One-Time Code Contradiction: When to Share and When to Beware
- Added 26. 06. 2024
- ✏️ You're told not to share your one-time two-factor or other authentication code. And then you're asked for it.
✏️ To share or not to share that code
Although one-time codes are meant to enhance security, scammers exploit the contradiction of being asked to “never share this code” when we do need to enter the code with the site we’re signing in to. Key advice: only enter codes on official sites; never share them over the phone.
Updates, related links, and more discussion: askleo.com/171041
🔔 Subscribe to the Ask Leo! CZcams channel for more tech videos & answers: go.askleo.com/ytsub
✅ Watch next ▶ Why ANY Two-Factor Is Better than No Two-Factor ▶ • Why ANY Two-Factor Is ...
Chapters
0:00 Share one-time code contradiction
0:30 To share or not to share that code
1:25 Normal use: signing in
2:00 Normal use: extra security
3:45 Basic scam: the phone call
6:00 Bonus scam: phishing
❤️ My best articles: go.askleo.com/best
❤️ My Most Important Article: go.askleo.com/number1
More Ask Leo!
☑️ askleo.com to get your questions answered
☑️ newsletter.askleo.com to subscribe to the Confident Computing newsletter.
☑️ askleo.com/patron to help support Ask Leo!
☑️ askleo.com/all-the-different-... for even more!
#askleo #2FA #authentication - Science and Technology
✅ Watch next ▶ Why ANY Two-Factor Is Better than No Two-Factor ▶ czcams.com/video/2DNJqjGLHR8/video.html
This is why having an email address/phone number as a user name is so bad!
I screen my calls with an answering machine, phony phone callers give up when they realize they have to talk to a machine and not me. They don't want to waste their time leaving a recorded message that I will delete and ignore.
There's also authenticator app 2fa as well, which is what I use. SMS and email 2fa are not the only one-time code based 2FA methods.
Codes made by an app are proof that you have the secret you were given at setup.
Very informative videos
Thanks
Always confirm the actual phone number for the service and contact the Tech Support of the company. If the number is different from the website, it’s a scam.
Not too long ago I changed account types at BOA and they sent me a code and asked for it so they could access my account. Alarm bells went off but since I initiated the call I went ahead and told him the code. I would never do this if I was replying from an email or phone call I did not expect. Also I NEVER click an email link to go to a site and log in, nor should you.
No worries. I don't have a phone.
Ok. I’ll stop worrying. Now I can sleep.
If I got that type of message for a code, I would immediately delete it and contact the site.
There's a bank where I live which has an unusual way of verifying it's you
When you try to sign in or make other changes (such as resetting security information, which includes a password and what they call “memorable information”, which is kinda a second password, but they only ask for 3 characters from it each time you sign in, presumably to reduce the risk of someone watching you sign in, then gain access to your account at a later time)
They then do things a bit differently with the 2 factor part of it
When signing in, once you have entered your username, password, and the 3 random characters, they then display a code on your computer screen, then have a robot call you on a number you have registered on your account (if you have more than one registered number, you can choose which one it calls) and ask for the code (which you can either dial in to the phone, or speak the code)
Edit: the robot first says something like “this is an automated call from [bank], if you are expecting this call, please press the # key”
It's hard to imagine people being confused at this process! Stupid seems to be the new norm!
I would describe it more as an ignorance of proper security protocols. Scammers also target the elderly who might be infirm and are just hoping they'll receive a call from a family member and excited to talk to anyone. It’s probably best to allow any noncontact call to go to voicemail. For elderly relatives maybe help them out and configure their phone not to ring when a noncontact calls. Be sure the elderly relatives know not to respond to any of these noncontact voice mails but to instead call the number on their ATM/CREDIT card or account statement.
As numbers can be spoofed, I always opt out of phone call contact from my financial accounts. If you do get a call, verify the company and call them using your ATM/CREDIT card.
AWESOME TOPIC! Thanks Leo.
@knutblaise9437 I'm one of the old farts, a year away from 80! But I'm VERY suspicious!
Great topic thanks
Certainly. Look who people vote for.
So this is not 100% accurate. There are instances where _it is_ legitimate to give the codes over the phone. Sometimes, if you call into a company they will send you a text to verify that it is you. In that case, it is OK to provide the code as long as the text *does not say* not to share the code, and that you were the one that initiated the call to the company at a known number of the company. Do not share the code under any other scenarios over the phone. When the company expects you to give them the code back over the phone they will not include a do not share indication in the text message.
If you have called a number listed on your ATM/CREDIT card, you could be asked for a code for identity verification.