In an exceptionally elaborate phishing scheme, it appears that identity thieves have managed to work around 2-factor authentication, also known as two-step authentication.
Two-factor or two-step authentication is a system in which you have usually already provided a mobile phone number to the site or service that you are trying to log in to. Once you type in your username and password, the site responds by sending you an SMS, an email or some other message containing a secret code, phrase or set of words, which also needs to be entered to allow access. The secret is issued by the site and is therefore known only to the site and, once the message is received, to you. So entering it should mean that it is you who is trying to log in. Well, that was up till now, anyway…
Recently, a number of banking customers who thought they were safe using a well-known South-East Asian bank's website secured by 2-factor authentication have become the latest victims of bank account fraud, as a result of some very cunning and careful phishing.
As in nearly all phishing attacks, the victims responded to an email which appeared to be from the bank and invited bank customers to click on a link. The link inevitably took the victims to an almost identical phishing site that had been set up by the phishers perpetrating the fraud.
In the first instance the victims were asked to enter their username and password, which in this elaborate scheme were immediately emailed to the scammer waiting for each victim. Under normal circumstances most people would not fall for such a scheme; however, the notion of 2-factor authentication has lured many people into thinking that a username and password are not the total sum of the information required to access a secure account. The thieves, armed with this information, immediately entered it into the bank's real Internet login page, which naturally triggered the 2-factor authentication mechanism and sent the required code to the victim's mobile device. The victims then entered that code into the phishers' fake site, and so provided the missing authentication information to the waiting thieves.
At each of the five steps of this involved and well-thought-out scheme, each victim actually believed they were interacting with the bank and were completely safe from this type of fraud, because the sequence of events was exactly as it should have been under normal circumstances. This in turn left the victims with a false sense of security and the villains with everything required to alter details on the account and, in most cases, clean the accounts out, all before anybody had worked out what was going on.
This new form of phishing, which has the potential to lure many people in because of their belief in two-factor authentication, is particularly insidious. It really means that no form of authentication mechanism is truly safe unless this process is prevented at the outset.
There are two significant ways that this type of attack can be thwarted! The first is to prevent the spam from getting to your email inbox in the first place by using a product like wumber anti-spam. This product only allows the email address to be used by the person that it is given to, so even if a crook gets it, the email address is of no use. The second and most significant is to use the FREE wumber anti-phishing add-on for Microsoft Internet Explorer, which uses unique INFRAMAPPING technology. In this instance the tool would have immediately identified the fake site, and while a login and password would have been provided, they would have been a login for the fake site, not for your real Internet banking site. The phishers would therefore never have got the real banking username and password to start the fraud in the first place, let alone the information needed to extract the second part of the authentication requirement.
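The second defence depends on the login being tied to the site it is typed into, so that whatever is entered on the fake site fails at the real bank and no SMS code is ever sent. The Python below is an added example, not wumber's code: the page does not describe how INFRAMAPPING works, so the HMAC-over-hostname derivation, the URLs, the secrets and every function name are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample values; none of them come from the article.
MASTER_SECRET = b"constructed-master-secret"
REAL_URL = "https://online.bank.example/login"
FAKE_URL = "https://online.bank.example.secure-login.test/login"
STATIC_PASSWORD = "constructed-static-password"


def site_bound_password(master: bytes, url: str) -> str:
    """Derive the password from the hostname the browser is actually on."""
    host = (urlsplit(url).hostname or "").lower()
    return hmac.new(master, host.encode(), hashlib.sha256).hexdigest()[:20]


def bank_sends_otp(enrolled: str, submitted: str) -> bool:
    """The bank only triggers the SMS code after a correct first factor."""
    return hmac.compare_digest(enrolled.encode(), submitted.encode())


def relay_outcome(site_bound: bool) -> dict:
    """What the real bank sees when a credential typed on FAKE_URL is replayed."""
    if site_bound:
        enrolled = site_bound_password(MASTER_SECRET, REAL_URL)
        typed_on_fake = site_bound_password(MASTER_SECRET, FAKE_URL)
    else:
        enrolled = typed_on_fake = STATIC_PASSWORD  # same secret on any page
    otp_sent = bank_sends_otp(enrolled, typed_on_fake)
    # Without an SMS code there is nothing for the victim to hand over,
    # so the second factor is only exposed when the first factor replays.
    return {"otp_sent": otp_sent, "second_factor_exposed": otp_sent}


if __name__ == "__main__":
    print("static password :", relay_outcome(site_bound=False))
    print("site-bound      :", relay_outcome(site_bound=True))
```

The static password reaches the bank unchanged and triggers the SMS code, while the site-bound one differs on the lookalike hostname and the bank rejects it before the second factor is involved.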
Even if you have two-factor authentication, YOU MUST REMAIN VIGILANT. It is no longer safe, unless you are a wumber subscriber. wumber is free to join and it’s free for everyone to use. Join Today!
This link is a video of Wally from wumber explaining how wumber works… Check it out!