Two-factor security is all the rage, but what about when it doesn't work? Reddit learnt the hard way about the limitations of doing everything right when hackers broke in by hijacking employee SMS messages.
Many services rely on SMS-based two-factor authentication, which sends a randomized code to your phone number after logging in to verify that it's really you.
The problem is just how many ways this method of verification can be exploited: SMS interception, for one, is often carried out without the user ever knowing. More advanced attacks can even hijack your entire SIM card, leaving you unable to do anything about it, as Motherboard found out:
“With someone's phone number,” a hacker who does SIM swapping told me, “you can get into every account they own within minutes and they can't do anything about it.”
In Reddit's case, the hijacker reset employee passwords via SMS, circumventing the two-factor token and eventually gaining access to some of the company's systems. It supposedly only lost a 2007 database backup and user email addresses, but that's still a ton of data.
As phone-number-based authentication has become more widespread – everything from Instagram to iCloud now requires it – breaking into every account someone owns is just a phone number away.
There's now a big push to divorce these two authentication methods from one another. Google, for example, announced just this week that it's building a hardware-based security key that anyone will be able to buy later this year. Hardware security keys require you to be physically present to plug in (or scan) the key to prove your identity, making it much harder for remote attackers to break in. Google proudly touts these as "no phone required" solutions.
Hardware keys are great, but something of a hassle for the majority of us to use. If you forget your keys, you can't use your email. That's a small price to pay for higher security, but also one that many people aren't willing to pay.
What's the best you can do, then? Well, first of all, enabling app-based two-factor on all of your accounts with a service like Authy, 1Password or Google Authenticator is crucial. The code is generated on your device from a shared secret rather than sent over the carrier network, which prevents many of the issues surrounding SMS-based authentication, and is a great first step.
Second, use a password manager if you aren't already! I use and recommend 1Password, but Dashlane is great too. Generate a unique password for each service, and get in the habit of autocompleting them instead of typing (I swear, it's actually easier!).
I've experienced many of the problems discussed here today myself, and I promise it's worth the hassle. When I moved to the Netherlands, I lost control of my primary phone number (which I'd had for over a decade) thanks to my NZ carrier releasing it, leaving my accounts wide open for the taking.
The moral of the story is simple: phone numbers are a crappy substitute for proving your identity, so be wary of any service that insists on it (or allows the account to be reset this way). Even big organizations like Reddit aren't immune, so take the time to do what you can to protect yourself.
🌎 Reddit's security breach due to SMS interception