科技回声 (TechEcho)

A tech news platform built on Next.js that provides global tech news and discussion.
© 2025 科技回声. All rights reserved.

Be warned, there's a nasty Google 2 factor auth attack going around

142 points, posted by maccman almost 9 years ago

10 comments

ams6110, almost 9 years ago
So the scam is, attacker knows your gmail address and your phone number. They send you the text message about suspicious activity on your account. Then they attempt to reset the password on your gmail account. That triggers Google to send you the code. You reply to the attacker's message with the code as instructed, and they own your account.
Reply #11841748 (not loaded)
Reply #11842860 (not loaded)
JohnTHaller, almost 9 years ago
This isn't a 2 factor attack. It's a social engineering Google account password reset attack. The attacking party is resetting your Google password and asking you to provide to them the code Google sends via text to your registered mobile number.
Reply #11842371 (not loaded)
Reply #11842365 (not loaded)
azinman2, almost 9 years ago
I wonder if this is at all related to a phishing attempt that just got my mom and all her friends. It came in as a "docusign" email that looked reasonably legit (to an ordinary person) that just had one button to sign and review a document. Apparently they asked for email, email password, and phone number. I was surprised to learn about the phone number bit and how they'd use it. Something like this is probably how.

While I'd have thought entering your email password would have been red flag galore, my mom and her friends were all exploited by the social trust aspect: "I figured if it was coming from you it would be real."
Reply #11843034 (not loaded)
Reply #11841918 (not loaded)
yborg, almost 9 years ago
Clever. If you've never actually had 2FA trigger before to know how it works, you could fall for this.
tjohns, almost 9 years ago
This is one of the nice things about using a hardware security key (FIDO U2F), like Yubikey.

Since the security key works with the browser to ensure it's communicating directly with a specific site, you can't MITM them like you can mobile app (TOTP) or SMS-based two-factor codes.

I wish more browsers would add support for them.
libeclipse, almost 9 years ago
This "attack" could be semi-mitigated by using Authy or Google Authenticator instead of SMS. If users knew to never ever paste the generated codes anywhere but the site, this attack wouldn't exist at all.
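The two comments above (tjohns on U2F, libeclipse on TOTP) make a claim worth seeing in code: an SMS or TOTP code is just a string, so whatever page or text message the victim reads it from, it verifies at the real site; a U2F assertion is a signature over the origin the browser actually saw, so a code relayed through a look-alike site fails verification. The simulation below is an added example, not code from the thread or from any FIDO implementation. The TOTP part is the real RFC 6238 algorithm; the U2F part keeps the structure of the signed data (origin hash, counter, challenge hash) but, as an assumption to stay stdlib-only, substitutes an HMAC with a per-credential key for the ECDSA P-256 signature a real token produces. The origin names are constructed.

```python
import hashlib
import hmac
import struct

# Constructed origins for the simulation (assumption, not from the thread).
REAL_ORIGIN = "https://accounts.real.example"
PHISH_ORIGIN = "https://accounts-real.example"   # look-alike relay site


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code depends only on the shared
    secret and the clock; nothing in it says where the user typed it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_relay(secret: bytes, unix_time: int) -> bool:
    """Victim reads the current code on the phishing page (or from an SMS) and
    hands it over; the attacker submits it to the real site within the same
    time step. The real site can only check secret + time, so it accepts."""
    code_given_to_attacker = totp(secret, unix_time)      # entered on PHISH_ORIGIN
    return hmac.compare_digest(code_given_to_attacker, totp(secret, unix_time))


def u2f_sign(cred_key: bytes, browser_origin: str, challenge: bytes, counter: int) -> bytes:
    """Token-side: sign over hash(origin the browser saw) || counter || hash(challenge).
    A real U2F token uses ECDSA P-256 here; HMAC-SHA256 with a per-credential key
    stands in so the example runs with the standard library only (assumption)."""
    signed_data = (hashlib.sha256(browser_origin.encode()).digest()
                   + struct.pack(">I", counter)
                   + hashlib.sha256(challenge).digest())
    return hmac.new(cred_key, signed_data, hashlib.sha256).digest()


def u2f_verify(cred_key: bytes, challenge: bytes, counter: int, signature: bytes) -> bool:
    """Relying-party side: rebuild the signed data under the origin the site
    expects for itself and check the signature against that."""
    expected = u2f_sign(cred_key, REAL_ORIGIN, challenge, counter)
    return hmac.compare_digest(expected, signature)


def u2f_legit(cred_key: bytes, challenge: bytes) -> bool:
    """User is really on REAL_ORIGIN: the browser passes that origin to the token."""
    sig = u2f_sign(cred_key, REAL_ORIGIN, challenge, counter=1)
    return u2f_verify(cred_key, challenge, 1, sig)


def u2f_relay(cred_key: bytes, challenge: bytes) -> bool:
    """Phishing site relays the real site's challenge unchanged, but the browser
    tells the token the origin it is actually on, so the signature covers
    PHISH_ORIGIN and the real site rejects it."""
    sig = u2f_sign(cred_key, PHISH_ORIGIN, challenge, counter=1)
    return u2f_verify(cred_key, challenge, 1, sig)


if __name__ == "__main__":
    secret, cred_key, challenge = b"totp-seed", b"credential-key", b"server-nonce"
    print("TOTP code relayed through phishing site accepted:", totp_relay(secret, 1_700_000_000))
    print("U2F assertion from the real origin accepted:      ", u2f_legit(cred_key, challenge))
    print("U2F assertion relayed through phishing site accepted:", u2f_relay(cred_key, challenge))
```

The TOTP function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59, 8 digits gives `94287082`), so the relay result is not an artifact of a toy implementation: the code really is origin-agnostic. The only thing separating the two outcomes is that the U2F signed data includes the origin, which the browser supplies and the phishing page cannot override.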
tehwebguy, almost 9 years ago
A friend is currently receiving spear phishing attempts via text. Claims their lost iPhone has been found and that they need to log into icloud10 . com
koolba, almost 9 years ago
While you're at it, verify that your password has not been hacked by entering it here: hxxp://evil.example.com/password-checker
Reply #11842477 (not loaded)
Reply #11842762 (not loaded)
fragsworth, almost 9 years ago
How can this possibly work?

Even if an attacker gets the phone code, they should still need your password to sign in. How do they get past that?
Reply #11841833 (not loaded)
jschwartzi, almost 9 years ago
I guess I'm going to go set all my security question answers to random 64-byte strings that are base-64 encoded.
Reply #11842129 (not loaded)