Your bank, credit card, and even social media accounts now require some form of two-factor authentication for access. That’s due to passwords being exposed in data breaches and many people using easy-to-guess passwords—123456 was the most common password used in 2020.

Two-factor authentication makes it harder to hack into accounts, because you need a password and a one-time code, sent by text message or generated by an app, to access the account. And although it’s more secure, it’s still not foolproof. Here are the two most common ways criminals get around it. 

Swap SIM Cards

Your phone has a SIM (subscriber identity module) card, which is a unique chip that identifies it to the cellular network. In the SIM swap attack, a hacker impersonates you, contacting your cellular carrier and claiming that you’ve gotten a new phone. The cellular carrier transfers your account to the hacker’s SIM card, and the hacker now receives text messages with your two-factor authentication codes.  

Fake Code Input

Although the authentication code isn’t static, like your password, it’s still a password of sorts that needs to be entered into a website or other portal to access your account. Just as hackers create fake login screens for Amazon, Google, and other services,  they can do the same for authentication codes. Hackers send you an email or text with a link to a fake website. This message encourages you to click on the link because, for example, there’s a problem with your account. If you enter a real authentication code on that fake site, the hackers now have it and can use it on the real website. 

Be Smart

These vulnerabilities do not mean you should turn off two-factor authentication. They show that the same human factor that makes phishing scams and other schemes work can also affect two-factor authentication. Be smart, and scrutinize links before you click. Also, ask your cellular provider what security measures it has in place to verify your identity—make sure you take advantage of all those available.