How Iranian hackers blew a hole in Gmail’s two-step verification

Gmail is by far the world’s most popular web email platform, with around 425 million monthly active users. That’s why keeping its users’ data secure is a major priority – and why hackers are going to increasing lengths to break in.

In 2011 Google introduced 2-step verification for its Gmail users – an optional security measure that adds an extra layer of protection to an account, should its password be stolen or compromised.

When setting up the security measure, the user provides their mobile number; if they later sign in from a different computer or device, a code is sent to their smartphone, which they then type in.

2-step verification or 2-factor authentication (2FA) is not a new concept, but has become more common in recent years as smartphone technology has made it easier to implement.

In a world where the inadequacy of password-based security is now well known and hackers regularly break directly into cloud companies and steal mass databases of passwords, it can provide that much-needed assurance.

But the technology is far from infallible – a new report from security research institute Citizen Lab has revealed how hackers have skirted round Gmail’s extra security layer. The report shows how hackers are using text messages and phone-based phishing attacks to circumvent Gmail’s security and take over their victims’ accounts.

Iranian political activists were specifically targeted through their smartphones, and sent messages appearing to come from Google reporting unauthorised access to their accounts. They were then asked to reset their password through a specially set-up fake page.

The hackers then tried, in real time, to log into the victims’ accounts using the password they had just been given, which triggered the sending of a (real) security code to the target. The victim typed that code into the bogus page, handing it to the hackers and giving them access to the account.

As Citizen Lab explains, adding two-factor authentication to an account means attackers have to expend more effort, in real time, to obtain two pieces of information (a password and a security code) rather than phishing for just one. This makes large-scale attacks of this kind unlikely, because they would require ‘serious automation.’

But real-time 2FA phishing is on the rise, say the researchers, as attackers learn new methods by trial and error.

‘Some of the malware-based campaigns that target 2FA have been tracked for several years,’ says Citizen Lab, ‘and are highly involved, and involve convincing targets to install separate Android apps to capture one-time passwords.’

Other types of these attacks exploit phone number changes, SIM card registrations and badly protected voicemail.

The report recommends that Gmail users turn on two-factor authentication, since overall they will be safer with it. Google recommends that, for increased security, you use the Google Authenticator app rather than the text-message-based approach.

‘And if you want to take the next step and prevent this whole class of phishing,’ says the report, ‘consider investing in an inexpensive U2F Key to use with compatible online accounts.’
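The difference between the relayed SMS code described above and the U2F key the report recommends comes down to what the second factor is bound to. The simulation below, added here and not part of the report or the article, models a login service with both factors: a six-digit code carries no information about where the victim typed it, so forwarding it works, whereas a U2F response is computed over the origin the browser was actually on, so a response produced on the fake page fails at the real site even if the attacker claims it came from the real origin. Origins, password and key material are constructed, and an HMAC stands in for the token's public-key signature.

```python
import hmac
import hashlib
import secrets

REAL_ORIGIN = "accounts.example.com"        # constructed stand-in for the real login site
PHISH_ORIGIN = "accounts-security.example"  # constructed stand-in for the fake reset page
PASSWORD = "correct horse battery"          # constructed victim password


def sign(key, origin, challenge):
    # Stand-in for the U2F token signing (origin, challenge); the browser, not the
    # page, supplies the origin, so a token on the fake page signs PHISH_ORIGIN.
    return hmac.new(key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class RealSite:
    """Simulated login service: password first, then an SMS code or a U2F response."""

    def __init__(self, token_key):
        self.token_key = token_key          # stands in for the registered U2F public key
        self.pending_otp = None
        self.pending_challenge = None

    def login_password(self, password):
        if not hmac.compare_digest(password, PASSWORD):
            return False
        self.pending_otp = f"{secrets.randbelow(10**6):06d}"  # the (real) SMS code
        self.pending_challenge = secrets.token_hex(16)          # fresh U2F challenge
        return True

    def verify_otp(self, code):
        # The code says nothing about which page the user typed it into.
        return self.pending_otp is not None and hmac.compare_digest(code, self.pending_otp)

    def verify_u2f(self, claimed_origin, sig):
        # The site recomputes over its own origin; a response made elsewhere cannot match.
        expected = sign(self.token_key, REAL_ORIGIN, self.pending_challenge)
        return claimed_origin == REAL_ORIGIN and hmac.compare_digest(sig, expected)


def sms_relay(site):
    """Victim enters password, then the real SMS code, on the fake page; both get forwarded."""
    site.login_password(PASSWORD)          # phished password triggers the real SMS
    typed_by_victim = site.pending_otp     # victim reads the SMS and types it into the fake page
    return site.verify_otp(typed_by_victim)


def u2f_relay(site):
    """Same flow with a U2F key: the browser signs the forwarded challenge with the fake origin."""
    site.login_password(PASSWORD)
    sig = sign(site.token_key, PHISH_ORIGIN, site.pending_challenge)
    return site.verify_u2f(REAL_ORIGIN, sig)   # attacker even claims the real origin


def legitimate_u2f(site):
    site.login_password(PASSWORD)
    sig = sign(site.token_key, REAL_ORIGIN, site.pending_challenge)
    return site.verify_u2f(REAL_ORIGIN, sig)
```

Running `sms_relay` and `u2f_relay` against fresh `RealSite` instances shows the first succeeding and the second failing, while `legitimate_u2f` still passes.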

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
