To stop hackers from breaking into online accounts, Google is going to start using the Bluetooth functionality on users' smartphones to verify that a login is legit.
The company announced the effort at Google I/O on Wednesday, citing the threat of more advanced phishing attacks from hackers.
To stop such attempts, you can set up two-factor authentication on an online account. This requires anyone logging in to supply both the correct password and a one-time passcode, which is usually generated on the user’s smartphone.
However, Google says more hackers are coming up with ways to beat such two-factor authentication systems. In some cases, the culprits will try to trick users into handing over the one-time passcode by sending a fake text message from the account provider, such as Google.
In other cases, the attacker will direct the user to a fake website that’s capable of stealing and then re-using the login credentials, including the two-factor code, from a victim in real time.
“In these attacks, a user thinks they're logging into the intended site, just as in a standard phishing attack,” Google wrote in a blog post. “But instead of deploying a simple static phishing page that saves the victim's email and password when the victim tries to login, the phisher has deployed a web service that logs into the actual website at the same time the user is falling for the phishing page.”
These phishing attempts underscore a vulnerability with traditional two-factor authentication systems: A savvy hacker can still remotely trick the victim into solving any authentication challenge during the login process.
In response, Google says it’s come up with a promising solution, which requires anyone logging in to your online account to