One-time passwords and 2FA codes — what to do if you receive one without requesting it | Kaspersky official blog
Over the past few years, we’ve become accustomed to logging into important websites and apps, such as online banking ones, using a password and another verification method. This could be a one-time password (OTP) sent via a text message, email or push notification, a code from an authenticator app or even a special USB device — a token. This way of logging in is called two-factor authentication (2FA), and it makes hacking much more difficult. Stealing or guessing a password alone is no longer enough to hijack an account. But what should you do if you haven’t tried to log in anywhere, but suddenly receive a one-time code or a request to enter it?
There are three reasons why this situation might occur:
A hacking attempt. Hackers have somehow learned, guessed, or stolen your password and are now trying to use it to access your account. You have received a legitimate message from the service they are trying to access.
Preparation for a hack. Hackers have either learned your password or are trying to trick you into revealing it, in which case the OTP message is a form of phishing. The message is fake, although it may look very similar to a genuine one.
Just a mistake. Sometimes online services are set up to first request a confirmation code from a text message, and then a password, or to authenticate with just one code. In this case, another user could make a typo and enter your phone number or email address instead of theirs — and you’ll receive the code.
As you can see, there may be a malicious intent behind this message. But the good news is that at this stage, there has been no irreparable damage, and by taking the right action you can avoid any trouble.
What to do when receiving a code request
Most importantly, do not click the confirmation button if the message is in the “Yes/No” form, do not log in anywhere, and do not share any received codes with anyone.
If the code request message contains links, do not follow them.
These are the most essential rules to follow. As long as you don’t confirm your login, your account is safe. However, it’s highly likely that your account’s password is known to attackers. Therefore, the next thing to do is to change the password for this account. Go to the relevant service by entering its web address manually, not by following a link. Enter your password, get a new (that’s important!) confirmation code, and enter it. Then find the password settings and set a new strong password. If you use the same password for other accounts, you’ll need to change the password for them, too — but make sure to create a unique password for each account. We understand that it’s difficult to remember so many passwords, so we highly recommend storing them in a dedicated password manager.
This stage — changing your passwords — is not so urgent. There’s no need to do it in a rush, but also don’t postpone it for another day. For valuable accounts (like banking), attackers may try to intercept the OTP if it is sent via a text message. This is done through SIM swapping (registering a new SIM card to your number) or attacking via the operator’s service network, utilizing a flaw in the SS7 communications protocol. Therefore, it’s important to change the password before they attempt such an attack. In general, one-time codes sent in text messages are less reliable than authenticator apps and USB tokens. We recommend always using the most secure 2FA method available; a review of different two-factor authentication methods can be found here.
What to do if you’re receiving a lot of OTP requests
In an attempt to make you confirm a login, hackers may bombard you with codes. They try to log in to the account again and again, hoping either that you’ll make a mistake and click “Confirm”, or that you’ll go to the service and disable 2FA out of annoyance. It’s important to keep cool and do neither. The best thing to do is go to the service’s site as described above (open the site manually, not through a link) and quickly change the password; but for this, you’ll need to receive and enter your own, legitimate OTP. Some authentication requests (for example, warnings about logging into Google services) have a separate “No, it’s not me” button — usually, pressing it causes automated systems on the service side to block the attacker and any further 2FA requests. Another option, albeit not the most convenient one, would be to switch the phone to silent or even airplane mode for half an hour or so until the wave of codes subsides.
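To make the service-side behaviour described above concrete, here is an added example (not Kaspersky's code, nor any real service's) of how a login backend can throttle a flood of 2FA challenges and honour a “No, it’s not me” report. The event format, the window and threshold values, and the helper names are assumptions made for the illustration; the sample events are constructed.

```python
"""Throttling 2FA challenges and honouring a user's "not me" report.

Added example, not code from the original article or from Kaspersky.
Event format, thresholds and helper names are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600   # look-back window for counting challenges (assumed value)
MAX_CHALLENGES = 5     # challenges per (account, source) per window (assumed value)


@dataclass
class ChallengeGuard:
    """Tracks issued 2FA challenges and decides whether to issue another."""
    # (account, source_ip) -> timestamps of recently issued challenges
    recent: dict = field(default_factory=lambda: defaultdict(deque))
    # sources the legitimate user has reported via "No, it's not me"
    blocked_sources: set = field(default_factory=set)

    def on_login_attempt(self, account, source_ip, now):
        """Return (issue_challenge, reason) for an attempt with a correct password."""
        if source_ip in self.blocked_sources:
            return False, "blocked: user reported this source as not theirs"
        window = self.recent[(account, source_ip)]
        # drop challenges older than the look-back window
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_CHALLENGES:
            return False, "throttled: too many challenges in window"
        window.append(now)
        return True, "challenge issued"

    def on_user_denial(self, source_ip):
        """The user pressed 'No, it's not me': stop prompting from that source."""
        self.blocked_sources.add(source_ip)


# Constructed sample: (account, source ip, unix time, event kind).
# Six rapid attempts from one source, the user's denial, one more attempt from
# the denied source, then the user's own login from a different address.
SAMPLE_EVENTS = [
    ("alice", "198.51.100.7", 1000, "login"),
    ("alice", "198.51.100.7", 1005, "login"),
    ("alice", "198.51.100.7", 1010, "login"),
    ("alice", "198.51.100.7", 1015, "login"),
    ("alice", "198.51.100.7", 1020, "login"),
    ("alice", "198.51.100.7", 1025, "login"),
    ("alice", "198.51.100.7", 1030, "deny"),
    ("alice", "198.51.100.7", 1035, "login"),
    ("alice", "203.0.113.9", 1040, "login"),
]


def replay(events, guard=None):
    """Feed events through the guard; return (ts, account, ip, issued, reason) rows."""
    guard = guard if guard is not None else ChallengeGuard()
    log = []
    for account, ip, ts, kind in events:
        if kind == "login":
            issued, reason = guard.on_login_attempt(account, ip, ts)
        else:  # "deny": the user pressed "No, it's not me" for this source
            guard.on_user_denial(ip)
            issued, reason = False, "denial recorded; source blocked"
        log.append((ts, account, ip, issued, reason))
    return log


def summarize(log):
    """Count issued, throttled and blocked challenges in a replay log."""
    return {
        "issued": sum(1 for row in log if row[3]),
        "throttled": sum(1 for row in log if row[4].startswith("throttled")),
        "blocked": sum(1 for row in log if row[4].startswith("blocked")),
    }


if __name__ == "__main__":
    rows = replay(SAMPLE_EVENTS)
    for ts, account, ip, issued, reason in rows:
        print(f"{ts:>5} {account:<6} {ip:<14} {'SEND' if issued else 'DROP'} {reason}")
    print(summarize(rows))
```

Keying the rate limit by (account, source) rather than by account alone is the design choice that lets the legitimate user still receive their own code from their own device while the attacker's source is throttled, which matters because, as the article notes, changing the password requires entering a legitimate OTP.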
What to do if you accidentally confirm a stranger’s login
This is the worst-case scenario, as you have likely allowed an attacker into your account. Attackers act quickly, changing settings and passwords, so you’ll have to play catch-up and deal with the consequences of the hack. We’ve provided advice for this scenario here.
How to protect yourself?
The best method of defense in this case is to stay one step ahead of the criminals: si vis pacem, para bellum. This is where our security solution comes in handy. It tracks leaks of your accounts linked to both email addresses and phone numbers, including on the dark web. You can add the phone numbers and email addresses of all your family members, and if any account data becomes public or is discovered in leaked databases, Kaspersky Premium will alert you and give advice on what to do.
Included in the subscription, Kaspersky Password Manager will warn you about compromised passwords and help you change them, generating new uncrackable passwords for you. You can also add two-factor authentication tokens to it or easily transfer them from Google Authenticator in a few clicks. Secure storage for your personal documents will safeguard your most important documents and files, such as passport scans or personal photos, in encrypted form so that only you can access them.
Moreover, your logins, passwords, authentication codes and saved documents will be available from any of your devices — computer, smartphone or tablet — so even if you somehow lose your phone, you won’t lose your data and access, and you’ll be able to easily restore them on a new device. And to access all your data, you only need to remember one password — the main one — which is not stored anywhere except in your head and is used for banking-standard AES data encryption.
With the “zero disclosure principle”, no one can access your passwords and data — not even Kaspersky employees. The reliability and effectiveness of our security solutions have been confirmed by numerous independent tests, and our home protection solutions received the highest award — “Product of the Year 2023” — in tests by the independent European laboratory AV-Comparatives.