
Hackers are bypassing two-factor authentication on target accounts through the use of automated bots that call the victim and ask for the authentication code. These bots are being sold on the Internet, and any hacker can use them to trick gullible users into sharing their two-factor authentication codes in order to gain access to their accounts.
The bots are specially designed to read an automated script that tells the victims that the call is from a particular agency. As per the incidents recorded till now, these bots currently target users of online services like Amazon, PayPal, Venmo, and some banks like Bank of America and Chase.
The bots serve as an ingenious solution for hackers who lack the social engineering skills to place such a call themselves. Moreover, since the bots talk in a robotic voice on the call, people are more easily tricked into believing that the call is indeed from the service firm, just as the hacker wants them to believe.
Here is an in-depth look into how the newly popular hack for two-factor authentication works.
For those unaware, two-factor authentication is an additional security step on most online accounts that requires two sets of verification from the user while logging in. The first is the username (or email address) and password. The second step of verification sends a code or an approval request to another device of the user. Only by authenticating the login attempt through this code or this device can a user log into his/her account.
Two-factor authentication is thus a nightmare for hackers as the account credentials are simply useless without the authentication code. The new phishing bot is an attempt to extract this code right from the users. We have seen such phishing attempts in other forms before, wherein the hackers call the victim in disguise and ask for OTPs or other such authentication codes.
The new bots do exactly the same but through a robotic conversation that asks the victim to enter the code over the call. The code reaches the user because the hacker is, at that very moment, trying to log in to the user's account. While the authentication code is actually for that login attempt, the bot tells the victim that it is to keep their account safe or to prevent a suspicious transaction.
As soon as the victims enter their authentication code, the bot displays it to the hacker on its own interface. The hacker is thus successfully able to log into the targeted account.
A few incidents wherein such bots have been used were recently highlighted in a Vice report. As mentioned in the report, these bots are being sold through various channels online, including some groups on Telegram. Those using these bots have even shared their success stories in duping people out of their accounts, some even with attached screenshots of the bots doing the dirty deed.
Then there are scammers who are trying to collaborate with others to scam more victims. The report mentions that these Telegram channels even attempted to sell these bots at discounted prices recently in order to attract more customers. It is thus clear that the popularity and use of such bots in the hacking community are on the rise.
There is a very important note here. While hackers can bypass two-factor authentication through these bots, they cannot break into the account on their own when such verification is enabled. Instead, they need the authentication code from the targeted user, and if you do not share it with them, your account is safe from this kind of intrusion.
People are thus still advised to opt for two-factor authentication wherever possible. Even if the hackers have a victim's username or email and password, possibly through a previous data breach, the authentication code is their Achilles' heel. But make sure never to share it with anyone, whether online or over a call, and only use it yourself.
Copyright©2025 Living Media India Limited. For reprint rights: Syndications Today