Two step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add an added level of security to your accounts. However, enterprising criminals have found a way around it.
How did they do it? Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low tech social engineering strikes again.
Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset. Once you receive the verification code, they ask you to text them the code back to confirm that you don’t want the password reset. Pretty clever huh?
Of course what is happening is they are trying to get into your account but can’t because they don’t have the verification code. By playing the stop the password reset game they are hoping to catch you off guard so you just sent them the code.
For the record, no one will ask you if you don’t want to do something with your account. As soon as someone asks you for confirmation to NOT do something, you know the jig is up. This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks, think before you react.
It seems like every day, we hear about a new security breach. Yahoo, Adobe, Ashley Madison; all breached leaving their account holders feeling violated and wondering if their data or identify are safe. To make matters worse these breaches are often not identified until months or years after the attack, giving criminals plenty of time to capitalize on the stolen information. Even if you have a strong password, it cannot protect you if your account provider has its user’s login credentials stolen.
As mentioned in a previous post, many account providers are now offering two step verification. How does it work? You set up the service by giving them your cell phone number. The next time you login you are asked for your password and then an verification code that is texted to your phone. Worried about losing your phone? You can print off backup codes or give them an alternative cell phone number.
Once two step verification is enabled, if a cyber criminal tries to login to your account you will receive a text with an verification code. Not only does it keep the criminal from logging in to your account, it also alerts you that your login credentials have been compromised and that you need to change your password.
ITS highly recommends that you enable two step verification on all your accounts that offer it, especially on your Google account. If you are a user who has access to sensitive data or admin access, our recommendation is even stronger. To make it as easy as possible to enable it, we have created a lovely step by step document that gives clear instructions. We also encourage you to call the Service Desk if you wish to enable it but are uncomfortable doing it on your own.
Cyber criminals are becoming better and better at hacking passwords. One way to fight back is with two factor authentication. To learn more, watch the video.
What to learn how to step up two factor authentication on your google account? Check out this link.