Interesting article by Brian Krebs (here) about a social engineering fraud which obviously uses “human as the weakest link” but also some aspects of “using security to defeat security” itself.

In very few words, the scammer calls by phone the victim and asks the victim to prove to be the rightful owner of her/his bank account by providing the username and a code that she/he will receive as a 2nd factor authentication code. What the scammer is actually doing with the username and the 2FA code is to reset the password of the victim’s bank account and then to transfer some money out of the bank account. 

What goes wrong here is, first, that the victim should identify the caller, not viceversa, and that the victim should never divulge to a person a 2FA code. Thus by abusing the human weakest link and a “secure” reset password process, the scammer manages to perform the fraud.

On the technical side, one should be very careful on evaluating security risks associated to a self-service reset password process, including social engineering attacks like this one.