Nowadays, it is almost mandatory to enable two-factor authentication (2FA) on all your internet accounts, whether they are social media or other services that you use.
We have already explained everything here about what it is and how to install reliable apps that manage this:
➽ Two-step verification: using an authenticator app
However, scammers are publishing suspicious apps that induce users to set up 2FA in them, exposing their data and charging them for it on top of that.
And this week, Apple decided to clean up its App Store.
We’ve already given a short list of good 2FA authentication apps. They are the most reliable, and there is no reason to try other apps that suddenly appear.
Last week, the new Twitter announced that it would start charging those who authenticated their account via SMS.
To those less familiar with technology, this sounded like a bad thing. The result was an explosion in searches for alternative authentication apps, which gave scammers an opportunity to take advantage of the moment.
SMS authentication is insecure
For some time now, there has been a consensus that using SMS messages as one of the authentication factors is quite insecure. This is because an attacker can steal the number and move it to another SIM card (the infamous SIM swap), and because someone who steals your phone can read the code.
Therefore, it is a good initiative for Twitter to make it harder to use this method, giving space to authentication apps.
However, this has generated a frantic search in the App Store by people who had never heard of two-factor authentication before.
But this is where the danger lies.
Apps that steal 2FA
A security expert noticed several similar apps that claimed to offer 2FA authentication, published by different developers, but which turned out to be identical when opened.
All these authenticator apps are free and offer in-app purchases. You install them to discover that you can’t scan any QR code until you subscribe, $40/year with 3 days free trial. The apps are very similar.
The expert suspects that these are “white-label” applications (that is, developers buy the basic code and customize it with their own brand), which many are using just to make money from inattentive users.
The very fact that an authentication app charges for its operation (while Google offers a secure and completely free alternative) is already quite questionable.
And the worst part is that these apps send the authentication QR code to a remote server, which means that this second factor of authentication is no longer an effective protection, as it is accessible to other people.
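Why a copied QR code defeats the second factor, shown as an added example that is not part of the original article: it assumes the common otpauth:// TOTP enrollment format and the RFC 6238 algorithm, and the account name, issuer and secret (the RFC's published test key) are constructed sample values. Whoever holds the QR payload derives the same codes as the phone, because nothing device-specific goes into the calculation.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: what a 2FA enrollment QR code decodes to.
# The secret is the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/ExampleSite:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite"
    "&digits=6&period=30"
)

def parse_otpauth(uri):
    """Extract the TOTP parameters carried in an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore stripped padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }

def totp(params, unix_time):
    """RFC 6238 TOTP with HMAC-SHA1: inputs are only the secret and the time."""
    counter = struct.pack(">Q", unix_time // params["period"])
    mac = hmac.new(params["key"], counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** params["digits"]).zfill(params["digits"])

def code_from_qr(uri, unix_time):
    """The code any holder of the QR payload computes for a given moment."""
    return totp(parse_otpauth(uri), unix_time)

if __name__ == "__main__":
    # Same payload, same time -> same code, on the phone or anywhere else.
    print(code_from_qr(SAMPLE_QR_PAYLOAD, 59))
```

Because the secret in the QR code never changes, an account enrolled through one of these apps stays exposed until 2FA is removed and set up again with a trusted app, which makes the service issue a new secret.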
Apple cleans up
After the case received attention, Apple finally took action and on Thursday morning began cleaning up several of these apps, removing them from the App Store.
However, many of these fraudulent apps are still available.
Enabling two-factor authentication is very important, but it is crucial to use only reliable apps to perform this authentication.
Read through our complete article on two-factor authentication and check out the list of reliable apps for it.