Online services are now a part of our lives. While we enjoy using these services, it is also important to take steps to protect our accounts so that the chances of them being accessed by unauthorised users are low. Are you using 2-Step Verification? Have you enabled 2FA through SMS? Well, it may not be enough.
A new blog post by CERTFA brings alarming reports that hackers are now able to bypass 2FA protection on accounts easily by phishing (yes, the simplest attack of all time!). A group of Iranian state-backed hackers has recently been able to break into Google and Yahoo accounts protected by 2FA using phishing attacks, particularly where the 2FA involves a code sent through SMS. The attackers collected detailed information on the target, which is quite easy to gather in today's data-centric, always-online world, and then used that knowledge to write phishing emails customised to the target's level of security. The email contains a hidden message which alerts the attackers when the victim opens the email, and then the traditional phishing begins. You can read the blog post for full details.
While the attack works 100% on SMS 2FA, the same hasn't been confirmed for one-time code generator apps like Authy (Android app) or Google Authenticator, so this method is still assumed to be safe. But the best method, which has worked even for Google employees themselves, is to use a security key like YubiKey or Google's own Titan Security Key.
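Why a security key holds up against phishing where a typed code does not: the browser records the address of the site that asked for the login, and the real service rejects anything that came from a different address. The Python sketch below is an added example, not code from CERTFA, Google or Yubico; it shows only the origin and challenge check a WebAuthn service runs on the browser's `clientDataJSON`, and the function names, the `example.com` origins and the sample challenge are all constructed for illustration.

```python
import base64
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def check_client_data(client_data_json: bytes, expected_challenge: bytes,
                      expected_origin: str) -> tuple[bool, str]:
    """Check the clientDataJSON fields of a WebAuthn login assertion.

    Covers only the type, challenge and origin checks. A real service must
    also verify the security key's signature, which covers a hash of this
    JSON, so the origin field cannot be rewritten in transit.
    """
    try:
        data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "malformed clientDataJSON"
    if not isinstance(data, dict):
        return False, "malformed clientDataJSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = data.get("challenge")
    if not isinstance(challenge, str) or not hmac.compare_digest(
            challenge.encode(), b64url(expected_challenge).encode()):
        return False, "challenge mismatch (stale or replayed)"
    # An SMS or app code carries no such field: it is valid wherever it is typed.
    if data.get("origin") != expected_origin:
        return False, "origin mismatch (assertion made on another site)"
    return True, "ok"

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed sample of what a browser would emit for `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()

# Constructed values (assumptions): a challenge issued by the real site,
# the real origin, and a lookalike origin of the kind a phishing page uses.
CHALLENGE = bytes(range(32))
REAL = "https://accounts.example.com"
LOOKALIKE = "https://accounts.example.com.login-check.example.net"

if __name__ == "__main__":
    print(check_client_data(make_client_data(CHALLENGE, REAL), CHALLENGE, REAL))
    print(check_client_data(make_client_data(CHALLENGE, LOOKALIKE), CHALLENGE, REAL))
```

The second call fails with an origin mismatch even though the challenge is correct, which is the property SMS codes lack.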
It is essential today that you protect your accounts using 2-Step Verification and use a security key to safeguard your account 100%. Hackers are always on the lookout for data to steal. You might think: what will a hacker do with my stolen data? To that I will answer: they can pretend to be you while carrying out their nefarious plans, and ultimately the authorities will come looking for you while you are completely unaware of it!
If you haven't done it yet, then I urge you all to start today. Take a look at these sites to help you get going. Also, remember that most authentication setup begins with taking your phone number and sending you codes through SMS; please refrain from using that option, as many companies like Facebook have begun using those numbers to target ads. Always switch to the 'using code generators' option.
When did you start using 2FA? Are you still using SMS codes, or have you switched to code generators? Are you using a security key? Let me know on my social media handles.