After Replacing FBI Devices Two Times, the Bureau Still Fails to Collect 10% of Agent Text Messages
Today, DOJ’s Inspector General released its report on the efforts it made to restore all of Peter Strzok and Lisa Page’s text messages. The report is actually better used to illustrate something else: three years after the FBI began responding to its failure to collect all of the texts sent or received using FBI-issued phones, and after twice upgrading the phones Agents get issued, the Bureau still fails to retain 10% of the texts that Agents send and receive.
With regard to Strzok and Page, the report describes the efforts it made to obtain all their texts, which include:
- Obtaining both the Samsung (Galaxy 5, then Galaxy 7) phones they used during this period, as well as the iPhones issued for their brief stint in Mueller’s office, the latter of which neither appears to have used
- Using the existing collection tool, which included big gaps for key periods of interest
- Asking DOD’s Computer Forensic Lab for help
- Searching the Enterprise database, which found a bunch more texts, for reasons no one could explain
- Hiring an outside Android consultant, who found 62 additional text messages
The upshot is, FBI doesn’t know whether they recovered all Strzok and Page’s texts, and doesn’t know why they didn’t, if in fact they didn’t.
And we’re only learning this because the two of them decided to conduct an extramarital affair on their FBI-issued devices while serving on the two most high profile investigations in recent FBI history.
Which raises the question: is this also true for Agents investigating defendants without the clout of Hillary Clinton or Donald Trump? If necessary, would the FBI be able to find their texts?
The answer is, maybe not.
Here’s what this report says about FBI’s retention rules, generally.
First, important texts are retained by policy, not (technologically-assisted) procedure. So the country’s premier law enforcement agency ensures that important law enforcement related texts are retained by saying anything covering these topics must be retained:
- Factual information about investigative activity
- Factual information obtained during interviews or interactions with witnesses (including victims), potential witnesses, experts, informants, or cooperators
- Factual discussions related to the merits of evidence
- Factual information or opinions relating to the credibility or bias of witnesses, informants and potential witnesses; and
- Other factual information that is potentially discoverable under Brady, Giglio, Rule 16 or Rule 26.2 (Jencks Act)
But it’s up to the Agents to do that. And if they don’t for some reason, they’re instructed to ask the Enterprise Security Operations Center if they retained them. But the ESOC is not mandated to retain texts. They happen to, but it’s not tied to any mandate to retain substantive communications required to be saved by policy.
The ESOC has a tool, by a vendor whose name may not even appear in redacted form in this report, that “wirelessly collect[s] text messages sent to or from FBI-issued mobile devices.”
As the FBI’s response to this report reveals, the Bureau has known for some time that that tool didn’t collect everything, because they’ve told the OIG that on two prior occasions.
Prior to the OIG’s investigation into the FBI’s actions in advance of the 2016 election, during at least two unrelated investigations, one of which dates back to 2015, the FBI made the OIG aware of gaps in FBI text message collection capabilities.
As DOJ IG was trying to puzzle through why they couldn’t find all of Strzok and Page’s texts, the unnamed vendor got squirrelly when asked how the retention tool interacts with administrative privileges.
Upon OIG’s request, ESOC Information Technology Specialist [redacted] consulted with the FBI’s collection tool vendor, who informed the FBI that the collection application does not write to enterprise.db. [Redacted] further stated that ESOC’s mobile device team and the vendor believed enterprise.db is intended to track applications with administrative privileges and may have been collecting the logs from the collection tool or another source such as the Short Message Service (SMS) texting application. The collection tool vendor preferred not to share specific details regarding where it saves collected data, maintaining that such information was proprietary; however, [redacted] represented that he could revisit the issue with the vendor if deemed necessary.
Maybe it’s me, but I find it pretty sketchy that this unnamed collection tool vendor doesn’t want to tell the FBI precisely what they’re doing with all these FBI Agents’ texts. “Proprietary” doesn’t cut it, in my opinion.
In any case, the FBI started trying to fix the problem in 2016. At the time they started, they were losing 20% of the texts sent and received. Two upgrades of Samsung phones and a fix to a “bug” later, they’re still not collecting 10%.
During calendar year 2017, the FBI phased out use of the Samsung Galaxy S5 devices by its employees and replaced them with Samsung Galaxy S7 devices because of software and other issues that prevented the data collection tool from reliably capturing text messages sent and received via FBI issued Samsung Galaxy S5 mobile devices. According to FBI’s Information and Technology Branch, as of November 15, 2018, the data collection tool utilized by FBI was still not reliably collecting text messages from approximately IO percent of FBI issued mobile devices, which included Samsung S7s and subsequently issued S9s. By comparison, the estimated failure rate of the collection tool was 20 percent for the Samsung S5s.
The FBI’s tech folks provided these explanations for why the tool by the unnamed vendor still doesn’t work.
- In calendar year 2016 the collection application vendor reported a “bug” in a version of the collection tool which caused the application to stop collecting text message or log data. This application version was replaced by a newer version that corrected the issue in March 2017.
- Errors during the initial installation of the collection application, such as misconfiguration during setup.
- Errors in the collection application’s ability to send text message data caused by software updates or operating system updates on the mobile device itself.
- Hardware errors, such as the device not being powered on, being located in a poor cellular signal area, or being located in an area with no cellular service.
Among the other excuses FBI offers for implementing a fix to a 20% failure with one that still results in a 10% failure is to say, “complete collection of text messages is neither required nor necessary to meet the FBI’s legal preservation obligations” (which goes back to how they’re requiring retention via policy, but not technologically-assisted procedure). The FBI also says that it “is not aware of any solution that closes the collection gap entirely on its current mobile device platforms,” which makes me wonder why they keep buying new Samsungs if the Samsungs aren’t serving their needs? Aside from the question of why we’d ask FBI Agents to use less secure Korean phones rather than more secure American ones (note, Mueller’s team is using iPhones)?
This story, like so many with the hoaxes that Republicans have ginned up to try to delegitimize the Mueller investigation, seems to be the big story, not what Strzok and Page sent themselves two years ago (the IG Report concluded the non-discoverable texts did not cover one subject area, so weren’t by themselves suspect, and doubted either Strzok or Page had the technical capability to selectively destroy only incriminating texts).
The FBI is an agency that routinely demands that people respond to subpoenas by pulling all the relevant texts on a given subject. If you were to fail, they would at least consider whether your failure to do so amounted to obstruction. But they don’t guarantee they would be able to meet that same standard — they’re happy with their 10% failure rate, apparently.
And while it is an interesting topic for Strzok and Page and Donald Trump’s attempts to claim Witch hunt! it’s the instances where criminal defendants are asking the FBI to search for relevant texts among agents (in just one example, MalwareTech asked the FBI for texts between Agents surveilling and then arresting him in Las Vegas, but got nothing) that I care about. Because if you only aspire to 90% retention, and if you attribute any failure to do better to an individual Agent’s failure to meet a policy (but how would you prove it, if the point is that a given text no longer exists to be discovered?), then you’re pretty much ensuring that you can’t fully comply with discovery requests from defendants.
Apparently, the FBI seems okay with that.
I can recall high school classmates trying a version of this argument on our math teacher when they got seriously marked down on their homework. Maybe if they had phrased their response to the teacher like “I prefer not to show you my work – it’s proprietary,” they would have gotten better grades.
Or, more likely, the conversation between the calculus teacher and the government teacher in the teacher’s lounge would have been filled with lots of laughter.
More seriously, if a vendor wants a contract like this, the obligation is on them to show that they can meet the terms of the contract. If the contract says “all text messages,” then 90% is a failure, and the government should be able to demand to know exactly why they failed.
Vendors should learn that failure like this will result in an unrefusable “Show me the code . . .” letter.
I just wallposted a detailed breakdown of the errors described in the article and what it likely means as far as the FBI being able to get to 100% compliance and it appears to have evaporated. Do you need to have a login to do a top-level reply?
Tech Support needs some tech support. :-/
Sometimes if a comment is really long, it sits in moderation. Break it up in two parts or try to edit it down.
I don’t see it in moderation.
You mean the government has the same one-sided contract relationship with vendors that the rest of us do?
Looks like the government procurement office failed to read the fine print in the Software and hardware suppliers’ service use agreement.
“In the event of catastrophic data loss or compromise, ________________ can’t be held legally responsible for anything except initial individual item purchase price and customer is required to pay return postage; unless package has been opened, in which case this warranty is void, Too bad suckers, you trusted us again because we put so much confusing verbiage in the service use agreement that even tech experts tire of trying to figure out what is and isn’t relevant; and incidentally the data we collect from the spyware surreptitiously installed in our state-of-the-art labor saving devices is only available to us and the commercial applicants with whom we share the data, but definitely don’t sell.”
We have seen the enemy, but unfortunately, due to federal, state and local regulations applicable to proprietary information copyright laws, are unable to reveal any further information.
Shorter software explanation:
Fast, secure, user-friendly, cheap.
Choice is limited to one!
So, the FBI IM data retention process fails to record 20% of the messages (what about phone records?). The Bureau, it claims, fixed half the problem at some unknown cost. Doctor, we’re happy that you have cut by half the number of newborns you drop on their heads at birth, but could you try a little harder?
And, no, indeed, “proprietary” does not cut it here any more than it cuts it when it comes to voting machine software, communications protocols, and data storage. All of those processes should be known and subject to debate and oversight by the government.
For one reason, it’s paying for all. More importantly, how well that information is recorded, stored, and handled is an essential tool in evaluating whether and how well we are maintaining our system of government. That should rank first on the priority list.
In my former life as a Fed @DoN, our rule was to never put anything in any sort of digital format that would embarrass you or the outfit on the front page. Nevertheless many, many did. Including my boss who made a gaffe in email about his biggest job being to ensure his Adm was promoted. Definitely not politically correct.
Tech savvy (I owned a CBT group at one point in the early oughts) but deeply suspicious since before Snowden, I have never had a FB or other SM account. I had a flip phone until very recently (couldn’t find a battery). My 1st text was a couple of months ago.
So I marvel at the sheer recklessness that almost everyone I know has with these devices.
An affair on your Gov phone for folks supposedly assigned to Counter Intelligence who were familiar with surveillance capabilities seems imbecilic.
True – I’ve seen the same behavior on private corporate networks – but does that make the judgment of these two exceptional or the norm?
More importantly, and despite spending billions, the Bureau has lagged in computer use, telecomms, and digital security for decades. Will it ever get up to speed? (It won’t with vendors who hide what they’re doing and how well.)
Normally stupid, lol.
I could tell you many horror stories (some I would have to kill you after) about DoD tech too. And don’t get me started about contractors.
I couldn’t possibly comment on percentages, but I agree that it’s absurdly common by people who should know better, and are regularly reminded about FOIA, Congressional requests, and lawsuits.
I have a very strong feeling that we’ll be seeing the exact same issues coming up when the House starts demanding texts and other electronic communications from Trump’s people and folks like Pruitt. And while a lot of White House communications may not be required to be shared with the House, I’m sure the House will also be digging into whether they are being archived as required by law.
I recall going through the official corporate records-retention class – annual – and being relieved that very few of my emails would qualify as “records” under their rules. (We also got an annual introduction to anti-trust legalities, at the non-lawyer level, and that was something else I was greatly relieved to not have to deal with at my level.)
This seems like a BFD. NBC confirms Trump was in the room with Cohen and Pecker to discuss means (payments, etc.) in support of Trump and campaign in 2015.
https://www.nbcnews.com/politics/justice-department/trump-was-room-during-hush-money-discussions-nbc-news-confirms
Link that works:
https://www.nbcnews.com/politics/justice-department/trump-was-room-during-hush-money-discussions-nbc-news-confirms-n947536
Chief of Staff Jared Kushner? Might as well. The Bureau of Prisons might not have set up a family wing before, but there’s no time like the present to try something new.
But who will take over Jared’s current portfolio? He has more on his plate than Mike Pompeo.
High tonite. Low tomorrow. Precipitation is expected.
(h/t Tom Waits)
Or to quote Robert Cray, the forecast calls for pain.
Anytime is a good time for Tom Waits and Robert Cray.
I second the motion!
This one right now:
Tom Waits – “God’s Away On Business”
break/https://www.youtube.com/watch?v=W9mhsW5aWJM
I’d sell your heart to the junkman Baby, for a buck, for a buck
If you’re looking for someone to pull you out of that ditch
You’re out of luck, you’re out of luck
Ship is sinking
The ship is sinking
The ship is sinking
There’s leak, there’s a leak, in the boiler room
The poor, the lame, the blind
Who are the ones that we kept in charge?
Killers, thieves, and lawyers
Ohhh, I definitely feel some Albert Collins coming on. If Jared thinks he’s going to clean up the old man’s kitchen he’s gonna end up singing “Too many dirty dishes”.
While Kushner as COS would be hilarious, it would not be quite as hilarious as Gingrich.
Maybe the two of them can split the job.
I’m wondering who Person-1 and Person-2 are, in Butina’s plea papers. Person-2 seems to have expected to be close to the White House, no matter who won – which implies either senior in Congress or a big name in DC.
“as of November 15, 2018, the data collection tool utilized by FBI was still not reliably collecting text messages from approximately IO percent of FBI issued mobile devices”
IO, not 10.
Since texts within the agency would create two copies that could be recovered, I wonder whether that 10% actually represents a higher failure rate, or if it is actually lower than that number.
I just want to know if the iMessages are covered by some kind of Apple institutional contract now…
The filing was said nothing could be recovered from wiped iPhones as a fact. This doesn’t rule out an archive of SCO iMessages for each user name and the IG saying no harm, no foul because the device can’t be shown *not* to match the archive.
I’m not a terribly good programmer. But I could code something in my sleep that wouldn’t send a message to the recipient until it was recorded in two different databases. What we’re discussing here is absolute, complete steer manure.
It really makes me wonder about the grade of the vendor. Jeez, most of the low rent spyware available would do a better job of capturing whatever was sent from a given phone.
Maybe the 10% missing messages are a miscount, including things like messages begun but not sent, or messages sent To: people who are gone, or some similar rabbit-hole that is overlooked.
OT would one of the IMAL be very kind and explain to this IANAL the difference between the protections that the system provides for Weisselberg, AMI, Cohen and Flynn, all seem different to this IANAL.
OK, some of these issues are probably obvious, even to a dunderhead like me, but FMD when dealing with the legal system, some do not…
Txs
My second comment here. I am amazed at the depth of ability of Ms. Wheeler and knowledge of the commentators here. I can’t keep up with y’all.
I lost my reëlection to my village board (city council) by two votes to a write-in candidate. (That’s a whole different story.)
In my time on the board, I have always used my wife’s Website for my official E-mails to state and county officials, because I was not provided with a government account. Thus, my personal E-mail and official E-mail are mixed from the same account. (That said, I am not embarrassed by stuff I put in private E-mail.) I used to troll our Republican county prosecutor about using a private E-mail server for government business (ala Hillary Clinton).
This idea of using official accounts or equipment for private messages doesn’t make any sense to me; when I was in the US Navy I had official accounts and the last thing I would have done is sent a personal message from any of those accounts. Apparently growing up in the age Before Internet (BI) I learned different things about using it than people who came after me. (Perhaps that’s why the majority of my communications with friends and family are still by my rotary-dial landline and physical letters—You couldn’t pay me enough to get an account at Faceborg or Twitplace.)
I worked in information technology as a software developer. My last nearly 20 years was in state level environmental protection regulatory data capture work. Obviously I also worked with EPA as our data was required to be reported to EPA. I was shocked to learn that EPA’s data staff was nearly 100% contracted staff, and more shocked when the folks I was working with were all gone one day, as their consulting company had lost the contract, having been underbid, I guess.
My agency hired many contract software staff, most were foreign educated and highly skilled, dedicated to doing a great job for us. We caught a lot of static from political appointees for hiring these excellent foreign-born non-citizens, and worked to hire native white boys to lessen the attacks on our recruiting style. Those guys were procured to create a web-based development platform that all the software team could use to create a high-level online web based system for use by permit applicants to enter complex scientific and engineering data relating to very complex environmental permits for major industrial facilities
After months of work, they were discovered to have spent their time building a commercial web auto dealer system instead, and were fired. We wanted to prosecute them for their acts, but doing that would have stopped all work on all systems by all the other software teams. Depositions, testimony, etc. So management decided to just send them away. We also had a couple employees who turned out to be not capable of doing work as software developers; they could talk about it, act like they were doing it, make progress reports as if they were doing it, but no actual working code was ever ready to implement into a system
My point here is that there is a lot of variety in ability and dedication among contractors and employees. Software development is among the most difficult of technical things to do well — it is still as much a black art as it is a well developed engineering effort. But for huge government agencies to rely on contractors to go away and come back with a turnkey system is pretty much worst case method for getting a well designed, usable, flexible software tool. In my long experience, the user community is an essential member of any real development team, because they know the problem set.
For DOD, DOJ, EPA, etc to do a huge bid proposal to undertake support of their software and hardware requirements, then pretend to evaluate those bids, to determine which company will actually be the best source for the project AND be the least expensive vendor is completely absurd. They need to stop the gushing flow of money to giant contract houses and actually hire people with a real track record to manage development and acquisition, and those people need to be free to hire people they are convinced can do the work, as employees.
It is never cheaper to use a external contract house, because they must add a terrific profit margin to the cost of hiring a person. Plus they have built in operating expenses of their own before that profit margin kicks in. So the cost of an employee is at least double as a contractor. And it’s two years before you can be sure that contractor is actually capable of working at a high enough level to get what is needed created. And then a new contractor wins the bid, and all your institutional knowledge is gone as though it never existed.
No wonder the FBI can’t capture their employees’ texts and emails, they have contractors attempting to do that work. Wonder why they don’t use contractors to actually do the investigation work? I’m sure there are great reasons not to do that, many of them, and well considered.
Those reasons also apply to doing the IT development and support, both software and hardware. Having some stranger who doesn’t work for your organization performing mission critical tasks for you is never going to be a good thing, ever. And that’s why the FBI doesn’t use contractors for investigations. Why they don’t connect that to their IT problems? Well, some folks just never make the connection, even when it’s so obvious to me.
Excellent comment, thanks. I imagine that, at times, those selected for contracts also have had lobbying efforts behind them, which doesn’t make competence a guarantee either.
I was a contract employee at a major utility company – they were, at that time, using long-term temps to do jobs that they didn’t want to have to hire permanent employees for (and then find spots for them after that project was done, because it involved about 80 temps). That company still uses outside contractors, but they’re restricted to a year of work, unless they’re really good at it, when they can be picked up as independent (inside) contractors, which puts them on the second-class payroll list (that’s the one with paid holidays and vacation, but not paid sick time). Some of the people turned out to be so good that we all said “hire this one” – and sometimes they did that. A few turned out to be incapable, and one was a BS artist, who couldn’t do the job and had lied about qualifications. I understand that the premium that they paid to agencies was 25 to 30% over the pay the temp got. (I did two stints as a long-term temp for them – totaling about 12 years – and had more knowledge than a lot of permanent employees. I then got several years as an inside contractor, which gets me a teeny pension payment each month.)
What you describe is not limited to software development but has spread throughout the federal government. It is a result of an unshakable ideological belief that small government works better than large government. For a few ultra-rich people, this may even be true.
Some of me thinks this is just a smoke screen.
Regardless, surely they can just call over to the NSA, who has everything.
Dear Lawfare Blog, “the dossier hasn’t been disproven” is a stupid thing to claim. That’s not the way burden of proof works in law or logic.
For fuck’s sake, stop embarrassing yourselves.
Like Emptywheel, I find Lawfare Blog to be informative, relevant and another great blog to use to get a handle on what is going on with Trump (although the blog is more general in nature and focused on International Law). Regarding the Steele Dossier article from today, the authors revisit the Dossier and compare the info in the Dossier to what is now out in the public domain. The general gist the authors make is that the Dossier is similar to a FBI 302 and it is holding up well over time, contrary to what one hears on Hannity, Levin and other Right Wing Radio Programs. Yes, much in the Dossier has not been collaborated, but that is due in part to the natural unwillingness of intelligence agencies to release sources of information, not because it is untrue. It seems to me, with every passing month, Mueller’s indictments are proving that the Steele Dossier is a credible document.
I love Lawfare, don’t get me wrong. But, “nothing has been disproven” is a logically stupid statement. That’s not the way the burden of proof works. You cannot disprove that there isn’t a giant dragon in my garage.
In response to Vern:
“Trump was in the room”? Come on talking heads, FFS! When has Trump ever been in a room when he just sat there like a Mike Pence eyebrow only reaction doll? He was in the room for a reason. He summoned everyone else in the room to put his mighty words into action. Shouldn’t the revelation state the obvious?
“Trump dominated the conversation, as always, making everything about him, his campaign, his attempt to right the wrongs perpetrated on the poor, blue collar, salt of the earth working class white people, so loved by the Blue Collar Billionaire that he sacrificed his only real estate empire so that whosoever believeth in him shall not falter, but through faith and belief in the master enter unto eternal prosperity.”
The real purpose of this and every other Trump meeting was to control the narrative and steer the message to how wonderful Donald J Trump truly is.
How could a few lowly women be permitted to bring down God’s chosen savior of capitalism, pass through income and tax avoidance? The only relevant question is also the answer: What can you do to help my campaign?
Haha. Also, Pence moved an eyebrow?
“Donald J. Trump truly is”
…and this popped into my head – “truly scrumptious, he’s truly, truly scrumptious” – Well done Shitty Shitty Bang Bang!
“Trump was in the room”? FFS! When has Trump ever been in a room when he just sat there like a Mike Pence reaction doll? He was in the room for a reason. He summoned everyone else in the room to put his mighty words into action. Shouldn’t the revelation state the obvious?
“Trump dominated the conversation, as always, making everything about him, his campaign, his attempt to right the wrongs perpetrated on the long forgotten, blue collar, salt of the earth working class white people, so loved by the Blue Collar Billionaire that he sacrificed his only real estate empire so that whosoever believeth in him shall not falter, but through faith and belief in the master enter unto eternal prosperity.”
The real purpose of this and every other Trump meeting was to control the narrative and steer the message to how wonderful Donald J Trump truly is.
How could a few lowly women be permitted to bring down God’s chosen savior of capitalism, pass through income and tax avoidance? Why can you do to help my campaign indeed?
What’s the over/under on today being Big Indictment Friday?
I’ll take the under. Grand Jury stuff going on today and next week, and the Flynn sentencing. I think the next volley will come in January.
https://twitter.com/SarahNLynch/status/1073607244514820098
https://twitter.com/dsamuelsohn/status/1072252112229281793
Intriguing.
Hannity 🤣
“Friday On My Mind”
https://m.youtube.com/watch?v=n3DK95SwWek
Huh. I thought that was a Bowie song. Learn something new every day.
Original version, guys playing guitar wrote it (Vander and Young).
When Govnah Chris Crispie Creme turns down CoS, you know shit is bad.
OT
bmaz, any chance your tillman retweet and your Vox retweet are related?
Would be curious about what charges would be filed re the Vox piece? Anything beyond obstruction?
Vox piece
The Washington Post has this piece by Devlin Barrett which seems… not well thought out.
https://www.washingtonpost.com/world/national-security/muellers-treatment-of-cooperating-witnesses-suggests-end-of-russia-investigation-may-be-near/2018/12/13/849c7c24-ff0e-11e8-862a-b6a6f3ce8199_story.html
He resurrects the idea that Mueller is writing a report, based on the idea that the sentencing of Flynn and Cohen implies that he is done with them and won’t be using them to testify in court. Setting aside the issue that Mueller has been releasing his public statements by way of his filings, he acknowledges that Gates is not sentenced, and leaves out the entire Roger Stone story.
He closes with an acknowledgement of other possible reasons for Mueller’s moves regarding the sentenced people, but misses an obvious one — he may not need them to move forward. A key piece of any article should stress how little we know about what evidence Mueller has, and how he will be using witnesses to support that evidence.
I think an unspoken assumption in a lot of Mueller coverage is that trials will consist mostly of witnesses making statements about suspects, but I think that’s a very shaky idea. Barrett also doesn’t acknowledge that key witnesses may be people who were never indicted.
It’s certainly possible Mueller is past the midpoint, but I think it’s unreasonable to read as much into the sentencing as he does. It’s also possible there is a major area yet to be revealed that we don’t really know about.
I agree. It is impossible to know, but my guess is that this could go on for another year. Investigations take time, especially sensitive ones where every “i” needs to be dotted and “t” crossed and rechecked. Every defendant flipped usually names more names, which may lead finding additional crimes, etc. I wouldn’t mind having his office’s Public Relations job though! LOL!
> my guess is that this could go on for another year.
I’ll take the over
BTW, another method of hacking two-factor authentication which may have been used to gain access to the DNC servers. This one might be the easiest of all. It is a form of “Spear phishing” https://en.wikipedia.org/wiki/Phishing#Spear_phishing
Reports on Friday say it’s in active use by Iranian hackers, and may have been in use for a few years. I’m going to tack it here instead of digging back thru old posts:
1. Hackers set up a fake login page that looks legit, for example amazon-console.com
2. Hackers send an email to target directing them to fake login page, for example, “We posted an important message to your account. Please login to read it at amazon-console.com.”
3. Target goes to fake login page which asks them to login. The page looks legit, so the target types in their username and password.
4. Hackers redirect the target to a web page that requests the second factor.
5. Hackers immediately use their own computer to visit the real login page.
6. Hackers immediately take the target’s username and password that they captured in Step 3 and type them into the real login page that they brought up on their own computer.
7. Real login page causes the temporary code (second factor) to be sent or displayed on the target’s phone.
8. Target types the second factor into the fake login page (see step 4 above).
9. Hackers immediately take the second factor and type it into the real login page that they brought up on their own computer.
10. Voilà, the hackers are in.
Conclusion: two-factor authentication sounds impressive, but it has a lot of weaknesses, some of which are fairly easy for hackers to exploit.
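Added example (not part of the comment above and not code from any reported incident): a Python sketch of the server-side checks behind that conclusion. A typed one-time code verifies from the shared secret and the clock alone, so it is accepted no matter which page the user typed it into, while an assertion that signs the origin the browser displayed fails when relayed. The origins, keys and the HMAC stand-in for a WebAuthn-style public-key signature are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed placeholders, not real sites or credentials.
REAL_ORIGIN = "https://login.example"
LOOKALIKE_ORIGIN = "https://login-example.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are only the shared secret and time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Accept the current or previous 30 s step. Nothing here can tell which
    page the code was typed into or who forwarded it."""
    candidates = (totp(secret, unix_time), totp(secret, max(unix_time - 30, 0)))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


def client_assertion(device_key: bytes, challenge: bytes, origin_seen: str) -> dict:
    """Simplified authenticator: signs the server challenge together with the
    origin the browser actually displayed. HMAC stands in for the public-key
    signature a real WebAuthn authenticator would produce."""
    msg = challenge + b"|" + origin_seen.encode()
    sig = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return {"origin": origin_seen, "sig": sig}


def server_accepts_assertion(device_key: bytes, challenge: bytes,
                             assertion: dict, expected_origin: str) -> bool:
    """Reject unless the signed origin is the server's own origin."""
    if assertion["origin"] != expected_origin:
        return False
    msg = challenge + b"|" + expected_origin.encode()
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def compare_factors(now: int = 1_544_800_000) -> dict:
    """Run both checks on constructed values and report what the server decides."""
    secret = b"constructed-totp-seed"
    device_key = b"constructed-device-key"
    challenge = b"constructed-server-nonce"

    # Typed code: generated on the user's phone, entered on the lookalike page,
    # and presented to the real server ten seconds later.
    code = totp(secret, now)
    totp_relayed = server_accepts_totp(secret, code, now + 10)

    # Origin-bound assertion produced while the browser shows the lookalike page.
    relayed = client_assertion(device_key, challenge, LOOKALIKE_ORIGIN)
    # Same assertion with the origin field overwritten in transit.
    rewritten = dict(relayed, origin=REAL_ORIGIN)
    # Assertion produced while the browser shows the real site.
    genuine = client_assertion(device_key, challenge, REAL_ORIGIN)

    def check(assertion: dict) -> bool:
        return server_accepts_assertion(device_key, challenge, assertion, REAL_ORIGIN)

    return {
        "totp_relayed": totp_relayed,
        "assertion_relayed": check(relayed),
        "assertion_origin_rewritten": check(rewritten),
        "assertion_genuine": check(genuine),
    }


if __name__ == "__main__":
    for name, accepted in compare_factors().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```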