How Criminals Crack Two-Step Authentication

Organized crime is experimenting with malware that defeats two-step authentication, creating new headaches for banks, email providers, and their customers.

How Criminals Crack Two-Step Authentication

Two-step authentication is the hot new thing for service providers like Google and major banks like Chase. But organized crime, which loves swiping credit card and debit card numbers for those sweet, sweet fraudulent transactions, will find a way to crack anything. Even, it seems, two-step authentication.

McAfee just released their newest quarterly threat report (PDF), which contains info on the first bumbling attempts to create malware which cracks two-step authentication. Apparently, defeating services which send a code to your phone and then require you to enter it into your computer is difficult, but possible. Two malware apps discovered in Europe and Asia, Android/FakeBankDropper.A and Android/FakeBank.A, pose as legitimate apps for (mostly Korean) banks. The fake apps then capture login and password info… and steer incoming SMS messages, such as the new code to access online banking, to the criminal’s server as well.

iOS and North American Android customers don’t have much to worry about; both Apple and Google (along with Amazon) do great jobs of monitoring their online app stores for malware. But customers in other countries with unregulated app marketplaces, like China and Russia, have to use an extra bit of caution to avoid downloading account-draining malware.

[Image: Flickr user Ramona Klee]

About the author

Based in sunny Los Angeles, Neal Ungerleider covers science and technology for Fast Company. He also works as a consultant, writes books, and does other things.



More Stories