AI allows hackers to bypass two-factor authentication, be careful


Mélina LOUPIA

June 14, 2024 at 5:01 p.m.


Two-factor authentication ensures your security, but also attracts hackers © Tero Vesalainen / Shutterstock

Two-step authentication is supposed to increase the security of your accounts. But hackers are now using artificial intelligence to bypass it with ease.

Two-factor authentication, also called 2FA, has become the standard for securing access to most online accounts. But like any advance in security, it did not take long to interest hackers, who are constantly looking for new ways to get around the locks. Recently, Gmail was hit by malware capable of stealing session cookies, which stand in for the second authentication factor and so allow the account to be hijacked.

But this time, hackers are drawing a new weapon, one that can be used at will, 24 hours a day, 7 days a week. You guessed it: artificial intelligence now lets them build conversational bots capable of stealing the one-time passcodes (OTPs) that users receive during the two-step verification process.


The OTP, or one-time password, is the hackers' Holy Grail, and they will try to extract it from their victims by any means possible

Concretely, two-factor authentication consists of providing, in addition to your usual credentials, an extra single-use verification code. This ephemeral password (one-time password, or OTP) is generally sent to you by SMS, voice call or mobile application. The main purpose of this procedure is to prevent a hacker who has stolen your login credentials from accessing your account.

But these OTPs are precisely the element hackers covet in order to bypass this additional layer of security. To get them, they rely on social engineering and manipulation, building websites or robocallers that pose as employees of “legitimate” companies. Taken in by this charade, many victims then unsuspectingly hand over the precious OTP code they have just received on their smartphone.

Once the OTP is in their possession, the hackers simply re-enter it on the real website of the impersonated company to pass themselves off as the victim. With this stolen code, they can then access all of their victim’s online services. Hence the importance of being wary of any suspicious request for an OTP, whatever channel it arrives through.

If a chatbot calls you and asks for your OTP, do some usual checks © KT Stock photos / Shutterstock

OTP chatbots are powered by AI to steal your codes, but you can protect yourself

To achieve their goals, unscrupulous hackers now have tools that use artificial intelligence to generate credible manipulation scenarios, spoken or written. These are OTP chatbots capable of automatically calling potential victims at scale while pretending, in a natural-sounding voice, to be a company’s hotline. They can even be configured to spoof the caller ID so that an official-looking phone number is displayed, covering up the deception.

During the call, the chatbot follows a pre-written, personalized script designed to get the victim to read out their confidential code, under a false pretext such as a security problem to be resolved or a supposed settings update. Once in possession of the OTP, the criminals can then break into the victim’s accounts.

Some very sophisticated OTP chatbots offer numerous options, such as customizing the name of the spoofed company, reading out the last four digits of the victim's bank card for added credibility, or choosing from a dozen languages. Premium versions of some of them are priced at several hundred dollars per week.

So, to separate the wheat from the chaff, caution is your best weapon against phishing attacks aimed at stealing your 2FA codes. Pay close attention to questionable links received by email, and prefer to type the official URL by hand or use a bookmark.

Before entering your credentials on a website, check that its address is exactly the legitimate one, with no suspicious spelling variations. A WHOIS lookup will tell you when the domain was registered; a very recent creation date is a bad sign and smells like a trap!

Do not trust telephone calls in which you are asked for your confidential code, no matter how convincing the person on the line may seem. No legitimate company asks its customers for their credentials or codes in order to authenticate them.


Source: Kaspersky

Mélina LOUPIA

Moderator, contributor and community manager for the late OVNI Le Post, then staff journalist specializing in parenting and psychology, notably at HuffPost. The world of the Web, networks, connected devices and everything written on the Internet falls within the scope of my favorite subjects.