Two-factor authentication adds an extra layer of protection to a user’s online accounts.
With this extra security layer, the user first enters the account password, and then a temporary code known as a one-time password (OTP) is sent to the account owner’s smartphone. That code must then be entered to complete the login process.
Hackers have found a way to defeat two-factor authentication by sneaking malware onto victims’ smartphones.
Researchers at cybersecurity firm Symantec have discovered malware that can steal OTP codes and use them to hijack a user’s accounts.
The malware has been found on Android smartphones and is known as Android.Bankosy.
The malicious code specifically targets two-factor authentication codes delivered by automated phone call.
Android.Bankosy redirects the user’s phone calls to the attacker’s phone, letting the attacker steal the OTP code and access the account.
Many two-factor authentication systems use text messages, and Symantec says it has discovered malware capable of stealing those codes as well.
This type of hack is especially lucrative for hackers because many banking systems now use two-factor authentication to protect users who access their accounts from desktops, tablets, and mobile devices.
Before hackers can use this type of two-factor malware, they must first gain access to a user’s smartphone and install malicious code. Smartphone users are urged to keep their device software up to date and avoid downloading software from third-party platforms outside of the Google Play store.