Receiving an unprompted one-time passcode sent as an email or text should be a cause for concern as it likely means your credentials have been stolen.
One of the initial components of a cyberattack is the theft of legitimate credentials to corporate networks and online services.
These credentials can be stolen in phishing attacks, credential stuffing attacks, via information-stealing malware, or social engineering attacks.
The stolen credentials are then used to breach corporate networks for data theft, espionage, and ransomware attacks or to conduct financial fraud in consumers' online retail accounts.
Marketplaces devoted to selling stolen consumer online accounts make financial fraud easy, where threat actors can buy accounts for as little as $1.50 to Amazon, Marriot Bonvoy rewards accounts, Dunkin, Instacart, and many other well-known retail stores.
To better secure your online accounts, many companies offer a security feature called multi-factor authentication, which when configured, requires users to enter an additional form of verification before being allowed to log in to their account.
By using MFA, even if a threat actor successfully obtains your account credentials, they cannot log in without first passing the multi-factor verification prompt, significantly reducing successful account breaches.
This week, both a friend and a family member reached out to me stating that they received a text message from Amazon containing an MFA OTP required to log in to their account.
The text message came from the same number used in previous Amazon texts, contained no links, and simply displayed an OTP used for login.
The only difference is that they had not attempted to log into Amazon, so the OTP was unprompted and unexpected.
This meant someone else attempted to use the person's credentials at Amazon but was stopped by the two-factor verification prompt.
When receiving an unprompted 2FA code, the account holder should assume their credentials were stolen and log directly into Amazon, without clicking on any links in text messages or emails, to change their password.
If that same password is used with any of your other accounts, it should also be changed immediately on those sites.
It is also important to not think that since 2FA protected your account you no longer need to change your password.
This is a false sense of security, as threat actors have figured out ways to bypass MFA in the past, so there is no reason to give them the opportunity to do so with your account.
While SMS and email 2FA provide extra protection to your accounts, they are the most risky MFA method to use.
This is because if someone gains access to your email or phone number, such as through a SIM swapping attack, they'll also have access to your OTP codes.
Discord adds Security Key support for all users to enhance security.
Microsoft Authenticator now blocks suspicious MFA alerts by default.
Okta one-time MFA passcodes exposed in Twilio cyberattack.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 17 Dec 2023 21:45:14 +0000