2FA Immune Phishing Attacks Are on the Rise -- Security Today

2FA Immune Phishing Attacks Are on the Rise

2FA is more secure than single-factor methods only requiring a password, but it's not an impenetrable method.

By Kayla Matthews
Mar 25, 2019

People are used to two-factor authentication (2FA) security measures that bolster account protection. They require the account owner to provide something they know, as well as something they own.

For example, a person might get a text message containing a code that pops up on their smartphone. The password represents the knowledge aspect, and the code is the possession part.

Then, if a person's password somehow becomes compromised, the thief ideally wouldn't also have the smartphone text message.

That system sounds like a valid one, but experts warn hackers have even found a way to bypass the safeguards 2FA should provide.

A New Kind of Phishing

Nicolas Lidzborski, a security engineering lead at Google, mentioned the company had seen a substantial increase in 2FA phishing attacks. When speaking about the matter at a cybersecurity conference, he clarified that 2FA is more secure than single-factor methods only requiring a password, but it's not an impenetrable method.

How do hackers carry out these attacks? They use so-called "phishing kits" to create fake login pages people go to when they type in the 2FA code. After that, the cybercriminals may have to act quickly.

2FA codes typically only give access within small windows of time. Some are as long as 60 minutes. But, at Google, the codes become inactive in just 30 seconds. Automated platforms can use the 2FA code before it expires, though. If a hacker uses one of those, they could let those tools automatically wreak havoc on a victim by grabbing the information and using it to break into an account.

Like the lottery scammers that get phishing victims to divulge details by presenting them with links that go to phony login screens or forms, the people who orchestrate 2FA attacks may painstakingly create the pages that capture a victim's details, going to substantial lengths to ensure aspects like the font or graphics seem authentic.

Considering that the people received legitimate 2FA codes shortly before typing them in, most individuals wouldn't stop to think about how the forms might be fake. Indeed, this is a relatively new issue that hasn't reached mainstream consciousness yet.

A Security Researcher Makes a Tool to Bypass 2FA

Eventually, people may look back on 2019 as the year when people realized 2FA is not a foolproof method. In early January, news broke about a security researcher who created a penetration testing tool showing the potential ineffectiveness of 2FA. It's a modified reverse proxy that records all a phishing victim's interactions and traffic as they enter details into a login screen.

This example describes the phishing kits explained earlier. But, its creator says it's easier to implement and automate than other available options. If tools like this one become widely available to cybercriminals, it'd potentially become much easier for people to fool phishing victims, despite having limited tech knowledge.

Even worse, the fake forms people enter information into could seem so realistic that it becomes virtually impossible for everyday internet users to detect any oddities about them.

Advancements in 2FA

These developments illustrate why it's time for 2FA to develop beyond the method of text message codes. Fortunately, the evolution is ongoing. Some more advanced forms of 2FA send push notifications to mobile devices.

Additionally, cases exist where the second element if 2FA is not something people have, but something they are. For example, someone might fulfill the latter component of 2FA by pressing on a biometric fingerprint reader embedded in their smartphone.

Once a user interacts with those notifications, access gets granted. This method reportedly doesn't produce anything a hacker could steal. It's convenient for the user, too, because they don't need to type anything in to access the site or service. That's good news, especially since the databases maintained by the third-party companies that verify users' phone numbers and send 2FA text message codes have flaws, too.

One of those companies, called Voxox, had a database vulnerability that exposed at least 26 million text messages to a security researcher who was able to see the outgoing text messages almost in real time. Voxox took the database offline, but the event emphasizes another reason why people shouldn't blindly believe 2FA will protect them from hacks in all cases.

Hackers Continually Seek New Attack Methods

This coverage serves as a reminder that hackers keep pace with security developments and find ways to make them less effective.

Security researchers sometimes find the issues before hackers do, but people need to exercise caution nevertheless and remember how creative hackers are when they trick victims.

DSI Security Officers Prevented Mass Shooting, Shielded Fellow Officer Amid Gunfire
05/09/2025
Genetec, SaferWatch Bring Real-Time Vehicle Intelligence to Public Safety Agencies
05/08/2025
ZBeta Strengthens Its Advisory Bench with New Appointment
05/05/2025
Security Trends Reshaping Enterprise Resilience Into 2027
05/05/2025
Amerant Bank Selects Omnilert AI Technology for Enhanced Video Surveillance Security
05/02/2025
Minnesota County Is Still Reaping Huge Benefits from ASAP Service
05/01/2025
Winsted Unveils Pinnacle Collection with Sliding Worksurface
04/30/2025
Everon Awarded Sourcewell Cooperative Purchasing Contract
04/30/2025

Featured

TSA Begins REAL ID Full Enforcement Today

Today, the Transportation Security Administration (TSA) announced the imminent implementation of its REAL ID enforcement measures at TSA checkpoints nationwide. Read Now
Body-Worn Cameras on the Rise

On the evening of Oct. 29, 2024, the owner of 300 Guard based in Houston, was shot while on duty at a convenience store. He returned fire. He was wearing a plated vest and thankfully recovered in the hospital. Read Now
- Government
Brazil Port Enhances Surveillance and Supports Wildlife Conservation with Sustainable Technology

Ferroport, which operates the iron ore terminal at the Port of Açu in São João da Barra, Rio de Janeiro, Brazil, has deployed state-of-the-art video surveillance cameras from Axis Communications to enhance nighttime security and visibility, while decreasing environmental impact and prioritizing sustainability. With cutting-edge technology, the port now has precise surveillance cameras that capture high-quality nighttime images, while reducing the amount of artificial lighting that negatively impacts the surrounding ecosystem. Read Now
- Government
Fast-Forward from 1,000 B.C.E. to Today

The lock and key have been around since time immemorial. In fact, the locksmith profession is one of the oldest in the world when you consider the earliest wooden tumbler lock debuted three-plus millennia ago. Read Now
- Access Control
Verizon’s 2025 Data Breach Investigations Report Notes Alarming Cyberattack Surge Through Third Parties

Verizon Business recently released its 2025 Data Breach Investigations Report (DBIR), which reveals a significant increase in cyberattacks. The report found that third-party involvement in breaches has doubled to 30%, and exploitation of vulnerabilities has surged by 34%, creating a concerning threat landscape for businesses globally. Read Now
- Cybersecurity

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

ResponderLink

Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.
AC Nio

Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.
Hanwha QNO-7012R

The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.