Walk me through the chain you’re thinking of. I want to understand it better.
If you’re thinking that - for example - someone is attempting to log into my account online and simultaneously call me pretending to be the bank. They are presented with an MFA check and tell me they initiated it. I give it to them unwittingly, and note they are in.
My understanding is that isn’t possible here, because this “MFA check” is different from the login one. The login one is the “Google Authenticator, 6 numbers”. This is a different code entirely. Obviously I didn’t specify that in the original post. My bad.
If that wasn’t what you were thinking and you can think of how this fails, I need to know and learn more!
Well, if I wanted to get into your account, apparently I just call the bank and then call you. Any time they ask me something I ask you the same thing and pass it along to them, and you'll faithfully tell me. They trigger the codegen and ask me to read it back and I ask you and you happily tell me. Then I "confirm your account is safe" to you, and continue my call with the bank except now I've authenticated as you.
The scammer calls the bank rather than trying to log in. When calling, they will be asked to verify with info and the code, which they will get from you. Think MITM, but telephone based. The verification info (maybe just a zip code or last 4 of SSN or something publicly available) can be acquired beforehand, so they only need the code to be relayed. Obviously they have to get the timing right, so you might be on the phone for a few minutes before they find a reason to ask for the code.
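A model of the relay the two replies describe, added here as an example and not part of the original thread. It contrasts the "agent types what the caller reads back" design with one where the code is accepted only from the customer's own authenticated app session and the approval screen shows the caller ID the bank recorded for the request; all names, numbers and the `Bank` class are constructed.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Bank:
    # pending challenges: code -> (customer, caller ID the bank recorded for the request)
    pending: dict = field(default_factory=dict)
    verified: set = field(default_factory=set)

    def issue_code(self, customer: str, caller_id: str) -> str:
        # Agent triggers a code for `customer`; the inbound call's caller ID is recorded.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (customer, caller_id)
        return code

    def verify_readback(self, customer: str, code_typed_by_agent: str) -> bool:
        # Weak design: the agent types whatever the caller reads back, so a
        # code relayed from the real customer is indistinguishable from the real thing.
        entry = self.pending.pop(code_typed_by_agent, None)
        if entry and entry[0] == customer:
            self.verified.add(customer)
            return True
        return False

    def verify_in_app(self, app_session_customer: str, code: str) -> bool:
        # Hardened design: only the customer's authenticated app session can
        # submit the code; the agent console has no field for it at all.
        entry = self.pending.get(code)
        if not entry or entry[0] != app_session_customer:
            return False
        self.pending.pop(code)
        self.verified.add(app_session_customer)
        return True


def customer_decides(customer_phone: str, request_origin: str) -> bool:
    # The app shows the caller ID the bank recorded before the customer submits.
    # A request "from" a number that is not the customer's own phone should not be approved.
    return request_origin == customer_phone


def relay_scenario(hardened: bool) -> bool:
    bank = Bank()
    victim, victim_phone, scammer_phone = "alice", "555-0199", "555-0100"  # constructed
    code = bank.issue_code(victim, caller_id=scammer_phone)  # scammer is on the line with the bank
    relayed = code  # on the other line, alice reads the code out to the scammer
    if not hardened:
        return bank.verify_readback(victim, relayed)
    agent_attempt = bank.verify_in_app(app_session_customer="agent-console", code=relayed)
    _, origin = bank.pending[code]
    if customer_decides(victim_phone, origin):
        return bank.verify_in_app(victim, code)
    return agent_attempt  # False: nothing the relay produced is accepted
```

Caller ID can be spoofed, so the displayed origin is a hint for the customer rather than proof; the stronger property is that nothing the agent types is ever accepted as the second factor.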