Can Two-Factor Authentication Protect You From Phishing Scams?

By: Eldad Zamler


Two-factor authentication that relies on a code sent by text message to your cell phone
does not give you adequate protection against phishing scams.


In the effort to improve security, Facebook recommends using two-factor authentication:
If you set up two-factor authentication, you'll be asked to enter a special security
code or confirm your login attempt each time someone tries to access Facebook
from a computer or mobile device we don't recognize.

Google supports 2-Step Verification by asking for a six-digit code sent to your
phone after you enter your username and password.
For a significantly stronger layer of protection, however, Google recommends using
a Security Key for 2-Step Verification: a USB device plugged into the computer, which
only answers the genuine site and so has nothing the user can be tricked into retyping.

Why is a code sent by SMS to your cellular phone not good enough?
Because fraudsters can get around this obstacle with very little effort.

After clicking a scam link, the user lands on a fake website. The fake website can
tempt the user into handing over private data, and even into paying money to the fraudsters.
It is not necessary to hijack the user's account which can be protected by two-factor

When the second step is a code delivered to a cell phone, the fraudsters can also
bypass the two-factor authentication outright and take over the victim's account,
simply by relaying in real time what the victim types:

First, when the user enters his/her username and password into the HTML form on the
fake website, the fraudsters open the sign-in page of the real website in their own
browser and enter the username and password the real user has just given them.

Next, the real website sends the text message to the user's phone. When the user types
that code into a text field on the fake website, the fraudsters type the same code into
the corresponding field on the real sign-in page. From that moment the account, and the
session the real website just created, is in the hands of the fraudsters.

Note that nothing here depends on intercepting the SMS itself: any code the user can be
persuaded to type into the fake page can be relayed in the same way, as long as the
fraudsters enter it before it expires. The fake site never has to break anything; it only
has to look convincing for the few seconds the relay takes.
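Below is an added simulation of this relay, written for this page and not code from the article. It models a legitimate site with both an SMS-code flow and a security-key flow, a fraudster who replays whatever the victim types, and a victim whose browser is on the fake origin. The hostnames, usernames and passwords are made up, and an HMAC over a secret registered at enrolment stands in for a real key's public-key signature. It goes one step beyond the text by running the same relay against the security key, to show why Google's recommendation holds: the key signs the origin the browser actually visited, so the relayed response is rejected whether the fraudster forwards that origin honestly or lies about it.

```python
# Constructed demo, not code from the article: origins, names and passwords are made up.
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.real.example"   # assumed legitimate site
PHISH_ORIGIN = "https://accounts-real.example"  # assumed look-alike fake site


class RealSite:
    """Legitimate service: password first, then an SMS code or a security key."""
    def __init__(self):
        self.passwords = {}    # username -> password (plaintext only for the demo)
        self.key_secrets = {}  # username -> secret registered by the security key
        self.pending = {}      # login_id -> (username, expected code or challenge)
        self.sessions = {}     # session token -> username
        self.sms_outbox = []   # (username, code) as delivered to the user's phone

    def register(self, username, password, key_secret=None):
        self.passwords[username] = password
        if key_secret is not None:
            self.key_secrets[username] = key_secret

    def _issue_session(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def start_sms_login(self, username, password):
        if self.passwords.get(username) != password:
            return None
        login_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login_id] = (username, code)
        self.sms_outbox.append((username, code))  # "sent" to the user's phone
        return login_id

    def finish_sms_login(self, login_id, code):
        """Whoever types the right code gets the session; no origin is ever checked."""
        username, expected = self.pending.pop(login_id, (None, None))
        if username is None or not hmac.compare_digest(expected, code):
            return None
        return self._issue_session(username)

    def start_key_login(self, username, password):
        if self.passwords.get(username) != password:
            return None
        login_id = secrets.token_hex(8)
        challenge = secrets.token_hex(16)
        self.pending[login_id] = (username, challenge)
        return login_id, challenge

    def finish_key_login(self, login_id, client_origin, signature):
        """The browser reports the origin it showed the user, and the key's signature
        covers that same origin, so the server checks both."""
        username, challenge = self.pending.pop(login_id, (None, None))
        if username is None or client_origin != REAL_ORIGIN:
            return None
        expected = SecurityKey(self.key_secrets[username]).sign(challenge, client_origin)
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session(username)


class SecurityKey:
    """USB security key. A real key signs with a private key; HMAC over a registered
    secret stands in. The browser-observed origin is part of what gets signed."""
    def __init__(self, secret):
        self.secret = secret

    def sign(self, challenge, origin):
        return hmac.new(self.secret, f"{origin}|{challenge}".encode(),
                        hashlib.sha256).hexdigest()


def sms_relay_attack():
    """The relay described in the article. True if the fraudster ends up with a session."""
    real = RealSite()
    real.register("alice", "correct horse")
    # victim types name & password into the fake page; fraudster replays them at the real site
    login_id = real.start_sms_login("alice", "correct horse")
    # real site texts the code to the victim's phone; victim types it into the fake page
    _, code = real.sms_outbox[-1]
    # fraudster types the relayed code into the real sign-in page
    token = real.finish_sms_login(login_id, code)
    return token is not None and real.sessions[token] == "alice"


def security_key_relay_attack():
    """Same relay against a security key. True if either variant yields a session."""
    real = RealSite()
    key_secret = secrets.token_bytes(32)
    real.register("alice", "correct horse", key_secret)
    key = SecurityKey(key_secret)
    # Forwarding the real origin breaks the signature; forwarding the fake origin
    # fails the origin check. The victim's key only ever signs for the fake origin.
    for reported_origin in (REAL_ORIGIN, PHISH_ORIGIN):
        login_id, challenge = real.start_key_login("alice", "correct horse")
        signature = key.sign(challenge, PHISH_ORIGIN)  # browser is on the fake site
        if real.finish_key_login(login_id, reported_origin, signature) is not None:
            return True
    return False
```

Calling `sms_relay_attack()` returns True: the real site cannot tell the fraudster's browser from the victim's, because the only thing it checks is a code that the victim willingly retyped. `security_key_relay_attack()` returns False for both of the fraudster's options, which is the property the article's Security Key recommendation rests on. A real key uses a public-key signature rather than this HMAC stand-in, but the origin binding works the same way.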