I saw this post on Krebs yesterday, which served as yet another reminder of why you should not, under any circumstances, give out information to people who contact you out of the blue.
The gist of this particular party game is a way to beat Two-Factor Authentication. It goes something like this:
- The hacker has gained access to your information thanks to a data breach. It includes the username and password to an online account, not to mention your phone numbers and maybe some other stuff about you.
- You, having been a safe internet user, of course, have 2FA enabled just for these types of circumstances.
- The hacker contracts with a service.
- The hacker goes to the bank website, enters your username and password.
- The service calls you directly, pretending to be your bank. The caller says they are sending a code to you via SMS or authenticator app, and asks you to verify your identity that way so that they can talk to you about your account.
- Your phone or authentication app buzzes with a one-time passcode.
- You read it to the person on the phone.
- The person on the phone passes it to the hacker, who continues into your online banking account.
And so, I repeat. Do not give out any information to someone who calls you. Hang up, and call your bank directly.
Go read the whole thing for more of the details on these services, and how they work. It’s interesting. But if you remember nothing else, remember that when anyone calls and says they are calling about your account, a legal issue, etc., you should hang up and call the place they say they are calling from directly. That’s not how any legitimate business works anymore, so the second someone calls you and starts asking you to verify who you are, be suspicious and hang up.