Most people who are even vaguely aware of infosec or personal data security know that the number one step you should take to protect your online accounts is to enable two-step verification. This is especially true when it comes to your email, as this serves as the hub as so much of your online identities. Once someone gains access to your email, they have instant access to a whole host of other things too, and your identity is severely compromised.
But once 2FA is enabled, most people’s concerns stop there. They think “A hacker would have to gain access to my account and have my phone to receive the text” which seems like a remote enough possibility that there is no need to worry. The problem is that getting access to one’s phone number to reroute confirmation texts is easier than you might think. There is a growing number of cases where hackers find your mobile phone account details, reroute your number to their phone, and use that information to get into all of your accounts. This is known as “social engineering hacking”.
There is a huge risk factor here, because people assume enabling 2FA is a security blanket, when in reality it could represent a more profound point of vulnerability. As Wired wrote, “The last few months have demonstrated that SMS text messages are often the weakest link in two-step logins: Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe.”
As security researcher and forensics expert Jonathan Zdziarski told Wired: “SMS is just not the best way to do this. It’s depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.”
So what is the solution to this insecure method? It should be noted that the solution is definitely not to remove 2FA from your accounts completely, and especially not from your email. Having it enabled even with a text message as the second layer is more secure than not, but it’s certainly not foolproof. The best course of action, though, is to de-link your phone number from your main accounts and use an alternative, hardware-based layer for authentication.
The first option is to use an authenticator app on your mobile phone, instead of receiving a text. Google Authenticator is a good option, and can be used for an array of non-Google accounts like Dropbox. In the setup process, you simply scan a QR code that then generates a slew of authentication codes that are unique to your IMEI number. That way, a hacker wouldn’t just have to have your phone number to get your code, but your actual physical phone, which is much less likely.
The second option is to use an authentication token, such as Yubikey. These tokens are paired individually with a service and the computer that’s logging into it; you simply plug it into a USB port when you need to authenticate. This means that a hacker couldn’t log in to your account even if they had your password, because they wouldn’t have this physical token.
Lastly, generating a list of one-time codes when you turn on 2FA, which you print out and do not store digitally, is perhaps the most secure way. All of these mentioned methods are hardware based, meaning that they cannot be “socially engineered” from afar. A hacker would need access to these exact hardware methods (i.e. break into your house) to get them.
Unfortunately, not all tech companies have woken up to the insecurity of SMS-based 2FA. As Wired said, “And for services like Twitter that only offer second factor protections that depend on SMS, it’s time to wake up, smell the targeted attacks, and give users better options.”