Scam Of The Week: Nasty Two-factor Auth Text Hack

JaredBusch

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

Why would you send the 2FA to some random phone number that asked for your to do this?

this is one bit of social engineering I wouldn't expect to be all that successful, will it be zero % successful, sadly no, but I don't expect it to be more than 2-3% successful.

Of course it would be successful 2FA is black magic to users they have no idea what it really does

scottalanmiller

@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

Of course it would be successful 2FA is black magic to users they have no idea what it really does

Or why they use it or when it would be requested.

Dashrender

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

Of course it would be successful 2FA is black magic to users they have no idea what it really does

Or why they use it or when it would be requested.

How often do you see that being the case? Perhaps as more and more companies require it, users will be forced to use it while having no clue as to what it does or why.

scottalanmiller

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

Of course it would be successful 2FA is black magic to users they have no idea what it really does

Or why they use it or when it would be requested.

How often do you see that being the case? Perhaps as more and more companies require it, users will be forced to use it while having no clue as to what it does or why.

I don't know for sure, but I'd assume "almost always."

Dashrender

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@JaredBusch said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

Of course it would be successful 2FA is black magic to users they have no idea what it really does

Or why they use it or when it would be requested.

How often do you see that being the case? Perhaps as more and more companies require it, users will be forced to use it while having no clue as to what it does or why.

I don't know for sure, but I'd assume "almost always."

Do you know anyone who's forced to use 2FA? I guess I do now, my doctors - their 2FA is a phone call from the hospital automated system. IF they are logging in, they will get a phone call where they have to press 1 to indicate it was them who is attempting to log in. If they aren't attempting to login and they get the phone call, they should just hang up and contact the help desk.

scottalanmiller

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

Do you know anyone who's forced to use 2FA?

Of course. All of the employees of normal companies. Do you really not know thousands of people like this? I'd be surprised. maybe they just aren't talking about it because outside of IT who really talks about this kind of stuff?

Dashrender

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

Do you know anyone who's forced to use 2FA?

Of course. All of the employees of normal companies. Do you really not know thousands of people like this? I'd be surprised. maybe they just aren't talking about it because outside of IT who really talks about this kind of stuff?

Perhaps I do, and you're right, it's not talked about.

scottalanmiller

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

I guess I do now, my doctors - their 2FA is a phone call from the hospital automated system. IF they are logging in, they will get a phone call where they have to press 1 to indicate it was them who is attempting to log in. If they aren't attempting to login and they get the phone call, they should just hang up and contact the help desk.

Exactly. And every enterprise IT person I know uses two factor. Of some sort at least. Whether it is an internal system, SSH Keyphrases, RSA cards, Aladdin cards, Google Authenticator... 2FA is pretty darn common.

Dashrender

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

I guess I do now, my doctors - their 2FA is a phone call from the hospital automated system. IF they are logging in, they will get a phone call where they have to press 1 to indicate it was them who is attempting to log in. If they aren't attempting to login and they get the phone call, they should just hang up and contact the help desk.

Exactly. And every enterprise IT person I know uses two factor. Of some sort at least. Whether it is an internal system, SSH Keyphrases, RSA cards, Aladdin cards, Google Authenticator... 2FA is pretty darn common.

Sure, those are IT persons. They though are expected to understand 2FA, and shouldn't fall for this type of trick as posted in the OP.

So let's talk about normals - outside of IT, do you see a lot of people using 2FA?

scottalanmiller

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

So let's talk about normals - outside of IT, do you see a lot of people using 2FA?

I thought that I just said that. Every enterprise that I know uses 2FA. For everyone. Just part of normal computer usage. I'm sure lots don't, but enough do that I always see it.

Dashrender

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

So let's talk about normals - outside of IT, do you see a lot of people using 2FA?

I thought that I just said that. Every enterprise that I know uses 2FA. For everyone. Just part of normal computer usage. I'm sure lots don't, but enough do that I always see it.

OK, well, in that case, I do know that most of my local friends who work in enterprise do not use 2FA.

scottalanmiller

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@scottalanmiller said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

@Dashrender said in Scam Of The Week: Nasty Two-factor Auth Text Hack:

So let's talk about normals - outside of IT, do you see a lot of people using 2FA?

I thought that I just said that. Every enterprise that I know uses 2FA. For everyone. Just part of normal computer usage. I'm sure lots don't, but enough do that I always see it.

OK, well, in that case, I do know that most of my local friends who work in enterprise do not use 2FA.

Do they do anything important like work in content, finance, accounting, HR, etc.?