Login notifications are a last resort in security. They notify the victim that their account has been compromised, prompting them to change their password. This usually sucks for the attacker as all the work they put into getting the credentials is undone. In this article, we will go over ways to prevent login notifications from reaching victims.
Email Deletion
This method assumes you have access to the target’s email and that the target service only sends email notifications. Immediately after you log in, go to the target’s email and delete the notification. Depending on how the target’s device is configured, they may still get a notification on their phone. This can be prevented by finding any previous login notification emails and reporting them as spam or by blocking the notification email address before you log in.
Separate Email Server
Some companies have email addresses that can be logged in from regular email services like Gmail and from a server hosted by the company, such as Outlook. In this case, logging in from Gmail causes a notification to show on the target’s phone and email. This can be prevented by logging in from the company server, which does not always send a notification.
Network Disconnect
This method assumes you have a way to cut off the target’s internet connection. By cutting the connection notifications are unable to reach the target. This gives you ample time to use the account. Depending on the service, a notification may still show once you restore the target’s connection.
Phishing
By logging into a phishing page the target is less likely to care about the login notification as they think the login was legitimate. However, you should make sure to log in around the same time as the target, or else the login notification may show a different time, raising red flags. Having a VPN or being near the target will also help as some notifications include the IP location.
Cookie Saving
Some services don’t change the cookies after a password change. By saving the cookies a password is not needed to log in. This method has a low success rate as most websites change cookies or force logout when the password is changed.
Conclusion
In this article, we only went through a few methods of stopping login notifications. I’m sure there are better ways but I just went over the ones that worked for me. Login notifications can be prevented but that does not mean they are ineffective. Every website should implement this as it does have a positive impact on their security.
Leave a Reply
You must be logged in to post a comment.