How can scammers reset passwords without accessing the email account?



  • I've read some of the other questions here but I still can't fully wrap my head around this.

    I know there are different 2FA implementations but, assuming the hacker can't access the email account, how (in some instances) are they still able to (assuming they port out the number or intercept codes) reset passwords and ultimately take over an account?

    Doesn't the password reset still go to the email account?

    Trying to upgrade my security and this is one threat model I can't quite comprehend.



  • There are a number of methods, I believe, but the major one I'm aware of is text message hijacking. More details can be found here.

    This method used a commercial service called Sakari. It's a legitimate business that forwards one's text messages to a different device, aimed primarily at companies that want to use the SMS system for customer contact or marketing. Lucky submitted a phony Letter of Authorization indicating that they were the owner of Cox's phone number, along with a $16 payment for the cheapest tier of Sakari service. That's all it took for the researching hacker to re-route all of Cox's incoming text messages to their hardware, leaving Cox in the dark, with a phone and connected accounts that didn't show any signs of tampering.

    Once they've hijacked your number, all they need to do is request a password reset and enter the code they get. I believe there is also a method that involves contacting the person and asking for the code, although obviously that would require the target to be involved.
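To make the answer's point concrete from the defending service's side, here is an added illustration (not code from the thread or from any real service) of a toy account-recovery policy. It assumes a hypothetical `Account` record with an email, a phone number, and a flag `sms_only_reset_allowed`; with that flag on, a requester who sees only the SMS channel can complete a reset, which is exactly the situation the answer describes, while with it off the same requester is refused because the email confirmation never reaches them.

```python
"""Toy model of a password-reset policy (added illustration, not from the thread).

Assumption (hypothetical): the service stores recovery contacts per account and a
policy flag saying whether an SMS one-time code on its own may authorise a reset.
"""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Account:
    email: str
    phone: str
    sms_only_reset_allowed: bool          # the weak setting the hijack scenario relies on
    pending_codes: dict = field(default_factory=dict)


def issue_reset_codes(account: Account) -> dict:
    """Generate one fresh code per channel, as a reset endpoint would send them.
    Returns a copy representing what actually goes out over each channel."""
    for channel in ("email", "sms"):
        account.pending_codes[channel] = secrets.token_hex(4)
    return dict(account.pending_codes)


def evaluate_reset(account: Account, submitted: dict) -> tuple:
    """submitted maps channel -> code the requester was able to present.
    Returns (allowed, reason)."""
    verified = {
        ch for ch, code in submitted.items()
        if ch in account.pending_codes
        and hmac.compare_digest(code, account.pending_codes[ch])
    }
    if "email" in verified:
        return True, "email confirmation verified"
    if "sms" in verified and account.sms_only_reset_allowed:
        return True, "reset granted on SMS code alone (weak policy)"
    if "sms" in verified:
        return False, "SMS code alone is insufficient; email confirmation required"
    return False, "no valid code presented"


def reset_seen_only_from_sms(account: Account) -> tuple:
    """Model the thread's scenario: the requester can read the SMS channel
    (e.g. after the number is rerouted) but never sees the mailbox."""
    delivered = issue_reset_codes(account)
    requester_sees = {"sms": delivered["sms"]}   # email code is not available to them
    return evaluate_reset(account, requester_sees)


if __name__ == "__main__":
    weak = Account("alice@example.com", "+15550100", sms_only_reset_allowed=True)
    strong = Account("alice@example.com", "+15550100", sms_only_reset_allowed=False)
    print("weak policy:  ", reset_seen_only_from_sms(weak))
    print("strong policy:", reset_seen_only_from_sms(strong))
```

The mitigation the model shows is the one the question is really asking about: a reset channel is only as strong as the weakest contact that can complete it on its own, so a service that lets an SMS code stand alone makes the email account irrelevant to the attack.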


