Prevent 2FA Attacks on your accounts

Cover Image for Prevent 2FA Attacks on your accounts
Amit Ripshtos

TLDR: Do not share 2FA code you get from SMS-es to other people. Also - Scroll down to copy a message that you can share with your friends and family about the subject to help them avoid hacker attacks, too.

In today’s digital age, securing our online accounts is more crucial than ever. Two-factor authentication (2FA) is a popular method to enhance security, but it’s also a target for malicious actors. Here's what you need to know.

What is a 2FA Number?

Two-factor authentication (2FA) adds an extra layer of security to your online accounts by requiring not just a password, but also a second piece of information—often a code sent to your phone. Services like WhatsApp, Facebook, and Instagram use 2FA to protect user accounts. For example:

  • WhatsApp: Sends a 6-digit code via SMS.
  • Facebook: Provides a code via SMS or an authentication app.
  • Instagram: Uses SMS codes or authentication apps.

Why Malicious Actors Want Your 2FA Number

Malicious actors aim to steal your 2FA number to gain unauthorized access to your accounts. With this information, they can bypass security measures, lock you out, and potentially commit fraud or identity theft. The primary goal is to take over accounts, steal personal data, or scam your contacts.

How They Do It

  1. Account Recovery Scams: Attackers exploit the "forgot my password" process. They initiate a password reset and contact you, pretending to be a service provider, requesting the 2FA code sent to your phone.
  2. Impersonation: They use hacked accounts of people you know, contacting you via WhatsApp or email, and ask for the 2FA code, pretending it's for their own account recovery.

Together with those 2 methods, it is likely to fall a victim of this attack.

How easy is to execute an attack

Attackers don't need to be sophisticated, as sending SMS using services like Twilio is pretty easy. For example, sending an SMS with Twilio and Python requires only four lines of code:

# Create Twilio client
client = Client(account_sid, auth_token)
# Send SMS
# in body part you have to write your message
message = client.messages.create(
    body='This is a new message',

Putting the Attack to the Test

To illustrate how easily people can fall victim to this type of attack, we conducted a small experiment. We sent an SMS to our friends and family, impersonating a WhatsApp 2FA message. Then, we used WhatsApp to message them, pretending to be a trusted contact whose account had been "hacked," and asked them to provide the SMS content.

The results

Many of our friends and family members sent the 2FA token without hesitation, demonstrating how quickly someone can be tricked into compromising their account security. Here are some examples:

These examples highlight how important it is to be aware of these tactics and to always verify requests for sensitive information, even when they appear to come from trusted contacts.

How to Prevent This Attack

  • Never Share Your 2FA Code: Legitimate services will never ask for your 2FA code via text, email, or call (you should use the code only in the application or browser if you initiated the login).
  • Verify Requests: If someone you know asks for a 2FA code, verify their identity through a different communication channel.
  • Be Skeptical of Urgency: Scammers often create a sense of urgency to trick you into providing information without thinking it through.
  • Use Authentication Apps: Consider using authentication apps instead of SMS for added security.

By understanding these tactics and being vigilant, you can protect your accounts from being compromised. Stay safe online!

Spead the word

To make it simple, we crafted a message you can share with your friends and family that explains this kind of attack and how to prevent it:

My dear family!

I wanted to share something important about keeping your WhatsApp and Facebook accounts safe:

Don't share any SMS that includes "2FA," "code," or has 4-6 random numbers. This is a "2FA code" used to reset passwords for your WhatsApp / Facebook / Google account.

If someone asks for this code, call them first to make sure it's really them. They might have been hacked too.

Love you all, stay safe! 😊