“Don’t share this code with anyone!” When it comes to one-time codes and passwords, this advice would seem so axiomatic that it hardly bears repeating. Then again…
A polite request for help
We recently came across this phishing scam. A person receives an SMS message that goes roughly as follows:
“Hello, you don’t know me, but your phone number once belonged to me. I’m trying to log into an old account linked to this number, and it’s telling me that it will send a verification code in an SMS to this number. I’d like to know if it’d be OK with you if I request the code and if you can just send it back to me? If not, that’s totally fine.”
It’s true that if you leave a phone number unused for long enough, your mobile operator may disconnect it and reassign it to a new customer. So there is a chance that your number once had another owner, especially if you only got it recently. This is widely known, which is exactly what makes the pretext sound plausible.
The request is written in polite language, and it looks extremely convincing. Good-natured people appreciate politeness, and the request seems reasonable, so they are likely to agree. The code arrives and the recipient sends it to the author of the polite request, who responds with profound gratitude. But the good Samaritan has just handed over access to their account.
What really happened
Sure, there’s a small chance the message really came from a previous owner of your number who needs your help. Far more likely, it’s a phishing attempt. Here’s how it works.
In the wilds of cyberspace, the attacker discovers an e-mail address (yours) that is linked to a phone number (also yours). If you have or once had an account with Yahoo, Twitter, or LinkedIn (or one of hundreds of lesser-known services that recently leaked their user data), it’s not hard to find out which phone number is linked to your e-mail.
The target is your e-mail account. To get in, the attacker requests a password reset. The service responds by sending a verification code in an SMS to the phone number linked to the account, on the assumption that only the account owner holds that phone.
But before requesting the reset, the fraudster sends you the touchingly polite SMS above. The code is only valid for a few minutes, so you have to be primed to forward it the moment it arrives, before you have time to think. Note that the service never checks who is typing the code: whoever submits the right code for that reset attempt within the window is accepted as the owner.
With access to your e-mail, the attacker can reset the passwords for all accounts linked to the address — social media, other mail services, online wallets, and so on. The links for password reset are sent to this e-mail, and voilà! The cybercriminal has access to all your accounts — and you don’t.
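To make the mechanics above concrete, here is a small simulation of the exchange. It is an added example, not code from the original post and not any real provider's reset flow: the provider name "MailService", the address alice@example.com, the phone numbers and the 300-second code lifetime are all assumptions. It models a provider that ties a six-digit code to a specific reset attempt and accepts it from anyone who submits it in time, which is precisely why forwarding the code hands over the account.

```python
import copy
import re
import secrets

# Constructed sample data for the simulation: a single account at a mock mail
# provider. The address, phone number and password are invented.
USERS = {"alice@example.com": {"phone": "+15550100", "password": "old-secret"}}
CODE_TTL_SECONDS = 300  # assumed "valid for a few minutes" window


class Phone:
    """A handset that can only receive SMS; whoever holds it sees the codes."""

    def __init__(self, number):
        self.number = number
        self.inbox = []  # list of (sender, text)

    def receive(self, sender, text):
        self.inbox.append((sender, text))


class MailService:
    """Mock e-mail provider whose password reset is confirmed by an SMS code."""

    def __init__(self, users, network, now):
        self.users = users        # email -> account record
        self.network = network    # phone number -> Phone
        self.now = now            # clock, injected so runs are deterministic
        self.pending = {}         # reset_id -> (email, code, expires_at)

    def request_reset(self, email):
        """Anyone who knows the address can start a reset; the code goes to the
        phone linked to the account and is tied to this reset attempt."""
        phone = self.users[email]["phone"]
        code = f"{secrets.randbelow(10**6):06d}"
        reset_id = secrets.token_hex(8)
        self.pending[reset_id] = (email, code, self.now() + CODE_TTL_SECONDS)
        self.network[phone].receive("MailService", f"Your verification code is {code}")
        return reset_id

    def complete_reset(self, reset_id, code, new_password):
        """The service checks only that the code matches this reset attempt and
        has not expired. It has no way to tell who typed it."""
        entry = self.pending.get(reset_id)
        if entry is None:
            return False
        email, expected, expires_at = entry
        if self.now() > expires_at or not secrets.compare_digest(code, expected):
            return False
        self.users[email]["password"] = new_password
        del self.pending[reset_id]
        return True

    def login(self, email, password):
        return self.users[email]["password"] == password


def extract_code(sms_text):
    """Pull the six-digit code out of the provider's SMS (what the victim copies)."""
    match = re.search(r"\b\d{6}\b", sms_text)
    return match.group(0) if match else ""


def run_scam(victim_forwards_code, victim_delay_seconds=0):
    """Play the exchange through once and report who ends up with the account."""
    clock = [1_700_000_000.0]  # fake epoch clock so expiry is reproducible
    victim_phone = Phone("+15550100")
    attacker_phone = Phone("+15550199")
    network = {p.number: p for p in (victim_phone, attacker_phone)}
    service = MailService(copy.deepcopy(USERS), network, now=lambda: clock[0])

    # 1. The polite request goes out first, so the victim is primed to reply fast.
    victim_phone.receive(attacker_phone.number,
                         "Hi, this number used to be mine. Could you forward the "
                         "verification code that's about to arrive? Thanks so much!")
    # 2. The attacker starts the reset knowing only the victim's e-mail address.
    reset_id = service.request_reset("alice@example.com")
    # 3. The provider's SMS lands on the victim's phone; the attacker sees nothing.
    code_on_victim_phone = extract_code(victim_phone.inbox[-1][1])
    # 4. The victim decides whether to "help"; meanwhile the clock runs.
    clock[0] += victim_delay_seconds
    if victim_forwards_code:
        attacker_phone.receive(victim_phone.number, code_on_victim_phone)
    # 5. The attacker submits whatever was forwarded against the same reset attempt.
    forwarded = attacker_phone.inbox[-1][1] if attacker_phone.inbox else ""
    took_over = service.complete_reset(reset_id, forwarded, "attacker-chosen")
    return {
        "attacker_controls_account": took_over,
        "victim_old_password_works": service.login("alice@example.com", "old-secret"),
        "attacker_ever_received_sms_from_provider": any(
            sender == "MailService" for sender, _ in attacker_phone.inbox),
    }


if __name__ == "__main__":
    for forwards, delay in ((True, 30), (False, 30), (True, 900)):
        print(f"forwards={forwards} delay={delay}s ->", run_scam(forwards, delay))
```

Run it and the three cases line up with the story: a forwarded code within the window gives the attacker the account and locks the victim out; a refusal leaves the attacker with nothing, since the provider only ever texted the victim's phone; and a code forwarded after the window has passed is rejected, which is why the scammer needs the reply immediately.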
That’s why you should never share any verification codes that arrive in SMS, no matter how nicely anyone pleads with you for assistance. Sharing just one code could lock you out of almost your entire online existence.
How to keep your accounts on a short leash
- Never share verification codes with anyone, in SMS or over the phone. A service that sends a code to your phone treats whoever types it in as you; the code proves possession of the phone and nothing more. No legitimate service needs you to relay a code to a third party, and a code you did not request is a sign that someone is trying to get into your account.
- Enable two-factor authentication wherever possible, preferably with an authenticator app or a hardware key rather than SMS. Even if you lose access to your e-mail account, a password-reset link sent there will then not be enough on its own to take over your other accounts.
- Use security solutions on all of your devices, including mobiles. Among other protection features, they will warn you about any Trojans looking to pinch codes from SMS.