Two-Factor Text Authentication Isn't Enough to Keep Your Accounts Secure


Just last week, Instagram confirmed reports that it’s modifying its two-factor authentication setup to allow users to log in with passcodes from security apps—like Google Authenticator. While this isn’t the sexiest of news, it’s great to see this practice growing in popularity: using a token-based app that generates time-based one-time passwords (TOTP) on your own device, rather than a text message sent over the phone network, to authenticate into other apps and services.

You should be doing this whenever possible. There are plenty of reports that have shown just how easy it is for a hacker to call up a cellular carrier, find an unsuspecting customer service agent, pretend they’re you, and have your number moved to a SIM the attacker controls. From that point on, every text message meant for you, login codes included, goes to them. The bitcoin exchange Kraken (humorously) described the process in a 2016 blog post:

Somehow, the masses have been led to believe that phone numbers are inextricably bound to identities and therefore make good authentication tools. There’s a reason that Kraken has never supported SMS-based authentication: The painful reality is that your telco operates at the security level of a third-rate coat check. Here’s an example interaction:

Hacker: Can I have my jacket?
Telco: Sure, can I have your ticket?
Hacker: I lost it.
Telco: Do you remember the number?
Hacker: Nope, but it’s that one right there.
Telco: Ok cool. Here ya go. Please rate 10/10 on survey ^_^


And even though cellular carriers (and the FTC) know about the prevalence of this hack—often called “SIM swapping,” “SIM hijacking” or “SIM porting”—this Motherboard article notes that some carriers are only now beginning to offer basic measures to thwart this line of attack.

And you’re only “more secure” if you’ve actually done something like add a special PIN code to your account, which a caller would have to supply to prove they’re you when contacting a wireless carrier’s customer service. If you didn’t do that, or didn’t even know you could, having your number stolen by a hacker can be cyber-catastrophic, as Motherboard notes:

“One hacker who used to SIM swap told me it happens “all the time,” despite telecom providers having known about this attack method for years. According to T-Mobile, hundreds of people have been hit by this scam. In the last few months, Motherboard has spoken to more than 30 victims who have gotten their numbers stolen. In addition to her Instagram handle, one SIM hijacking victim I spoke to got her Amazon, Ebay, Paypal, Netflix, and Hulu accounts hacked as a result.”

Stop letting sites and services text you two-factor authentication codes


There are some sites—I won’t name which ones—that still send me text messages whenever I need to log in. It’s a bad security practice that I blame entirely on my laziness; that, and I don’t really keep as up to date as I should about which sites and services offer app-based two-factor authentication instead of text-based two-factor authentication.

If you’re not sure whether your favorite sites or services support this kind of “token-based” two-factor authentication, you have two options. First, you can scroll through your text messages and find when companies have messaged you a login code, and then go and scan the site’s settings to see if you can set up a software token in your favorite app.

And since I mentioned it, if you’re just getting started with two-factor authentication apps and have no idea what to even use, sites that support token-based two-factor authentication typically have recommendations for apps you should use. Otherwise, here are a handful of popular options:

Your favorite service might even use its own mobile app as an authenticator of sorts—like Facebook’s Code Generator, for example. If it’s enabled, and you go to log in to Facebook on a new web browser, you’ll be prompted to enter a code from your Facebook mobile app. (Though you can always set up Facebook’s two-factor authentication with something like Google Authenticator, if you want.)
