A Text Message Mess
By Kristin Cohen, Office of Technology Research and Investigation, FTC - July 9, 2015
Editor’s Note: Due to the OPM data breach, CHIPS magazine continues to caution readers to be on guard against potential scams. For the latest information from OPM please visit the OPM Website: Additional assistance is available from the Secretary of the Navy dedicated DON website to increase communications regarding the data breach:

Let me set the scene: your friend John is rushing to get his daughter from school and his son to the soccer field, and he still needs to stop at the grocery store because there’s nothing in the fridge. In the midst of this everyday madness, he gets a text message from Google with a verification code. He thinks, “That’s weird. Maybe I should log in to my email and see what’s going on.”

Before he has a chance, he gets another message. It says:

Google has detected unusual activity on your account. Please reply with the verification code sent to your mobile device to stop unauthorized activity.

What should John do?

It’s quite possible that he might reply with the code — especially while he’s distracted, and worried that he might lose access to his email. Unfortunately, if he sends the code, he’ll be giving a hacker access to his email account.

Here’s what happened behind the scenes:

1. A hacker who has John’s email address and mobile number went to the email login screen, clicked “Forgot Password,” and asked for a verification code via text message.

2. John got the verification code on his phone.

3. The hacker — pretending to be John’s email provider — sent him a text message and asked for the code.

4. John forwarded the code to the hacker, and the hacker had everything he needed to complete the login process.

The hacker could gather a lot of information about John while snooping through his email. He also could change John’s settings, so future emails sent to John are forwarded to the hacker. It could be a long time before John notices this change.

So, what can you do?

Don’t send verification codes to anyone via text or email. Use these codes only on the login page. And if you get a verification code that you didn’t request, let your provider know about it. That could be a sign that someone is tampering with your account.

If you suspect that someone has hacked into your email, see the video on the Federal Trade Commission website for guidance on what to do:


CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988