The leaked NSA report shows 2-factor authentication has a critical weakness: You

Jack Morse

June 6, 2017 at 10:32 PM

So you've created a strong password, kept an eye out for sketchy links, and enabled two-factor authentication — what could possibly go wrong?

Well, it turns out the answer is "you."

As the leaked NSA report on Russian efforts to hack the computers of U.S. election officials before the 2016 presidential election demonstrates, we are all often our own biggest security weakness. The document, published by The Intercept, shows that hackers found a way around the protections offered by two-factor authentication that is striking in its simplicity: They asked the targets for their verification codes.

"If the victim had previously enabled two-factor authentication (2FA)," explains a slide detailing the Russian attack, "the actor-controlled website would further prompt the victim to provide their phone number and their legitimate Google verification code that was sent to their phone."

To translate, after tricking victims into entering their email and password into a fake Google site, the hackers found that some victims had 2FA set up on their accounts. This meant that even with the password, hackers were unable to gain access to the Gmail accounts in question — that is, unless they could get the verification codes as well.

So, again, they just straight up asked for them.

Image: nsa/the intercept

"Once the victim supplied this information to the actor-controlled website, it would be relayed to a legitimate Google service, but only after [redacted] actors had successfully obtained the victim's password (and if two-factor, phone number and Google verification code) associated with that specific email account."

Basically, the hackers were able to bypass the email security measures by requesting that the victims give them the keys to the digital castle.

Once access was gained to the accounts, which reportedly belonged to an electronic-voting vendor, the hackers would then email election officials from the hacked accounts and attempt to trick those same officials into opening script-laden Word docs that would compromise their computers.

It's an elaborate bit of spear phishing, and it reminds us that no matter what digital security practices we put in place, we can all still slip up.

In the face of everyday online threats, the best defense (other than setting up 2FA — which you should definitely still do) might be the simplest: exercise caution with every email you receive, and be paranoid as hell.

In the face of skilled Russian hackers? Well, that one's trickier, but maybe start with not handing over your email password, phone number, and 2FA verification code.

WATCH: Researchers are using sound to levitate objects, and it's changing the medical industry

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f80276%2feff195aa 5680 49b1 a6cc 7fbd4dfa62f6

Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'
Murray made a bad night on the court worse during a moment of frustration on the bench.
Yahoo Sports
Yahoo Fantasy staff's Mock Draft 1.0: Shocking picks are plentiful
Teams have made their big splashes in free agency and made their draft picks, it's time for you to do the same. It's fantasy football mock draft time. Some call this time of year best ball season, others know it's an opportunity to get a leg up on your competition for when you have to draft in August. The staff at Yahoo Fantasy did their first mock draft of the 2024 season to help you with the latter. Matt Harmon and Andy Behrens are here to break it all down by each round and crush some staff members in the process.
Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Sports
2024 Fantasy Football Mock Draft, 1.0
The Yahoo Fantasy football crew got together for their very first mock draft of 2024. Andy Behrens recaps the results.
Yahoo Finance
Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'
Ryan says he would be writing in a Republican candidate instead of voting for Donald Trump.
Yahoo Sports
Golf’s moment of truth is here, and the sport is badly flailing
Nonexistent negotiations and missed opportunities for reconciliation between the PGA Tour and LIV Golf have the sport stuck in place.
Yahoo Sports
Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from
With free agency and the draft behind us, what 32 teams look like today will likely be what they look like Week 1 and beyond for the 2024 season. Matt Harmon and Scott Pianowski reveal the post-draft fantasy power rankings. The duo break down the rankings in six tiers: Elite offensive ecosystems, teams on the cusp of being complete mixed bag ecosystems, offensive ecosystems with something to prove, offenses that could go either way, and offenses that are best to stay away from in fantasy.
Yahoo Sports
Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1
It’s key to note that we’re not saying the “best team” or “best roster.” Instead, we’re talking about the best confluence of factors that can outline a path for survival and then success.
Yahoo Sports
Cardinals lose C Willson Contreras after left arm fractured by J.D. Martinez's swing
The Cardinals' nightmare season continues.
Yahoo Sports
Fantasy Baseball Waiver Wire: Jonny DeLuca leads intriguing pickups
Fantasy baseball analyst Andy Behrens offers up a fresh batch of midweek pickups to consider, led by a former Dodgers prospect.
Yahoo Finance
These 3 stocks are poised to benefit from the massive energy transition
The energy transition will benefit companies providing electrical needs for surging demand. Analysts point to these three stocks as a Buy.
Yahoo Sports
What's wrong with the Denver Nuggets? | Devine Intervention
Dan Devine and Adam Mares discuss the Denver Nuggets and Minnesota Timberwolves after Monday night’s game 2.
Yahoo Sports
Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns
Ball hasn't played since the 2021-22 season.
Yahoo Sports
Nuggets star Jamal Murray takes ‘full responsibility’ for throwing heat pack, towel on court in Game 2 loss
Jamal Murray was fined $100,000 by the league this week for throwing things onto the court in his team's loss to the Timberwolves on Monday.
TechCrunch
Nintendo finally confirms the Switch 2 is on the way
In the most anticlimactic way possible, Nintendo on Tuesday confirmed years of rumors: The Nintendo Switch 2 console is on the way. "We will make an announcement about the successor to Nintendo Switch within this fiscal year," wrote Shuntaro Furukawa, the president of Nintendo, on X. Rather, Furukawa wanted to warn users not to expect the actual announcement in next month's Nintendo Direct livestream.
Yahoo Finance
Social Security just passed Medicare as the government's most pressing insolvency risk
An annual government report offered a glimmer of good news for Social Security and a jolt of good news for Medicare even as both programs continue to be on pace to run dry next decade.
Yahoo Sports
Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race
The value of the Dolphins and Formula One racing is enormous.
Yahoo Sports
Indianapolis Star bars columnist Gregg Doyel from covering Caitlin Clark, Fever after inappropriate exchange
Doyel is also reportedly suspended for two weeks without pay.
Yahoo Sports
NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show
Every player was dressed to impress at the 2024 NFL Draft.

News

Life

Entertainment

Finance

Sports

New on Yahoo

The leaked NSA report shows 2-factor authentication has a critical weakness: You

WATCH: Researchers are using sound to levitate objects, and it's changing the medical industry

Recommended Stories

The FDIC change that leaves wealthy bank depositors with less protection

Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'

Yahoo Fantasy staff's Mock Draft 1.0: Shocking picks are plentiful

Former NBA guard Darius Morris dies at 33

2024 Fantasy Football Mock Draft, 1.0

Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'

Golf’s moment of truth is here, and the sport is badly flailing

Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from

Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1

Cardinals lose C Willson Contreras after left arm fractured by J.D. Martinez's swing

Fantasy Baseball Waiver Wire: Jonny DeLuca leads intriguing pickups

These 3 stocks are poised to benefit from the massive energy transition

What's wrong with the Denver Nuggets? | Devine Intervention

Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns

Nuggets star Jamal Murray takes ‘full responsibility’ for throwing heat pack, towel on court in Game 2 loss

Nintendo finally confirms the Switch 2 is on the way

Social Security just passed Medicare as the government's most pressing insolvency risk

Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race

Indianapolis Star bars columnist Gregg Doyel from covering Caitlin Clark, Fever after inappropriate exchange

NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show