Your Google account is the gateway to almost everything the average criminal hacker could want, including access to your Gmail inbox and the treasure trove of sensitive information it contains. Protecting your Google account is critical in the war against hacking, and two-factor authentication remains one of the most recommended weapons in the Gmail defense armoury. A new warning has now been issued by law enforcement as cybercriminals are actively bypassing that 2FA account protection to gain unfettered access to email data. Here’s everything you need to know and, most importantly, how to stop the 2FA-bypass hackers.
New Gmail Warning As 2FA Bypass Attacks Underway
The Federal Bureau of Investigation published an October 30 public alert relating to the theft of what are known as session cookies by cybercriminals in order to bypass 2FA account protections. The FBI Atlanta division’s warning stated that hackers are “gaining access to email accounts by stealing cookies from a victim’s computer.” Gmail, being the world’s biggest free email service with more than 2.5 billion active accounts, according to Google, is naturally a prime target for these ongoing attacks.
The FBI warning comes in addition to the awareness campaign I have been running over the last year or so on the dangers of 2FA bypass attacks and session cookie theft for Gmail users, as well as for those using other web email platforms. That these types of attacks are a prime method for cybercriminals looking to compromise Gmail accounts is now a given, so let’s cut straight to the chase and look at the best ways to mitigate the threat.
Mitigating The Gmail 2FA Bypass Attack Threat
Let’s start with the mitigation advice presented by the FBI in Atlanta, which is sound but runs straight into the all-important trade-off between usability and security. If a security measure makes something more complicated to use, people will ignore it. The advice is to “recognize the risks of clicking the “Remember Me” checkbox when logging into a website.” Session cookies can be generated when you log in to a site and tick the “remember this device” checkbox to save you the hassle of having to log in, complete with 2FA, every time you return. I’d file this advice under sensible and nice to have, but ultimately destined to be ignored by most users.
Awareness and staying alert to the risk of attack remain the primary mitigations when it comes to session cookie theft. Most such attacks start with a phishing email or message that aims to redirect you to a cloned Google account login page. You are asked to complete the username and password entry as you would expect and then, in order both to instil trust that this is a genuine page and to initiate the cookie theft itself, you are presented with what will look like a genuine 2FA challenge. The attackers are actually looking to intercept the response in order to bypass the security measures, capturing the session cookies to reuse when accessing your account. A Google spokesperson has said that there are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks.” That’s probably the best advice I can offer: use a passkey rather than a code sent by SMS, or even one generated by an authentication application. “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” the Google spokesperson said.
If you use Google Chrome as your web browser, then from version 127 onward you are also protected by app-bound encryption. Chrome encrypts data tied to identity in much the same way as macOS users experience with Keychain protection. This prevents any app running as the logged-in user from gaining access to secrets such as session cookies. Add to that the fact that Google also provides protections such as safe browsing, device-bound session credentials and Google’s account-based threat detection feature. As long as you are careful what you click, then most Gmail users, most of the time, will stay secure from the 2FA bypass threat.
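To make concrete why a stolen session cookie is enough on its own, and why the device-bound session credentials mentioned above blunt the attack, here is an added illustration that is not part of the original article and not Google’s or Chrome’s code. It models two servers: a traditional one that trusts whoever presents the cookie, and one that binds the cookie at login to a key held by the device and demands a fresh proof of possession on every request. The `Device`, `CookieOnlyServer` and `BoundSessionServer` classes are constructed for this example; the HMAC secret stands in for the hardware-backed private key a real implementation would keep in the OS keystore or TPM, where a cookie thief running on the machine cannot copy it.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Device:
    """Constructed stand-in for a browser with a hardware-backed session key.

    A real device-bound credential uses an asymmetric key pair whose private
    half never leaves the keystore/TPM; an HMAC secret is used here only so
    the example runs on the standard library alone.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def enrol_key(self) -> bytes:
        # Hypothetical enrolment step: what the browser registers at login.
        return self._key

    def prove(self, nonce: bytes) -> bytes:
        # Proof of possession over a server-chosen nonce.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class CookieOnlyServer:
    """Traditional design: the cookie is the whole credential."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def request(self, cookie: str) -> Optional[str]:
        # Anyone holding the cookie, including a thief, is treated as the user.
        return self._sessions.get(cookie)


class BoundSessionServer:
    """Cookie bound to a device key; each request needs a fresh proof."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def login(self, user: str, device_key: bytes) -> str:
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "key": device_key, "nonce": None}
        return cookie

    def challenge(self, cookie: str) -> Optional[bytes]:
        s = self._sessions.get(cookie)
        if s is None:
            return None
        s["nonce"] = secrets.token_bytes(16)  # fresh per request: proofs cannot be replayed
        return s["nonce"]

    def request(self, cookie: str, proof: bytes) -> Optional[str]:
        s = self._sessions.get(cookie)
        if s is None or s["nonce"] is None:
            return None
        expected = hmac.new(s["key"], s["nonce"], hashlib.sha256).digest()
        s["nonce"] = None  # single use, consumed whether or not the proof is valid
        if not hmac.compare_digest(expected, proof):
            return None
        return s["user"]


def demo() -> dict:
    """Runs the scenarios from the article against both server designs."""
    results = {}
    victim = Device()

    # Cookie-only server: a cookie captured during a phished login works anywhere.
    plain = CookieOnlyServer()
    stolen_cookie = plain.login("alice")
    results["cookie_only_replay"] = plain.request(stolen_cookie)

    # Bound server: the legitimate device answers the challenge and is accepted.
    bound = BoundSessionServer()
    cookie = bound.login("alice", victim.enrol_key())
    results["legit"] = bound.request(cookie, victim.prove(bound.challenge(cookie)))

    # The same cookie presented from another machine lacks the device key.
    other_machine = Device()
    results["stolen_cookie"] = bound.request(cookie, other_machine.prove(bound.challenge(cookie)))

    # A proof captured in transit is useless once its nonce has been consumed.
    proof = victim.prove(bound.challenge(cookie))
    results["first_use"] = bound.request(cookie, proof)
    results["replayed_proof"] = bound.request(cookie, proof)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted as ' + outcome if outcome else 'rejected'}")
```

The contrast is the whole point: the cookie-only server accepts the replayed cookie, while the bound server rejects both the cookie presented from a different device and a captured proof reused after its nonce has been spent. The real protection rests on the device key being non-exportable, which is exactly what app-bound encryption and hardware-backed keystores exist to provide.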