How Criminals Crack Two-Step Authentication

Organized crime is experimenting with malware that defeats two-step authentication, creating new headaches for banks, email providers, and their customers.

Two-step authentication is the hot new thing for service providers like Google and major banks like Chase. But organized crime, which loves swiping credit card and debit card numbers for those sweet, sweet fraudulent transactions, will find a way to crack anything. Even, it seems, two-step authentication.

McAfee just released their newest quarterly threat report (PDF), which contains info on the first bumbling attempts to create malware which cracks two-step authentication. Apparently, defeating services which send a code to your phone and then require you to enter it into your computer is difficult, but possible. Two malware apps discovered in Europe and Asia, Android/FakeBankDropper.A and Android/FakeBank.A, pose as legitimate apps for (mostly Korean) banks. The fake apps then capture login and password info... and steer incoming SMS messages, such as the new code to access online banking, to the criminal's server as well.

iOS and North American Android customers don't have much to worry about; both Apple and Google (along with Amazon) do great jobs of monitoring their online app stores for malware. But customers in other countries with unregulated app marketplaces, like China and Russia, have to use an extra bit of caution to avoid downloading account-draining malware.

[Image: Flickr user Ramona Klee]

Add New Comment

2 Comments

  • beulah752

    like Robin replied I'm startled that a person can make $6071 in 1 month on the computer. did you see this web link w­w­w.K­E­P­2.c­o­m

  • Nosmo King

    So I guess the moral to this story is to do your online banking from your PC, not your Android phone.