Security Notice: Google Voice for 2FA

This is a quick alert. Over the past few months we’ve seen a large number of accounts compromised on several of our clients’ sites. All of them had Two-Factor Authentication. How were they hacked then?

Simple. First the attacker compromises the user’s e-mail, mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of its products, the attacker can also access voice.google.com. There, the attacker can see any SMS messages sent to you in real time. This means the attacker can now easily reset your password on any website: access to your e-mail gives them the password reset, and voice.google.com gives them the Two-Factor Authentication code.

So please, if you are using Google Voice as your Two-Factor Authentication number, don’t! And if you know someone who does, please explain this to him or her.
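
If you run a site and want to find the users exposed to this, here is an added example (not code from this notice or from any client system) that checks whether a user's password-reset mailbox and SMS second factor both hang off the same Google session. The record layout, the carrier label coming from a number-lookup service, and the `"google"` substring match are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumption: mail domains served from a personal Google account. Custom
# Google Workspace domains would need an MX lookup, which is not done here.
GOOGLE_MAIL_DOMAINS = {"gmail.com", "googlemail.com"}

@dataclass
class Account:             # hypothetical record shape, constructed for this example
    user: str
    reset_email: str       # address that receives password-reset links
    twofa: str             # "sms", "totp" or "none"
    sms_carrier: str = ""  # carrier label from a number-lookup service (assumed)

def email_root(address):
    """Name the credential that guards the reset mailbox."""
    domain = address.rsplit("@", 1)[-1].lower()
    return "google-session" if domain in GOOGLE_MAIL_DOMAINS else "mailbox:" + domain

def second_factor_root(acct):
    """Name the credential that guards the second factor, or None without 2FA."""
    if acct.twofa == "sms":
        # Assumption: the lookup labels Google Voice numbers with "google".
        if "google" in acct.sms_carrier.lower():
            return "google-session"
        return "sim:" + acct.sms_carrier.lower()
    if acct.twofa == "totp":
        return "totp-device"
    return None

def audit(acct):
    """Classify how independent the reset channel and second factor are."""
    mail, second = email_root(acct.reset_email), second_factor_root(acct)
    if second is None:
        return "no-2fa"
    if second == mail:
        return "collapsed"          # one stolen Google cookie yields both
    if second == "google-session":
        return "web-readable-sms"   # codes still readable at voice.google.com
    return "independent"

ACCOUNTS = [  # constructed sample data
    Account("alice", "alice@gmail.com", "sms", "Google Voice"),
    Account("bob", "bob@gmail.com", "totp"),
    Account("carol", "carol@example.org", "sms", "Google Voice"),
    Account("dave", "dave@gmail.com", "sms", "Example Mobile"),
]

def at_risk(accounts):
    return {a.user: audit(a) for a in accounts if audit(a) != "independent"}

if __name__ == "__main__":
    print(at_risk(ACCOUNTS))
```

Accounts reported as `collapsed` match the compromises described above: both the reset link and the SMS code are reachable from one Google cookie.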