Voice Bots Are Coming for Your Passwords

Press 1 to reveal your information

Key Takeaways

  • Authentication codes are being hacked by voice bots that call and ask for your information. 
  • The hackers can use the codes to break into accounts ranging from Apple to Amazon. 
  • Don’t send personal information via text, and hang up on any calls that insist that you hand it over, experts say.

You might want to be more careful who you talk to on the phone. 

Hackers are using sophisticated voice bots to steal passwords. The attackers are increasingly targeting the two-factor authentication codes (also known as 2FA) that are used to secure everything from Apple to Amazon accounts. 

"Voice bots are so good that users can easily believe they are authentic, especially when it appears to be helping by stopping malicious activity, such as a suspicious purchase," Joseph Carson, of cybersecurity firm ThycoticCentrify, told Lifewire in an email interview. "Unfortunately, in reality, hackers are stealing your money."

Chatty Bots

Hackers use customized bots to make automated calls asking for your temporary password, Jonathan Tian, the co-founder of Mobitrix Perfix, an iPhone solution, told Lifewire. Some bots make you think you're talking to an actual customer service rep before asking for your code. The issue was recently highlighted in Motherboard.

"The hacker may easily connect to your account and perform transactions or whatever they want once you submit the verification code," Tian added. 

An attacker using a bot can get their hands on a compromised account list that contains emails, names, and phone numbers, cybersecurity expert Steve Tcherchian told Lifewire. The hacker can then try to log in to services like Amazon or Google. Clicking the 'reset password' link will trigger a text message sent to the unsuspecting owner. 

"The attacker then calls the owner using a bot saying their account has been compromised and to enter the code sent to their phone to validate their account ownership," he added. "When the owner enters the code, the thief now has the missing second factor to compromise the user's account."

Experts say that hacker voice bots are a growing problem. 

"There are far more voice bots on the market now than there were ten months ago—although they remain an expensive investment," privacy expert Hannah Hart told Lifewire. 

Bots can imitate all sorts of services for the hackers that do pay the price, meaning there's potential for a broad swathe of customers to be contacted and duped into handing over a 2FA code or OTP (one-time password), Hart said. 

Because the voice bots don't require hackers to be exceptionally skilled at using social engineering techniques, anyone could feasibly use one, "so it's likely that we'll see copycat hackers who want to try their luck," Hart added. 

Fraud and cyberattacks of all kinds have rapidly increased in recent years, Bob Lyle, a senior VP at cybersecurity firm SpyCloud, told Lifewire. And criminals' use of stolen credentials has grown increasingly sophisticated. 

"One major challenge is a lack of understanding the threat," he said. "Because of the proliferation of telemarketing scams and automated calls, many consumers assume their phone number has already been compromised without realizing how it could be used to access their accounts."

Protecting Yourself

There are ways to keep voice bots from stealing your precious security codes. 

Never enter your 2FA code unless you initiated the request, Carson said. He also suggests that you always be suspicious of any request that asks for your 2FA code that you did not expect.  

"Make sure you periodically change your passwords and use a password manager to help you create unique long, strong passwords for each account," he added. 

Don't send personal information via text, and hang up on any calls that insist that you hand it over, Hart said. Instead, check out the service directly to keep tabs on your account activity and report any suspicions or concerns to the customer care team.

"It's also well worth spreading the word to friends and family about these nasty hacking attempts," Hart added. "After all, we could all find ourselves targeted by a would-be scammer, and it's not always easy to determine whether an automated system is legitimate or not."
