2FA won't be as safe if you are not careful when online

Jun 7, 2017 20:23 GMT  ·  By

Two-factor authentication is a great way to secure your account, but even this method has a weakness that you might not even expect: you.

This may sound odd, but in practice it means you have to be extra careful about every webpage on which you enter credentials. According to the top-secret NSA document leaked to The Intercept, Russian intelligence agents successfully hacked the computers of US election officials ahead of the 2016 presidential election. Mashable points out that the very same document contains a slide showing that the hackers got around two-factor authentication simply by asking people for the verification codes they received on their devices.

"If the victim had previously enabled two-factor authentication (2FA), the actor-controlled website would further prompt the victim to provide their phone number and their legitimate Google verification code that was sent to their phone," reads the slide.

In short, once victims had been tricked into entering their email address and password into the fake Google site set up by the Russian hackers, the site asked them for one more thing: the 2FA verification code.

Once the victim supplied the data to the actor-controlled website, it was forwarded to the legitimate Google service. This step came only after the Russian actors had already obtained the correct password for that specific email account, so the code was entered at Google while it was still valid.
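The weakness described above is that a one-time code proves only that the user holds the phone, not which website the user is talking to, so a code captured on a fake site and forwarded within its validity window is accepted by the real one. The following added example (not from the article or from any of the organisations it mentions) illustrates that in code: it implements standard RFC 6238 TOTP verification, shows that a code typed into a lookalike site still verifies at the real site, and contrasts it with a simplified origin-bound check in which the signature covers the origin the device actually saw, so a relayed response fails. The secret, device key, timestamps and origins are constructed for the demonstration, and the origin-bound scheme is a stripped-down HMAC illustration of the idea behind WebAuthn/FIDO2, not the real protocol.

```python
import hashlib
import hmac
import struct

# --- Phishable factor: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) ---

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a Unix timestamp (RFC 6238 / RFC 4226)."""
    counter = for_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current code or one step either side (clock skew)."""
    candidates = (totp(secret, now + k * step, step) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def relayed_totp_accepted(secret: bytes, code_typed_at: int, relay_delay_s: int) -> bool:
    """Does a code typed into a fake site still verify at the real site after the relay?

    The code itself carries no information about *where* it was typed, so the only
    thing the real site can check is the time window.
    """
    code_seen_by_fake_site = totp(secret, code_typed_at)
    return verify_totp(secret, code_seen_by_fake_site, now=code_typed_at + relay_delay_s)


# --- Origin-bound factor: the response is tied to the site the device talked to ---

def sign_challenge(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified authenticator: signs the server challenge *and* the origin it saw.

    Constructed illustration of the WebAuthn idea; real authenticators use public-key
    signatures over client data that includes the origin, not a shared HMAC key.
    """
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes, expected_origin: str, signature: bytes) -> bool:
    """Real site recomputes over its own origin; a response made for another origin fails."""
    expected = sign_challenge(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def relayed_assertion_accepted(device_key: bytes, real_origin: str, fake_origin: str) -> bool:
    """Relay scenario: the fake site forwards the real site's challenge to the victim,
    the victim's device answers for the origin it is actually on (the fake one), and
    the fake site forwards that answer to the real site."""
    challenge = b"constructed-random-challenge-from-real-site"
    response_made_on_fake_site = sign_challenge(device_key, challenge, fake_origin)
    return verify_assertion(device_key, challenge, real_origin, response_made_on_fake_site)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # constructed TOTP seed (RFC 6238 test secret)
    device_key = b"constructed-device-key"    # constructed authenticator key
    print("TOTP relayed within 10s accepted:",
          relayed_totp_accepted(secret, code_typed_at=1_496_866_980, relay_delay_s=10))
    print("Origin-bound response relayed accepted:",
          relayed_assertion_accepted(device_key, "https://accounts.google.com",
                                     "https://accounts-google.example"))
```

The first print shows `True`: the relayed code is indistinguishable from one typed directly at the real site. The second shows `False`: because the device mixed the fake origin into its answer, the real site's check over its own origin does not match, and the relay gains nothing. That is the property the text is describing the absence of, and it is why a code typed in by the user has to be guarded by the user checking the address bar.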

Second stage - infected documents

The scheme went a step further. Once they had access to the accounts, the hackers emailed election officials from them and tried to trick the recipients into opening Word documents carrying malicious scripts, in order to compromise their computers as well.

This shows that two-factor authentication protects your online accounts only as long as you are vigilant about where you enter the code, especially when you arrive via links received in suspicious emails. The best protection is to type the address yourself and confirm it is the legitimate site before you enter your username, password and 2FA details.