The Booming Underground Market for Bots That Steal Your 2FA Codes

The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts. From a report: The call came from PayPal's fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer. "In order to secure your account, please enter the code we have sent your mobile device now," the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, "Thank you, your account has been secured and this request has been blocked. Don't worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up," the voice said.

But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks. Whereas fooling victims into handing over a login or verification code previously would often involve the hacker directly conversely with the victim, perhaps pretending to be the victim's bank in a phone call, these increasingly traded bots dramatically lower the barrier of entry for bypassing multi-factor authentication.

TOTP

[dskoll]

This is why SMS and email "2FA" methods are useless. The best type of verification is Google Authenticator, AKA TOTP. The reason is that it's not tied to an email address or phone number, so a hacker wouldn't know who to contact to convince you to give up your 2FA code.

Re:

[Anonymous Coward]

They aren't useless. This only works if you're stupid enough to give the hacker the code. This is no different than saying your password is useless just because you freely gave it to the thief.

Re:TOTP

[dskoll]

They are almost useless because email and SMS messages can relatively easily be intercepted.

Re:

[angel'o'sphere]

They are almost useless because email
Nope. For that you have to be on the network of the server - or on the network of the receiver. As you hardly have any idea which "route" the mail will go.
And as email is encrypted - since 20 years or so - you hardly get anything.
The only option to intercept it is to hack MY computer - where it is stored unencrypted - and/or hack the server, where it is likely also stored unencrypted.

and SMS messages can relatively easily be intercepted.
If you are in the same cell like

Re:TOTP

[dskoll]

SMS messages can be intercepted with a SIM swap scam [wikipedia.org].

Email messages can be intercepted by phishing the email credentials, which if not also protected with 2FA are a weak point.

Re:

[stabiesoft]

Depends. My cell provider has the option to add a code. Want to port my number, you need the code. The telco was a bit reticent in doing it, because they implied even I would not be able to port it even if I personally presented myself to a store. And I don't understand why this scam works really. 2FA is exactly that. I log in with a user/pass and wait for the code. I would not reveal a code if I did not assert the first factor of logging in. But then I don't buy gift cards to pay my IRS agent when he calls

Re:

[computererds]

Sims can also be cloned, and on a gsm network, intercepted between tower and phone.

Given both of those would have to be for relatively local targets. I'm just stating facts, not supporting his position.

Re: TOTP

[aRTeeNLCH]

Thanks for that link. Now I know I'm totally safe. I get great service from my provider, at ultra low prices (for my country, relative to other providers), but their one Achilles heel is the time it takes to get a number ported or similar requests. Last time it took several months. Now I know it delivers extra security! It's a feature!

Re:

[mjwx]

SMS messages can be intercepted with a SIM swap scam [wikipedia.org].

Which is nearly useless in most countries as issuing a new SIM results in the old SIM being immediately locked out of the network (as a replacement SIM assumes the old one is lost or stolen) expressly so you can't have two SIM's on the one number.

Secondly, it's a lot of effort to go through to get at someone's account. So unless you know they've got money, are physically located in the same country, know their account details intimately and then the phone company does not follow security procedures about

Re:TOTP

[thegarbz]

There's nothing to intercept. Very few if any such fraud schemes rely on any interception. They rely on dumb users, users which have leaked enough data to have their phone number tied to their login credentials, and users dumb enough to hand over anything in face of an automated call. Authenticating with Google is no more secure than asking for a password if the *user is willing*.

Re:

[dskoll]

The difference is you have to know who to contact. In theory, if you're using TOTP, the 2FA screen will not say "We've sent a code to your phone number at XXX" or "We've sent a code to your email at foo@example.com". The scammers will have to figure out who exactly to contact to get the TOTP code.

Re:

[maglor_83]

I've never seen anywhere that lists the full phone number or email address for these. The hackers already have all that information from prior hacks.

Re:

[thegarbz]

The difference is you have to know who to contact.

No you don't. That is already a given. Re-read my post. The "who to contact" part is no different from SMS, Email, or Authenticator. In each case you need to tie a communications method to the user under attack.

Re:

[mjwx]

There's nothing to intercept. Very few if any such fraud schemes rely on any interception. They rely on dumb users, users which have leaked enough data to have their phone number tied to their login credentials, and users dumb enough to hand over anything in face of an automated call. Authenticating with Google is no more secure than asking for a password if the *user is willing*.

This.

I'm actually glad for 2FA because some dopey bint in Rhode Island keeps trying to change my password on Gmail and Facebook. I'm "JSmith", she's "JSmith1", but every few weeks I get a message from Google asking if I'm trying to change my password. I asked about it a support chat, but there isn't anything they can do (understandably, it's a public link) but don't change the password unless I respond. I have changed the password once or twice just to be on the safe side.

The really daft thing is, sh

Re:

[CaptainDork]

Still, we're not in the 1st grade anymore. By now, the Internet user should know how stuff works. Those hacks require the cooperation of the victim.

I'm 76 years old and I fell for those traps back when princes of Nigeria and later, Anna Kournikova was pre-meme.

No matter the sophistication of the protection, there's always a way around it.

You have mail.

Re:

[I've Got Three Cats]

They aren't useless. This only works if you're stupid enough to give the hacker the code. This is no different than saying your password is useless just because you freely gave it to the thief.

Exactly. Any authentication system is useless if the human is dumb enough to give out their credentials to an automated phone call. Or a guy with an Indian accent calling from "the US" who can't tell you what time it is "in the US".

For fucks sake, what is wrong with people?

Re:

[XXongo]

They aren't useless. This only works if you're stupid enough to give the hacker the code. This is no different than saying your password is useless just because you freely gave it to the thief.

The thing about passwords is that they are only useful if you type them in when requested to do so.

The thief simply has to do a good job at mimicking such a request.

You're saying "oh, I'm so smart I'd never be fooled." Yes, everybody thinks that.

Until they're fooled.

Re:

[torkus]

Been in tech since a kid in the Commodore c64 days. I've had data breaches compromise passwords a few times, but i've never given up a password, PIN, or other auth to a scammer. It takes a level of savvy, but it's not impossible by any means to avoid being fooled.

Maybe the future will prove me wrong.

Re:TOTP

[Junta]

Not applicable in this case. SMS is considered problematic because it's not well secured.

TOTP will fare no better, because either way the attacker can ask for your code, and whether it came in through SMS, email, or just read off your TOTP app, they don't care. The vulnerability is falling for the person claiming to be using that code to authenticate you.

Generally mitigated by everything saying 'we will never ever call out to you and ask for your code unprompted ever". However people will still fall for it, particularly if it's something as stressful as a financial transaction.

Re:TOTP

[e3m4n]

I get pissed when medical places call me and then want ME to verify sensitive information. I usually tell them to fuck off, I dont know them, and there is no fucking chance on this green earth I will tell them anything like that over the phone. Occasionally I will meet them halfway. If they can tell me my street number and name, I will give them city/zip code. That short of thing. I have no intention of verifying to a blank legal pad and pen on the other end of that line. Another thing to mention, most fraud prevention is FAIL SAFE... as in no action from you results in a DENIED transaction. Typically these systems are setup that you have to ALLOW a suspect transaction to go through, not the other way around.

Re:TOTP

[Junta]

Yes, the correct way is for the event of an unsolicited message to say "call us at the number you already know, launch the app you already have, or visit the website you already know". No links, no request for a direct reply, merely a note directing you to go to a well vetted path.

I always wondered how those suspicious messages worked on some people given my normal experience. Then I went to a company that had an internal IT department that sent out legitimate messages that directed us to do things exactly the way a hacker would do. I reported the first message to IT security as a phishing attempt and got told "no, that's an actual notice from our department". Can't remember the specifics but it reeked of phishing more than legitimate message.

Re:

[apoc.famine]

Our HR department did that in hilarious fashion. After our required anti-phishing training, they sent out an email which checked literally all of the boxes for phishing attempts that were in the training. It was just mind-blowing.

A whole bunch of us reported it as phishing, and that person never emailed anyone again, as far as I'm aware. No idea if they're still around.

Re:

[tlhIngan]

Our HR department did that in hilarious fashion. After our required anti-phishing training, they sent out an email which checked literally all of the boxes for phishing attempts that were in the training. It was just mind-blowing.

Actually, we had that happen too - after an anti-phishing training thing, they sent out an email saying we needed to set up some account or other. Now it was legitimate, but they asked to click the link so I kept telling everyone "it could be a phishing attack!". Apparently enough

Re:

[vivian]

It would probably be a good idea for your HR department to send out fishing like requests after all the staff had been trained just to find those that needed additional training.

Re:

[rgmoore]

Our IT security people do exactly that. They added a "report phishing" button to our email, and they periodically send fake phishing emails to see who will bite and who will report. With the fake emails, there's some way the email client knows, so if you click the report button it congratulates you for having successfully detected a phishing attempt.

Re: TOTP

[boxless]

I canâ(TM)t tell if youâ(TM)re just shitting with us. You do realize that email was sent on purpose, donâ(TM)t you? I am sure the hr person is still very much employed. They measure how many people take the bait to see if the training worked. Happens to me every year. And yes, the email is a dead giveaway.

Re:

[mjwx]

Yes, the correct way is for the event of an unsolicited message to say "call us at the number you already know, launch the app you already have, or visit the website you already know". No links, no request for a direct reply, merely a note directing you to go to a well vetted path.

I always wondered how those suspicious messages worked on some people given my normal experience. Then I went to a company that had an internal IT department that sent out legitimate messages that directed us to do things exactly the way a hacker would do. I reported the first message to IT security as a phishing attempt and got told "no, that's an actual notice from our department". Can't remember the specifics but it reeked of phishing more than legitimate message.

Yep, my bank constantly pops up messages on my internet banking portal and last time I called, had a pre-recorded message saying "The Bank will never call you and ask for personal details". Like you said, they'll call or email and ask you to call them, that way you can go through the secure portal or automated verification process (and then with my bank, a 2nd in person verification process).

As for my doctor... In the UK we register with a clinic, so we tend to get to know who's calling us and they don'

Re:

[rgmoore]

We could make credit cards near impervious to fraud... but the banks wont because they'll be such a pain to use that no-one will be willing to use them (making the banks and payment processors miss out on those juicy percents they skim off the top of every transaction). So ultimately we need to balance usability with security with liability (with liability, banks eat much of the cost of fraud because the loss in income would be far greater if they increased security).

The key is that the most profitable poin

Re:

[torkus]

Companies with a retail/social presence need simply build a two-way authentication into whatever app they have...in a way that scammers can't leverage.

A call-in number works too of course but if BoA calls me, says to open my app and look for for an auth code that they operator will read to ME to confirm...then they've seamlessly confirmed i'm who i claim (i've logged into BoA via a known-good application, rep can see on the back end a successful recent login) and I can confirm either BoA was utterly hacked

Re:

[I've Got Three Cats]

I get pissed when medical places call me and then want ME to verify sensitive information.

Absolutely. Cold calling me the expecting me to authenticate myself to you first? Piss. Right. Off.

Re:

[torkus]

I get pissed when medical places call me and then want ME to verify sensitive information. I usually tell them to fuck off, I dont know them, and there is no fucking chance on this green earth I will tell them anything like that over the phone. Occasionally I will meet them halfway. If they can tell me my street number and name, I will give them city/zip code. That short of thing. I have no intention of verifying to a blank legal pad and pen on the other end of that line. Another thing to mention, most fraud prevention is FAIL SAFE... as in no action from you results in a DENIED transaction. Typically these systems are setup that you have to ALLOW a suspect transaction to go through, not the other way around.

Seriously, this is such a huge, HUGE security issue. It's ridiculously common for companies to call you, then request YOU provide THEM tons of PII before they can "help" you. It's no shock that scammers leverage this.

Personal anecdote - had XPO logistics (freight company - often deliver appliances and other large items) call me to verify a delivery. Pressed 1 to confirm to the automated agent which flagged some kind of error. The human that came on insisted that they could do NOTHING until I verified my

Re:

[rgmoore]

Heck, even credit card companies do this shit and they're heavily invested in anti-fraud.

The credit card companies are usually a bit better, and for two reasons. For one thing, they're usually calling about a transaction that's just happened. If it's a legitimate transaction, the fact they know about it so quickly serves as evidence that they're who they say they are. The other thing is that they're usually just asking if a specific transaction is legitimate. They aren't going to do anything more than c

Re:

[Beryllium Sphere(tm)]

Except people have been trained to "enter the number we just sent you". Extensively. The scam has the advantage that the mark gets a number and gets it from the legitimate source.

The scam works because they can make (e.g.) PayPal send a real credential and make it sound like it's coming from the scammers.

Near as I can tell it also only works if they have your password. I think I will further upgrade mine now. Wonder if PayPal has stupid requirements that reject Diceware passphrases.

Re:

[Opportunist]

Well, how would they know who to contact with text verification either? All they usually get to see is a few digits of the phone number, not the whole number. More likely, they already know your number.

Which basically only changes "please enter the number we sent you via text" to "please enter the number from your Google Authenticator" in the fraudulent message.

Re:

[shanen]

It's a bit better and more secure than that, but the real risk is to think that you've "solved" the security problem. This game never ends. I like to approach it from the Godelian perspective, others favor the Turing way, or maybe Ken Thompson said it best? https://www.win.tue.nl/~aeb/li... [win.tue.nl] But the crooks and gamesters aren't so philosophical. Whatever the rules of the game, they will look for the weakest links in the chains of security, and if any game goes on long enough, one or more links shall be broken

Re:

[Opportunist]

Security needn't be absolute. All it has to be is good enough that it costs you more to break it than you get out of it.

Re:

[shanen]

The OP was closer to the absolute claim, but my secondary point is that value is hard to assess. For example, you may think your data is low value, but the attacker may think it's the missing piece of something bigger.

Re:

[Ostracus]

Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer.

Why isn't "automatically block" the default? A person already knows if they did something or not.

Re:

[torkus]

Why isn't "automatically block" the default? A person already knows if they did something or not.

Automatically block happens lots too. Needed to send a friend $2k - yes, a one-off out-of-norm transaction for me. Tried a wire. Security review...transaction voided and $ returned. Tried Zelle. Got a 'on hold, reviewing' and I confirmed via email and SMS. Still denied ... three times. Tried a different bank, same denied. Tried taking out $2k at ATM...nope, daily limit.

I'm hoping paypal lets me because otherwise I'm sending a check by carrier pigeon. Checks seem just fine up to 5-6 figures. Maybe

Re:TOTP

[transporter_ii]

I'm partial to U2f keys. It's something physical that I have to press a button on. But on the places that don't allow them, Authy seems to work well and bypasses the cell and email problems, as well.

It would be nice if more banks and financial institutions would turn on U2F authentication.

Re:

[DraconPern]

Pretty sure these attacks also effects authenticator apps since they already know your email/phonenumber/password already. Hackers just send you a message to ask you to enter your TOTP code at which point the real server has no way to know it came from you or the hacker. I can't see any way to solve this w/o user education. Normal users do not know that TOTP should not be entered through SMS. Read that again. Normal users don't know enough to verify the communication channel be

Re:

[ctilsie242]

It doesn't really matter what form of authentication is being used... a phishing attack will get a user to read a SMS code, read from their authenticator, etc. to let a party in. Even Yubikeys or other auth tokens with a button on the end, a user can be pursuaded to keep pressing the button every so often.

The only way around this is user education, and, if a bank needs to send a message, sending something like "This is whatever bank. Log onto our website via the ways you have used previously, with your ac

Re:

[thegarbz]

False. This is why SMS and email 2FA methods *aren't perfect*. They remain far from useless, and your wonderful Google Authenticator, tell us again which of the backup methods did you set to use for it, SMS or Email?

Re:

[dskoll]

I use neither SMS nor Email as my TOTP backup methods. Instead, I generated 10 one-time recovery codes and locked them in a safe place.

Re:

[dskoll]

And also, I generated QR codes of all my TOTP codes, printed them out, and locked those away in a safe.

Re:

[fahrbot-bot]

The best type of verification is Google Authenticator, AKA TOTP.

Or Authy [authy.com] which is compatible with Google Authenticator and has multi-device, backup and Android/iOS/Windows/Linux/MacOS desktop client support.

Re:

[bloodhawk]

These attacks work on all TOTP, SMS, email methods etc. They rely on the gullibility of the user as opposed to breaking the tech. google authenticator is no more immune to this than SMS.

Re:

[AbRASiON]

Paypal are worthless, losers - because they didn't offer normal authenticator methods for years and years and years.

I had to go through quite a rigourous process about 4 or 5 years ago to emulate some kind of symantic RSA dongle device, to get 2FA in Google Authenticator, for Paypal. As all they offered was SMS.

If you offer SMS, I'm not even going to bother. I've got Authy, it's on my PC, 2 phones, 2 ipads, it's very handy.

Re:

[easyTree]

This is why SMS and email "2FA" methods are useless. The best type of verification is Google Authenticator, AKA TOTP

(1) Bot prepares to perform whichever transaction its owner is interested in
(2) Calls user for the Google Authenticator code
(3) Immediately uses the digits entered to impersonate the user
(4) Bottastic!

Re:

[torkus]

The human is (almost) always the weakest link in the chain.

Re: TOTP

[boxless]

Iâ(TM)m so effing smaht so I can say things are useless because I can see obvious flaws in the system. Hey brainless, has it ever occurred to you that we all get it that itâ(TM)s not perfect. We all get that there are holes in all the systems. But, can you potentially see that this is a heck of a lot better than just a password? If itâ(TM)s all useless, then letâ(TM)s just not use anything at all. No passwords, no nothing. Itâ(TM)s all worthless, right?

2FA = 1FA

[sloth jr]

Two things you know doesn't make 2 factor authentication, and shouldn't be presented as such. Factors:
- something you know
- something you have
- something you are

Re:

[Chris Mattern]

The Daily WTF has dubbed it "Wish-It-Was Two-Factor".

Re:

[timeOday]

The "thing you have" in this case is your phone.

And in fact this is not a counter-example of that.

If you have to trick the holder of the 2FA into giving you the code, 1) everybody not dumb enough to do that is still safe, and 2) they still don't have your phone. Even if they use your one-time password to change your ebay password for example, with the next 2FA challenge they would still have to trick you into helping them again.

Re:

[RJMonkeyboy]

'Reading the number' is just proof that you have it. They could just as easily say 'we need you to stick your Yubikey into your PC', and people would still fall for it.

Re:

[Anonymous Coward]

Your phone is something you have, this is most definitely 2 factor. The security hole here is the moron holding the phone.

This explains it

[rgmoore]

I guess this explains why the texts I get from my bank always start with, "[Bank] will NEVER call or text you for this code. DON'T share it." It's still dumb to try handling 2FA by texting a code- it's way too easy to intercept SMS messages- but one would hope people would pay attention to the part of the message saying the bank won't ask for the code.

Re:

[torkus]

They'll never ask you for it, except on their website where they ask you for it.

I get it, but it's such a blurry line for lots of people. It's also trivial to make a fake login website to collect this.

"For security we won't ask you for the code over the phone, go to BoA_Not_A_Scam.token website and enter it there for me, sir. then we can send you the $10 million dollars your uncle in Nigeria left you right to your bank account"

Re:

[rgmoore]

The message is obviously imperfect and could definitely be improved, but it gets at the real problem. The whole point is that a potential attacker has no control over the message containing the code. It goes straight from the bank to the user. So the bank really wants to remind the user that if they haven't just tried to log in, receiving a login message is suspicious. As I said, the message could be improved- saying something about how you should only get this message if you're trying to log in would b

Tomorrow's news

[PinkyGigglebrain]

PayPal announces 3FA to protect their customers from evil scammers.

Re:

[CaptainLugnuts]

a/s/l?

Re:

[antdude]

M(ultiple)FA & I(nfinite)FA. :P

Social Engineering, not much else

[jobslave]

This is just simple social engineering and not really a lot else, just using a bot, no big deal advancement here. Clue # 1 that should be a HUGE red flag. They called you. If they call you, it's fraud in pretty much every case. Your bank will send you a letter in the mail if they suspect something with your account, they will not call you. And if it's not actually fraud, just simply log into your account, look and verify yourself and call your bank/credit card company directly using a know number for them, like the one on the back of the card they tell you to use. Dispute the charge after the fact if there was actually a fraudulent charge against your account. Oh and in every case you can, sign up for text alerts for charges so you get a text every time there is a charge for any amount on your account. Then you're aware anytime someone might try to charge your account and can know instantly if it was you or not.

Honestly, if you are a victim of fraud because someone reached out to you, you're no longer the victim and caused it to happen in most cases. If they contact you, stop listening and call a known number. This is basic social engineering protection 101 people.

Re:

[Ostracus]

True banks will not but I've had CC ask about a particular charge via E-mail because they don't recognize the sender (usually foreign).

Re:

[ljw1004]

Clue # 1 that should be a HUGE red flag. They called you. If they call you, it's fraud in pretty much every case. Your bank will send you a letter in the mail if they suspect something with your account, they will not call you.

What? In all the banks I've been with (Barclays Bank in the UK, Chase in the US, and First Tech Credit Union in the US) they have telephoned me when there was a credit card transaction they considered suspicious.

(They always start by saying "To confirm your identity please answer the following questions", to which I always reply "Before I can answer that I'll need to confirm your identity please". They're usually confused but answer nevertheless. I then hang up and telephone the number on the back of my car

Re:

[Rinikusu]

Wells Fargo will call if they suspect fraud. They will also give you their extension/name so you can hang up, and call them back on the number listed on your card. if a scammer goes through the trouble to intercept your outgoing calls and mimic the automated switchboard, holy shit we're fucked. It's one of the few things I really like about WF, and it has saved my ass from being skimmed 2 or 3 times over the past 20 years. It is also a giant PITA when you get declined paying for something and get that call

Re:

[pjt33]

There was a scam which worked like that, except that instead of intercepting your outgoing call what they did was somehow keep the connection open when you hung up, so that the dialling tone you heard when preparing to ring back was actually generated by them. A quick Google search shows that it's still happening in Canada [ctvnews.ca], at least.

Re:

[apoc.famine]

Lol, my credit union calls within like 5-10 minutes of suspected fraud on my card. I can buy something dodgy from Amazon UK (I'm in the US) and I know I'll need my phone handy because they're going to call and confirm. It's great service!

And it comes from the same number every time that I have saved as a contact in my phone. So yeah, maybe someone could hack into my phone and change the number to their fraudulent one and then call me to trick me that it's my credit union, but that doesn't seem overly likely

Re:Social Engineering, not much else

[tlhIngan]

And it comes from the same number every time that I have saved as a contact in my phone. So yeah, maybe someone could hack into my phone and change the number to their fraudulent one and then call me to trick me that it's my credit union, but that doesn't seem overly likely. And if they did that, I'd honestly be pretty damn impressed.

You do realize that number is from Caller ID, right? And your phone is merely looking that number up in the contacts list?

And that spoofing Caller ID is what scammers do all the time?

Re:

[bloodhawk]

Actually nearly all banks WILL call you. both mine certainly do. But the call will come from their security section and they will happily provide you a reference number and extension so you can lookup and verify the phone number yourself and call them back.

Re:

[bloodhawk]

Well I have been with 4 different banks over the years, have had calls from all of them for dodgy or suspected dodgy transactions. Realistically if you think about it, it would be insane for them not to call as waiting for snail mail while criminals get away with the goods is not in their interests.

Re:

[PPH]

E-Mail. But they just ask me to call them back at the number on the back of my CC. I can't see the risk with this approach.

Re:

[Beryllium Sphere(tm)]

My bank does call for things like suspicious credit card charges. Lamentably, they also outsource the calls to a firm with an unrelated name on caller ID. I found out later that I had answered a legitimate call by shouting at some call center person that he was a federal felon. Next time will simply hang up and call the bank's number.

Re:

[hawk]

> If they call you, it's fraud in pretty much every case.

But not always.

Citi's fraud unit called me something like 15 years ago after some kind of compromise, and overnighted a new card.

It's not rare for fraud departments to call, but they also offer callback numbers, etc.

There's got to be inside leaks as well.

[RightSaidFred99]

Somewhere along the chain (telcos, software operators for pieces of 2FA, inside jobs, something) they are finding out when you've enabled 2FA as well. I enabled 2FA with my bank, one of the big 3, and within a day I was getting scam texts trying to get my 2FA code.

Re:There's got to be inside leaks as well.

[thegarbz]

and within a day I was getting scam texts trying to get my 2FA code

That means they already had your details and you were already the subject of an attack. You just now have a more visible means of identifying said attack rather than it going on behind your back.

You want to know how they find out if you have 2FA enabled? They try and login as you.

Learn to recognize the trick!

[Acum Amcum]

Requiring any action from you to STOP something that is going to happen otherwise, is the oldest trick in the book. It doesn't matter if you use email, phone call, SMS, 2FA, MFA, as long as you fall for this trick.

how dumb do you have to be!

[bloodhawk]

people fall for such an obvious scam? seriously?

Re:

[PinkyGigglebrain]

sadly I must say the answer is "yes"

As Einstein once said "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."

Re:

[ebvwfbw]

people fall for such an obvious scam? seriously?

People still fall for the extended car warranty scam or they'd stop doing it.

This is easy to prevent

[djp2204]

Banks, Paypal, and email providers all explicitly say in the 2FA "text" that they will never call and request the code. The only time they text you a code and ask you to read it back to them is when YOU call THEM, not the other way around. Anyone who falls for this is ignoring their own authentication message.

How to prevent this

[Todd Knarr]

Just remember that services like Paypal use 2FA to authorize transactions, not to block them. If the call were legitimate, it'd say "To permit this transaction, enter the code we've texted you.". If you do nothing, the transaction wouldn't be authorized. So if you get one of these calls, simply hang up and go check your account. If you see a fraudulent transaction on it, report it as fraud.

Remember the prime rule: never give information to a service unless you have contacted them through a channel that didn