Every time a massive data breach makes the news, we remind you about the best practices you need to employ to protect your online properties. You should never use weak passwords and recycle them. Instead, pick a password manager that lets you generate unique passwords for every different service, website, and app. And use two-factor authentication (2FA) or one-time passwords (OTP) whenever you can. That way, when hackers inevitably hack one of your accounts, your other properties are protected. But you should remain vigilant when it comes to defending your online accounts.
Unique passwords and 2FA/OTP aren’t enough, as hackers have found a clever way to trick you into giving them the unique code they need to break into your account. And you might not even realize that you’ve opened the doors to your Amazon, PayPal, Coinbase, or bank account to attackers who might steal money from you. It’s all possible thanks to a new type of customizable bot that places automated calls with the sole purpose of stealing that temporary password.
How bots hack your 2FA codes
Even without bots, 2FA protection isn’t foolproof. Some hackers might try social engineering attacks to convince you to give up that temporary code or password. But not all of them might be that convincing.
On the other hand, the bot is a lot more sophisticated and will make you believe that you’re talking to the automated security system belonging to the service that hackers want to penetrate. Motherboard demonstrated the attack with a simple example, an incoming call supposedly coming from PayPal’s fraud prevention system.
An automated voice tells the PayPal account holder that someone tried to spend a particular sum of money. PayPal needs to verify the account holder’s identity to block the transfer, and they’ll ask for the 2FA/OTP.
‘In order to secure your account, please enter the code we have sent your mobile device now,’ the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, ‘Thank you, your account has been secured and this request has been blocked.’
The bot then proceeded to inform the user that there’s no reason to worry:
‘Don’t worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up,’ the voice said.
What actually happens
Hackers who obtained someone’s personal data — such as their real name, email address, and phone number — might use it to determine whether they have a PayPal account with that address. They can apply the same procedure to any sort of online account. Once they find a match, they can feed the victim’s phone number to a bot that’s tailored for that service.
Motherboard explains that these bots can cost a few hundred dollars per month and target specific services like Amazon and PayPal. Others can target specific banks like Bank of America and Chase. And some of them let you customize the experience to any type of account.
The bot sounds just like one of the bots you might be talking to during regular customer service calls. They’ll invite you to press certain keys and then to input your 2FA/OTP code. But as soon as you do, the code reaches the hacker who initiated the attack.
The reason you get a code via text message on your phone is that the hacker has tried to log into your account, knowing full well they won’t be able to get into it without that code. The bot makes it sound as if it’s a service like PayPal that’s generating the unique 2FA/OTP code. And you’ll have no way of knowing it’s a hacker targeting you, especially as you rush to deal with the threat.
Once inside your account, the hackers can steal money or cryptocurrency. The video below shows one such conversation with a bot.
What you can do to protect your 2FA codes
If you’re worried about 2FA/OTP bot attacks, you should make sure you understand how they work, and Motherboard’s coverage is a great place to start. You’ll want to inform your friends and family about the increased usage of this sort of hack.
Next time you receive a call inviting you to input 2FA codes, you should hang up. Never send those codes to anyone. Instead, log into those services to monitor your activity. And call customer support. You might want to change the email associated with that account to prevent these attacks from happening. Once hackers know what email you use for PayPal or Bank of America, they might still target you with similarly sophisticated attacks.