Two-Step Text Authentication Is Not Enough to Keep Your Accounts Secure
Instagram last week confirmed reports that it is changing its account security settings so that users can log in with codes from authenticator apps, such as Google Authenticator, instead of only codes sent by text message. While this isn’t big news, it’s good to see the practice growing in popularity: using a token-based app, rather than a text message, to authenticate to other apps and services.
You should do this whenever possible (and if you have no other option, at least use text-based 2-Step Verification rather than nothing). There are many reports showing how easy it is for a hacker to call a cellular carrier, find an unsuspecting customer service agent, and pretend to be you. Bitcoin exchange Kraken (humorously) described the process in a 2016 blog post:
Somehow the masses were convinced that phone numbers are inextricably linked with personal data and, therefore, are good tools for authentication. There’s a reason Kraken has never supported SMS-based authentication: the sad reality is that your telco is running at Layer 3 security. Here’s an example interaction:
Hacker: May I have a jacket?
Telco: Of course, can I have your ticket?
Hacker: I lost it.
Telco: Do you remember the number?
Hacker: No, but he’s right there.
Telco: Okay, cool. That’s all. Rate this survey 10 out of 10 ^_^
And while cellular carriers (and the FTC) are aware of how common this attack is, often referred to as “SIM hijacking” or “SIM porting,” this Motherboard article notes that some carriers are only now starting to offer basic measures to thwart it.
And you’re only “safer” if you’ve actually done something like adding a special PIN to your account, which a caller will have to provide to prove they are you when they contact the wireless carrier’s support team. … If you haven’t done that, or didn’t even know you could, then a hacker could wreak havoc on your digital life, as Motherboard notes:
“One hacker who used a SIM swap told me it was happening ‘all the time,’ even though carriers have known about this attack method for years. According to T-Mobile, hundreds of people have been affected by this scam. Over the past several months, Motherboard has spoken to over 30 victims whose numbers have been stolen. For one SIM theft victim I spoke to, the attack resulted in their Amazon, Ebay, Paypal, Netflix and Hulu accounts being hacked, in addition to their Instagram account.”
Prevent sites and services from sending you 2-Step Verification text codes
There are some sites – I won’t name which ones – that still send me text messages when I need to sign in. This is bad security practice, and I blame it entirely on my own laziness; that, and the fact that I’m not always aware of which sites and services offer app-based two-factor authentication as an alternative to text-based codes.
If you’re not sure whether your favorite sites or services support this kind of token-based two-factor authentication, you have two options. First, you can scroll through your text messages to find the companies that have sent you login codes, then check each site’s security settings to see whether you can set up a software token in your favorite authenticator app instead.
And since I brought it up: if you’re just getting started with 2FA apps and have no idea what to use, sites that support token-based 2FA usually recommend which apps to use. Otherwise, here are some popular options:
- Google Authenticator (Android, iOS)
- Authy
- Microsoft Authenticator
- LastPass Authenticator
- 1Password
- Duo Mobile
Your favorite service might even use its own mobile app as a kind of authenticator – like the Facebook Code Generator. If it’s enabled and you log into Facebook from a new web browser, you’ll be prompted to enter a code from the Facebook mobile app. (Although you can always set up Facebook’s two-factor authentication using something like Google Authenticator instead, if you prefer.)
If you don’t have any text messages with login codes, possibly because you deleted them after logging into a site or service, you can also check out the ever-helpful Two Factor Auth website. Click any category and you’ll see a comprehensive list of applications and services, along with the two-factor authentication methods each one supports, if any.
Regardless of how you do it, even if you have to manually review your browser history to see which sites you visit most, you should switch everything you can to token-based two-factor authentication. That way, if a hacker ever gets hold of your phone number, they won’t be able to infiltrate the rest of your digital life.