Video Summary
In This Tutorial
Learn how two-factor authentication protects your accounts and the three main ways scammers try to trick you into giving up your codes. You'll see how each scam works and how to protect yourself.
What Is Two-Factor Authentication? (00:20)
- Two-factor authentication requires your ID, password, and a changing code
- Codes protect your account even if someone knows your password
- Scammers try to trick you into giving them the code
Two-Factor Code Sources (01:11)
- Authenticator apps generate changing six-digit codes
- Codes are based on time and only work briefly
- SMS text messages are another source but are less secure
1. Direct Calling (03:22)
- Scammer already has your ID and password
- They call pretending to be the company, claim a security issue, and ask you to read them your code
- They log in using your code, change your password, and lock you out
- Protect yourself by never giving codes to anyone over phone, text, or email and contact companies via official channels
2. Man-In-the-Middle (06:49)
Attackers send phishing links to fake websites that look real. You enter your ID and password which they immediately use on the real site. When you enter the two-factor code on the fake page, it’s sent to the scammer to complete the login. Avoid this by never clicking on links in unsolicited emails or texts and by using a password manager, which won’t autofill on fake sites.
3. SIM Swapping (09:45)
- Scammer convinces your mobile provider to move your number to their phone
- They log in using your real credentials and receive your SMS codes
- Avoid SMS-based two-factor when possible; use authenticator apps
- Watch for sudden phone or SMS issues and contact your carrier
- Enable SIM lock features like AT&T Wireless Account Lock, Verizon Number Lock, or T-Mobile SIM Protection
Summary
The three main two-factor scams are direct calling, man-in-the-middle, and SIM swapping. Avoid them by never sharing codes, using password managers, preferring authenticator apps over SMS, and enabling carrier protections. Awareness and caution are your best defenses.
Video Transcript
Hi, this is Gary with MacMost.com. Let me show you how to protect yourself against two-factor scams.
Two-factor or two-step authentication is a great way to protect your online accounts against scammers that want to get into them. The general idea is that you not only need to know your ID, which is usually just your email address, and your password which, of course, should be a long unique password for each site, but you also need a second factor after the password. This is usually a code that changes all the time. So you enter your ID, your password, and then it asks you for the code. Then you get the code from a variety of different sources depending upon the site or service you're logging into and only then are you allowed into the account. Somebody trying to break into your account may know your ID, because it is probably just your email address and that's pretty public, but hopefully they don't know your password and can't get the code. If they do know your password though you're still protected. That is, unless they try to scam you out of the code.
They can do that one of three main ways. The codes usually come from an Authenticator App. This is an app like the Apple Passwords App that generates usually a six-digit number. It's different every time. So you go to log on now and it's one 6-digit number, but if you do it, say, next week it's going to be another 6-digit number. These are usually called Authenticator Codes. Google's Authenticator App was the main one that originally provided these. But lots of different password managers can do it. Chances are if you're using an iPhone, an iPad, or a Mac you're probably getting them from the Passwords App. But you can still get them from Google Authenticator and a variety of other password apps that will generate the same code. It's basically taking a key that's part of the account and using that to generate the code based on the current time and then that's what you enter in and the site or service on the other end confirms. The great thing about these is they change all the time. So if somebody were to steal your code right now and then try it, just say five minutes later, it won't work anymore. It was tied to that specific time.
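The "key plus current time" mechanism Gary describes is the TOTP algorithm (RFC 6238). This added example, not code from the video or from any of the apps mentioned, generates a code from a constructed demo secret and shows why a code stolen now fails five minutes later: the server only accepts the current 30-second step plus a small drift window.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, the form a site shows in its QR code.
# Not a real account key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift."""
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, now + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):        # constant-time compare
            return True
    return False


def demo():
    now = 1_700_000_000  # constructed fixed timestamp so the run is reproducible
    code = totp(DEMO_SECRET_B32, now)
    accepted_now = verify(DEMO_SECRET_B32, code, now)
    replayed_later = verify(DEMO_SECRET_B32, code, now + 5 * 60)  # same code, 5 minutes on
    return code, accepted_now, replayed_later


if __name__ == "__main__":
    code, fresh, replay = demo()
    print(f"code={code} accepted_now={fresh} accepted_5min_later={replay}")
```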
But another way to get these codes is over text messaging. The SMS system, which sends out text messages across all the mobile providers, is often used for this. Originally it was very often used but it is less and less so now because of the problems we're going to talk about right here. So you go to log onto a site, you type in your ID, you enter your password, and then it tells you to look for a code that you're going to get as a text message. You see that code. You type it in, or in the case of iPhone or Mac it's probably going to automatically put it in there for you, and now you can log in. That second factor protects your account and somebody else who only has your ID and password can't get in. They won't get that code. The code will come to you. If they try to log in they never see the code. They can't complete the last step. They can't log into your account.
But there are three methods that can be used to scam you out of that code and get into your account. Other articles and videos will talk about other methods but those are usually just variations on these main three. So the first one is called Direct Calling. This is when they are going to call you directly, and it can happen over text or email but usually it is a phone call. So in this case they've got two pieces of information and they are missing that third. They know your account ID, your email address, and they know your password. So they've gotten that from somewhere. Where do they get your password from? Well, it could have been a data breach at the site itself, or it could have been a data breach at some other site and you used the same password on two different sites. So they are guessing that you just used the same password over and over again. That's why it is important to have a unique password for every website. So a data breach with one site doesn't hurt you on other sites.
Okay, so they need the second factor. How do they get that code? Well, first they call you and they pretend to be from that site or service. A lot of times they will actually claim there is a security issue. So they're basically claiming to help you with security instead of actually trying to scam you into getting access to your site. So what they're going to do is they're going to say there's a problem and, to make sure that they're talking to the right person, they are going to send you a code and you can tell them that code, which will confirm they called the right person. So basically they are getting you to look in the opposite direction. They want you to think of them as somebody helping you with security, not doing the opposite. So on their end they log in with your ID and password and then it asks for the code. The code goes to you, not to them. So you get that code, but now, because you've been told by them that they are sending you a code, and the code seems to come from the same place that they say they are calling from, you think it is okay. You tell them that code and now they've got your two-factor code. They can complete the login on their side and then they will quickly get off the phone with you because now they are into your website. They can go ahead and change the password and lock you out!
So how do you protect yourself against this? Well, like any other spam, you shouldn't talk to somebody on the phone or reply to text messages that you get. If you think it could be real you use the real contact information, not whatever is provided in the email, voicemail, or text message that you get, to call the real company to figure out what is going on. Also, look at the text message you get with these SMS two-factor codes. Often they will warn you against this exact kind of thing. But not often enough. Here's one example which plays right into scammers' hands. You can see here you are just given a security code. It seems to come from the actual company, like if you look up those five digits you'll find that it's the real company because they are faking the caller ID, and it doesn't say anything special except that it is a security code. The person at the other end, the scammer, is actually going to say I'm sending you a security code. So it all seems legit. A much better way of doing it is to send a message like this, one that right up front says that the company will never call or text you for this code. You should take that advice for all codes you get over SMS, even if it doesn't say that. You don't give this code to somebody else. This is just something you use when you're logging on directly and there's nobody else involved.
If you find these videos valuable consider joining the more than 3000 others that support MacMost through Patreon. You get exclusive content, course discounts, and more. You can read about it at macmost.com/patreon.
Now let's look at method number two. This is often called a Man-In-the-Middle attack which makes it sound really spooky and scary. But in this case the person trying to scam doesn't really have anything on you. They just have your email address, which is public. You get tons of spam. Your email address is on spam lists and chances are they are not trying to attack you, they're sending this out to like a million people. They don't know your password. They can't access the two-factor code. They're going to try to get everything from you using this scam. So, what they're going to do is send out this spam and it's going to have a link to the site or service. It's a fake link though. It is going to their website, not the real one. But it is going to look real. It's going to ask you for an ID and a password. It's going to look just like the real site unless you look closely at the URL for the page you're on. If you fill out the ID and email address it is going to send it to the scammer, who will then be notified that somebody fell for the first part of the trap. Then they're going to take that ID and password and enter it into the real site. Then that will trigger the two-factor code. Not YOU entering it into the fake site but THEM entering it into the real site. But the two-factor code comes to you. To your phone number. However, on your fake site it is simply going to ask you for that code. Just like it would if it was the real one. You enter that in and it's still not logging you in. You're still not at the real site. But it is now sending that code to the scammer who is sitting there waiting, looking at the screen saying, Enter the two-factor code. So they enter the code that you voluntarily gave them and now they are in.
There are a lot of scary things about this. A scammer can throw the scam out to a million people to see who they catch. You don't really know you're being attacked, and if they get in you may still not know you're being attacked until later. So you avoid this, of course, by not clicking on any links in emails or text messages. Just like you probably already do to avoid spam. If you do go to the site you should be able to see that the URL is different than the real site, but it can be really tricky with this and they make it look kind of real, and you really have to pay careful attention to make sure you're at the right site. But the ultimate way to protect yourself against this is to use a Password Manager. The reason that works is because Password Managers store the website and the password and the two-factor code. When the scam email sends you to the wrong website, it doesn't match the one you have in your Password Manager. So it doesn't have a password for the scam site, which hopefully triggers your suspicions to look carefully at what is going on here and avoid this scam. Password Managers are the ultimate way to avoid a man-in-the-middle attack of this kind.
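The protection Gary describes rests on the password manager matching the page's origin exactly before it fills anything. This added example, not code from the video or from any real password manager, shows that check over a constructed vault entry: the genuine login page matches, while an http downgrade and two look-alike hostnames of the kind used in phishing links get nothing filled.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: origin the user originally saved the login from -> credentials.
VAULT = {
    "https://accounts.example.com": {"user": "gary@example.net", "password": "<stored>"},
}


def normalize_origin(url: str) -> Optional[str]:
    """Reduce a page URL to 'https://host[:port]'; anything not https is never fillable."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    port = parts.port
    if port in (None, 443):              # default port is not part of the origin string
        return f"https://{host}"
    return f"https://{host}:{port}"


def credentials_for(page_url: str, vault=VAULT) -> Optional[dict]:
    """Fill only on an exact origin match; subdomain tricks and look-alikes get nothing."""
    origin = normalize_origin(page_url)
    if origin is None:
        return None
    return vault.get(origin)


def demo() -> dict:
    # Constructed page URLs: one genuine, three shaped like phishing links.
    pages = {
        "genuine": "https://accounts.example.com/login?next=/settings",
        "downgrade": "http://accounts.example.com/login",
        "prefix_lookalike": "https://accounts.example.com.login-verify.net/",
        "hyphen_lookalike": "https://accounts-example.com/login",
    }
    return {name: credentials_for(url) is not None for name, url in pages.items()}


if __name__ == "__main__":
    for name, filled in demo().items():
        print(f"{name:18s} autofill={'yes' if filled else 'NO'}")
```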
Now there is a third method which is scary because it doesn't involve you at all. They're not actually scamming you. They're scamming the phone company. So, with SIM swapping attacks, they need to know a lot about you right away. They need to know your account ID. They need to know your password. They need to know your phone number. These things aren't impossible to get, especially if there has been a data breach. But they still won't have access to the two-factor code. So they're using this scam to get that last piece. What they are going to do is they're going to call not you, but your mobile phone provider. They are going to try to convince them to switch the phone number from your phone to their phone. They are going to do that by pretending to be you and being clueless about how to switch to a new phone. So the mobile phone provider shouldn't allow them to do this. But if they are persistent and if they follow certain scripts they can try to convince the mobile phone provider to switch it, and then they can just go try to log in with the ID and password they already have, and the two-factor code will now come to them because they switched your phone number to their phone. Now they can get into the account.
So this is scary because it can happen without any involvement on your part. But, fortunately, there are ways, and really good ones, to avoid this. The first is to avoid SMS as a two-factor authentication mode. You should be using an Authenticator App like in the Passwords App on your Mac or iPhone to get these codes. They shouldn't be sent over your mobile phone provider anymore. Now, that said, there are going to be websites and services that still have this as their only option. But if you notice that you're getting two-factor codes over SMS from someone you may want to log onto that site or service and look at the security settings and see if there's another option. It could be that when you first signed up SMS was the only option but they have regular authenticator codes now. Another thing to be on the lookout for is any problems with your phone, particularly with SMS messages. Like if suddenly you can't send any or you are not receiving any or the phone isn't working. Then something is up and you are going to want to call your mobile phone provider to figure out what the problem is anyway. But be suspicious that this is what might be going on.
Now while this may seem like the scariest of all the scams there are actually ways to protect yourself against this using functions at your mobile phone provider. They have different names for it. AT&T calls it Wireless Account Lock. Verizon calls it Number Lock. T-Mobile calls it SIM Protection. If you have a different provider they probably have a different name for it. Look into that now based on your phone provider and make sure that is turned On.
Now, of all the methods I've told you about for avoiding two-factor scams, you've already done the most important one, which is basically to learn about them. Once you know they are there you can start to take protections against them and be on the lookout. Also, tell your friends and family about these kinds of scams. Tell them about how to prevent them. Education is the best protection. Stay safe and thanks for watching.
Thank you Gary for a very timely communication with reference to two-factor scams. I was aware of these issues. Your clear presentation provided me clarification and I wasn't aware of contacting my phone provider. Thanks again.
Thank you
Thanks Gary, just going in and changing as many accounts as possible to an authenticator app and not using SMS.
Thanks Gary - very useful information and timely reminder.