Two factor authentication scam

Apparently not everything on Twitter is useless. I heard about a two-factor authentication (2FA) attack that was targeting a user’s iCloud credentials but could probably be modified to get around other 2FA setups. A guy on twitter described the attack and here’s how it played out.

He got two messages that someone was trying to reset his iCloud password within a few minutes and he denied them both. Then a few minutes later he got a phone call and the Caller ID claimed to be from Apple. The caller said they were with Apple Security and that they had noticed two attempts to get into his iCloud account. They then said that they wanted to place him in the Enhanced Security Program, or something like that, and that they were going to send him a code and he needed to read it back to them to verify his identity. Fortunately for the guy, warning bells went off in his head and he said that that didn’t sound legit and the caller immediately hung up the phone.


For those of you who haven’t figured out what was going on – the hackers were doing the obvious method of trying to reset his password and they then called masquarading as Apple to get his 2FA code so they could reset his password and also remove his phone number from the account. If your phone number gets removed from the account, you have zero way of getting control of your account.

So the lesson here is that while 2FA massively increases the overall security posture of your accounts, hackers are coming up with newer and more creative ways to trick you into helping them bypass those codes and approval apps. If you get a call from someone claiming to be with Apple, Microsoft, your bank, or anyone who is trying to get info from you regarding your accounts, do not give it to them. They may have a very legitimate sounding reason for you to give them the code but you need to be very cautious if you did not initiate the call. Apple and Microsoft are not going to call you. Your bank’s fraud department may call you but even then, if I got that call, I’d tell them that I’ll need to call them back and then use the number on the back of my credit card, not the number they give me over the phone.

Stay safe out there.

Leave a Reply

Your email address will not be published. Required fields are marked *