It’s fairly easy for a hacker to hijack your mobile account, take control of your phone number, and use it to bypass two-factor authentication you have set up and break into your online accounts.
Your phone number is how a number of companies, including your bank, email provider, and social media services, verify it’s actually *you* when you log in. It’s also how many of those companies recover your account (using a text message or phone call) when you forget your password.
This vulnerability is very scary — but it’s easy to protect yourself: by making your passwords better, protecting your mobile carrier account, and using non-SMS-based authentication when you can.
I talked to security expert Jessy Irwin about what ALL internet-using humans need to do in regard to the safety of their passwords on online accounts.
But before I get into how to lock down your digital life, here’s some background on why you should.
You might have heard a lot about “two-factor authentication,” “2FA,” or “two-step verification.”
It’s a type of account login that requires two factors, typically a password and an additional verification code. Many websites support this: Apple, Google, Facebook, and your bank, probably.
You also might have heard that two-factor is important, because passwords alone aren’t good enough.
Because a lot of people reuse passwords, one company’s security breach can affect multiple accounts. And there are a lot of security breaches. In fact, cybercrime happens more often now than ever, in part because so much of our stuff (our finances, communication, bills, etc.) lives online.
But if you’ve set up SMS-based two-factor authentication, it can be bypassed.
Hacks are becoming increasingly sophisticated. SMS-based verification isn’t necessarily safe because someone who has your personal info (like the last four digits of your Social Security number or credit card), or even a fake ID in hand, can fairly easily call your carrier’s customer service and change the SIM or move the account over to another carrier. This hack method redirects all of your texts — including two-factor authentication codes sent over SMS — to the hacker.
“That information might seem hard to get, but there are pretty simple ways to get it if you know how. One tactic that is very popular is to offer the customer support person tidbits of relevant information that gain their trust, but also help you gain other information about the account,” Irwin said.
It’s what happened to Black Lives Matter activist DeRay Mckesson last year. Mckesson’s Twitter account was hacked, even though he had two-factor authentication enabled. The hacker used the last four digits of Mckesson’s Social Security number to gain access to his Verizon account via customer service and then change the SIM on the cell account.
Technology experts can get hacked too. The mobile account of Lorrie Cranor, the FTC’s chief technologist and a Carnegie Mellon professor who studies passwords and authentication systems, was hijacked in 2016. Someone had walked into the mobile carrier’s retail store with a fake ID showing Cranor’s name and provided the last four digits of her Social Security number. The thief was able to bill two new iPhones to Cranor’s account and steal her phone number.
Hackers can also find a way into your carrier account using scams. In this kind of attempt, someone will call you and pose as your carrier, and then ask you to read the code that was just sent over text. That SMS code may be used for your account’s backup password recovery, which means that hackers don’t even need your password to take over your phone number — just that SMS code.
If a hacker can get control of your mobile account, that can leave your accounts vulnerable in another way because some services use SMS or a phone call for account recovery when you forget your password.
Security expert Jessy Irwin said that while SMS is the least secure method for two-factor authentication, it’s better than nothing, and not inherently good or evil. “Where things get sticky isn’t actually the two-factor auth, it is when SMS is configured to be used for account recovery,” Irwin warned.
This isn’t a huge issue for most people who use computers, Irwin said, but is a much bigger problem for those at high risk, including people who own cryptocurrency.
This type of attack — mobile account hijacking — is becoming so widespread that T-Mobile blasted this message this week, urging customers to add a passcode to their account.
T-Mobile is directing customers to a landing page dedicated to “port-out scam” protection. After a hacker has gained access to your carrier account, “porting” your cell phone number to another carrier is how the hacker receives your two-factor codes or resets your passwords.
The company is urging customers to add a passcode to their accounts, which is another line of defense in case a hacker comes calling.
So, here’s what you can do about protecting your online accounts right now.
1. Everyone who has a cell phone (not just those using T-Mobile) should call their carrier and add a *unique* passcode or confirm they already have one.
Adding a PIN or passcode to your carrier account (and changing it regularly!) ensures that if you must use SMS-based two-factor authentication, your carrier account has an extra layer of security (for example, for those with an iCloud account who only have one Apple device).
As long as you can create your own PIN, Irwin says it’s a good way to keep hackers at bay: “If there is a PIN/passcode [for your account], it’s on the attacker to figure out what it is, and try to make it to the next step of the process. Usually if [the PIN] is customer-controlled and not something stupid like your house number, it's a pretty good deterrent.”
Make sure that 1) you’re not reusing a passcode from another account and 2) that it’s not the last four digits of your Social Security number, because it's likely for sale on the black market already.
Dial 611 from your T-Mobile phone or 1-800-937-8997, and you’ll be able to add a passcode with a six-digit minimum.
For Verizon, go to vzw.com/PIN, call (800) 922-0204, or visit a store in person with government identification.
For AT&T, after logging on to your account online, click on your name in the upper right > View Profile > Sign-in Info > under Wireless passcode > select Manage extra security.
Extra security requires an additional passcode when you attempt to get online access to the account, discuss the account in any retail store, or call AT&T's customer service line.
Sprint requires all of its customers to add a PIN and security questions to their account. You can update that information by logging on to Sprint.com > My Sprint > Profile and security > scroll to Security information > Save.
2. Use a password manager like LastPass (which has the best free version) or 1Password (for people who own iOS and Mac devices) to remember your PINs, and also to create strong, *unique* passwords for every website.
Make a list of all of your online accounts. Good password managers can generate strong, random passwords for you. Set up those strong passwords for all of your accounts as soon as possible.
Then, make your life easier by downloading the app version of the password manager on your mobile phone and, if available, the manager’s browser extension. This way, you’ll be able to easily copy and paste your complex passwords when you need them.
If you have an iPhone, you can even use Face ID or Touch ID to unlock LastPass or 1Password on your phone. If you have an Android phone running Android 6.0 or newer, you can also use your fingerprint.
3. Review your online accounts. Do any of them use SMS-based two-factor authentication? If so, see if you can use an alternative.
There are several other methods you can use as your second “factor” that are safer than text message-based verification.
I like using security keys, like the ones from Yubico called Yubikeys. A security key is a physical, thumb drive-shaped accessory that fits on your keychain. To use it as a second factor, you plug the key into a USB port on your computer, or, if it has an NFC wireless chip in it, hold the key up to your NFC-enabled Android phone. People with iPhones will need to use an authenticator app (more on that below).
These keys are much safer because hackers have to have your physical key, and have your correct password, in order to breach your account. I will note that security keys won’t work for people who use the Safari browser, but they will work for those who surf the web on Chrome.
You can use security keys as secure logins on sites like Google, Facebook, Dropbox; password managers Dashlane and LastPass; and a bunch of other services.
But the main problem with keys is that not enough services are compatible with them. “Yubikeys are one of the strongest second factors of authentication, but security keys in general are the least prevalent of second factors,” said Irwin.
Another issue, according to Irwin, is that they can be lost: “Having worked with younger kids and the elderly, losing or misplacing a yubikey is a very real usability problem. Some people put them on their keys, but if keys are lost or stolen, account lockouts are likely.” So, when you set up your key, you should set up a second, backup key in case anything bad happens to the first.
Physical keys won’t work for everyone. iPhone users, for example, can’t use keys on mobile, and this system could be frustrating when you’re traveling abroad and can’t easily get to your backup key.
For those who want to learn a LOT about security keys, here’s a super technical, thorough review of all kinds of security keys and who should use them.
4. That brings me to the next best method: third-party authenticator apps.
An authenticator app, like Authy (for iOS and Android) and Google Authenticator (for iOS and Android), can serve as a backup for your security key or a standalone second factor for an account. Some services, like Twitter, don’t support security keys but DO support authenticator apps.
Here's how to set up the Google Authenticator app or Authy app for your Google account. You can set up your app with Facebook, Amazon (see step 5), Dropbox, and Twitter as well.
“Authenticators are great because they do quite a few things well: They can be used to authenticate into an account if you’re on a plane and the device is offline, or if you’re traveling and you can’t receive SMS messages,” said Irwin.
These apps generate temporary, time-based verification codes. You don’t need to be connected to the Internet to receive them, and they aren’t vulnerable to being hacked via SIM hijacking.
5. Print out a hard copy of your single-use backup codes.
Just in case your phone with the authenticator app installed gets stolen, make sure you’re able to refer to your single-use backup codes. Many services will give you a certain number of backup codes when you set up two-factor authentication. Each code can only be entered once and you can generate more at any time.
Here’s a shortcut to viewing your backup codes on Google and Facebook. Print them out. Put them in a literal safe or other safe space.
This backup code will allow you to get into your account, revoke access to the authenticator apps, and change your account password.
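The single-use property described above is enforced on the service’s side, not on the printout. Here is an added example (not code from the article or from Google or Facebook) of how a service can implement backup codes: the plaintext is shown once for printing, only a hash of each code is kept, a code is removed the first time it is redeemed, and regenerating the set invalidates every code issued before. The code format, alphabet and count are assumptions chosen for the example, not those of any particular service.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: lowercase letters and digits minus look-alikes (0/O, 1/l/i), for codes people retype from paper.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


class BackupCodes:
    """Server-side store of single-use recovery codes for one account."""

    def __init__(self, count: int = 10, length: int = 10):
        self._hashes: set[str] = set()
        # The plaintext list exists only so the user can print it; it is never stored.
        self.plaintext_for_printing = self.generate(count, length)

    @staticmethod
    def _normalize(code: str) -> str:
        # Accept the printed "xxxxx-xxxxx" form, with or without the dash, in any case.
        return code.replace("-", "").replace(" ", "").strip().lower()

    @classmethod
    def _digest(cls, code: str) -> str:
        # Codes are high-entropy random strings (about 49 bits here), so a plain SHA-256 at rest is
        # adequate; a leaked table cannot be reversed by dictionary guessing the way a password hash can.
        return hashlib.sha256(cls._normalize(code).encode()).hexdigest()

    def generate(self, count: int = 10, length: int = 10) -> list[str]:
        """Issue a fresh set. Any codes issued earlier stop working (design choice, as most services do)."""
        self._hashes.clear()
        issued = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            issued.append(f"{raw[:5]}-{raw[5:]}")
            self._hashes.add(self._digest(raw))
        return issued

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the code on first valid use; False for unknown or already-used codes."""
        digest = self._digest(submitted)
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodes()
    print("print and keep these:", *store.plaintext_for_printing, sep="\n  ")
    first = store.plaintext_for_printing[0]
    print("first use:", store.redeem(first), "second use:", store.redeem(first))
```

A service would persist the hash set per account and, on a successful redemption, also log the event and prompt the user to reset their second factor, which is the recovery flow the article describes.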
The onus is, ultimately, on companies to implement secure methods of authentication and protect their customers.
Adding a PIN to your mobile account and making sure you have some form of two-factor authentication set up is the best way you can take your online security into your own hands. No protection method is a 100% guarantee that you won’t be hacked, but having some protection rather than nothing at all is a much better place to be.
Irwin, meanwhile, is urging companies to rethink personal information-based security systems: “When technologists build systems that rely on a phone number, address, or Social Security account as a unique identifier for a customer or a user, they are choosing to externalize risk to users.”
I know — this is all kind of a lot, and I’m sure you have a million questions. Hit me up in the comments or tweet Irwin @jessysaurusrex. Until then, keep calm and carry on with two-factor!