Week 19: Smartphone – an Achilles' heel: How cybercriminals undermine two-factor authentication

14.05.2024 - Access to many applications on the internet is now protected by two-factor authentication. Smartphones are playing an increasingly important role as a second security factor when logging into online applications. Cybercriminals therefore try to gain access to these devices in order to obtain the login data. A case reported to the NCSC last week shows that entering a password in a phishing attack on an apparently non-critical internet service may nonetheless have serious consequences. It may also undermine the two-factor authentication process.

The email address is often also used as the username. If the user has forgotten their password, they can simply have a link sent to their email address, which they can then use to change their password. If a hacker succeeds in compromising the email account, they can use the password reset function to gain access to numerous internet services that are linked to that account. Hackers are therefore increasingly focusing their phishing attacks on email accounts. However, a case reported to the NCSC last week shows that compromising an email account is not the only gateway for numerous downstream hacking attempts. It is also an example of how hackers proceed step by step and react to the victim according to the situation.

In this particular phishing attack, the customer portal account of a mobile phone provider was hacked. The hackers initially managed to elicit the password for this account from the victim via a phishing page. Their ultimate intention was to create an eSIM; to do this, they also had to persuade the victim to forward the verification code that was sent via text message. Hackers usually generate fake competitions in which victims have to confirm a code sent via text message and enter it on a website in order to receive an alleged prize. The hackers can create an eSIM using the password, login and verification text message and then receive all text messages and phone calls that are sent to the victim's number.

Even if the potential damage seems minor at first glance, the consequences may nonetheless be serious:

First access to the email account, then to the Apple account, then...

In a further step, the hackers attempted to gain access to the victim's email account. With many email providers such as Yahoo or Gmail, it is not only possible to reset the password via an alternative email address, but also via text message sent to the mobile phone number. Once a hacker has access to incoming text messages containing a verification link, as was the case here, they can take over the email account.

The hackers were also able to see from the data in the telecoms provider's customer portal that the victim was using an iPhone. They could therefore assume that the victim also had an Apple account. Having already gained access to the email account and the text messages sent to the victim, they were also able to gain access to the Apple account and all the associated functions, including backups stored in the cloud. The hackers stored the backup to one of their own smartphones, which gave them more information about the apps used by the victim. They then gradually tried to compromise other accounts.

Hackers usually focus on standard services such as Facebook, Instagram and other social media channels, which the majority of smartphone users have installed. In this case, however, the backup gave the hackers a precise overview of all the apps installed, so they could see that their victim had installed several apps for managing crypto accounts. With this information, they were able to reset the account passwords and get hold of the numerical codes for the two-factor authentication of the authenticator apps. In this case, damage totalling over CHF 20,000 was caused simply because a password for an apparently non-critical internet service had been entered on a phishing site.


  • Wherever possible, install two-factor authentication. This offers an additional layer of protection to prevent your account from being hacked.
  • Never divulge personal data such as passwords or credit card details on a website that you accessed by clicking on a link in an email or text message.
  • Bear in mind that email sender IDs can easily be spoofed.
  • Use passwords with at least 12 characters, consisting of upper and lower case letters, numbers and special characters.
  • Don't use the same password more than once.
  • If possible, use different email addresses for different purposes.

Last modification 14.05.2024

Top of page