Two-factor is great, but what about when it goes wrong?


Even the best security can be worthless

Two factor security is all the rage, but what about when it doesn't work? At Reddit, the company learnt the hard way about the limitations of doing everything right when hackers broke in by hijacking employee SMS messages.

Many services rely on SMS-based two-factor authentication, which sends a randomized code to your phone number after logging in to verify that it's really you.

The problem is just how many ways this method of verification can be exploited: there's SMS interception, which is being exploited often without the user's knowledge at all. More advanced attacks can even hijack your entire SIM card, rendering you unable to help yourself at all, as Motherboard found out:

“With someone's phone number,” a hacker who does SIM swapping told me, “you can get into every account they own within minutes and they can't do anything about it.”

In Reddit's case, the hijacker reset employee passwords via SMS, circumventing the two-factor token and eventually gaining access to some of the company's systems. It supposedly only lost a 2007 database backup and user email addresses, but that's still a ton of data.

As phone number based authentication has become more widespread – everything from Instagram to iCloud now requires it – breaking in to every account someone owns is just a phone number away.

There's now a big push to divorce these two authentication methods from one another. Google, for example, announced just this week that it's building a hardware-based security key that anyone will be able to buy later this year. Hardware security keys require you to be physically present to plug in (or scan the key) prove your identity, making it much harder for remote attackers to break in. Google proudly touts these as "no phone required' solutions.

Hardware keys are great, but something of a hassle for the majority of us to use. If you forget your keys, you can't use your email. That's a small price to pay for higher security, but also one that many people aren't willing to make.

What's the best you can do, then? Well, first of all, enabling two-factor on all of your accounts with a service like Authy, 1Password or Google Authenticator is crucial. This prevents many of the issues surrounding SMS-based authentication, and is a great first step.

Second, use a password manager if you aren't already! I use and recommend 1Password, but Dashlane is great too. Generate a unique password for each service, and get in the habit of autocompleting them instead of typing (I swear, it's actually easier!).

I've experienced many of the problems discussed here today myself, and I promise it's worth the hassle. When I moved to the Netherlands I lost control of my primary phone number (for over a decade) thanks to my NZ carrier releasing it, leaving my accounts wide open for the taking. 

The moral of the lesson is simple: phone numbers are a crappy substitution for proving your identity, so be wary of any service that insists on it (or allows the account to be reset this way). Even big organizations like Reddit aren't immune, so take the time to do what you can to protect yourself.

🌎 Reddit's security breach due to SMS interception


Around the web

💕 Facebook is doing internal testing of its dating app (sounds awkward?)

🎮 Fortnite makes end-run around Google on Android to avoid 30% cut

🍎 Apple became the first to crack the $1 trillion market cap

🙉 Google plans censored version of search in China 


Technology moves fast, and it's hard to keep up. RE:Charged is my weekday briefing for busy people who want to know about the technology industry, but don't have time to read news sites. Get the TL;DR, on your way to work.

This week we've launched new features, including real-time chat! Join 370 others in our budding community and sign up here today. 💌


The expensive education of Zuckerberg and Silicon Valley

This is a fabulous piece from Recode's Kara Swisher on Mark Zuckerberg, and how nobody saw the upheaval of the industry coming, yet we're all paying the price of social media's unraveling. 

🌎 Read on The New York Times


Other great reads

Facebook lenses (Stratechery)

Are things getting better or worse? (The New Yorker)

"I have a secret. My father is Steve Jobs." (Vanity Fair)

What it's like to have an ADHD brain (Medium)


Next-generation prototyping

There's a bunch of hype out there in the design industry this week for Framer X, a tool built from the ground up to help designers build rich, interactive prototypes. A prototype is worth 1,000 words, and even in beta, this looks like it'll be a fantastic way to get the message across before writing any code.

The design space is getting increasingly advanced. With powerful options like Figma and Atomic as well, we're seeing a big shift into designing realistic, usable prototypes earlier in the process, before committing to actually build something. It's a welcome shift, and should save a bunch of wasted time.

🌎 Framer X


Thanks for reading! You're a part of a community of 15,000 others getting the best in tech news every week.