If you happen to hang around the internet, you might remember last week when Twitter CEO Jack Dorsey’s own Twitter account was hijacked by a group of hackers and used to post a number of offensive tweets.
As the social media company later confirmed, Dorsey fell victim to what is known as a “SIM swap”. A SIM card is the small plastic card that links a mobile device to a phone number and a mobile network; in a SIM swap, the attackers convince the victim’s phone service provider (officials have declined to specify which one Dorsey has a service plan with) to move the victim’s phone number from the SIM in the victim’s phone to one in the attackers’ possession. Effectively, the hackers now had Dorsey’s phone number, meaning any calls or text messages destined for Dorsey’s phone were delivered to the hackers’ phone instead.
With this, the group was able to request a temporary login code from Twitter, which was delivered to Dorsey’s phone number, now under the group’s control. The group was then able to use Dorsey’s number to post tweets via Cloudhopper, an old method of sending tweets through SMS.
As some media outlets have mentioned, Dorsey is hardly the first victim of the practice, with hackers frequently targeting big name celebrities and officials. And with customer service representatives at the service providers either easily tricked or easily bribed, there’s little the carriers can do to stop the attacks.
Now, in this case, the hackers did not need to know Dorsey’s password to access his account, since the phone number was linked to his account, so this wasn’t technically a breakdown of two-factor authentication. However, we can translate this to a situation where the hackers had Dorsey’s password, then used a SIM swap to receive a two-factor authentication code. In either situation, the weak link in the security chain is using SMS to verify a login.
So, stop doing that. Stop using SMS for two-factor authentication.
Really quickly, two-factor authentication is essentially a second step to log in to your account, often in the form of a second, time-sensitive code you have to enter. You may have seen these codes in apps such as Google Authenticator or Authy, or perhaps Duo Mobile, a popular two-factor system being implemented at a lot of universities. Some systems take it a step further, requiring physical devices such as security tokens or smart cards to validate a login attempt.
Right off the bat, let me say that two-factor authentication is crushingly under-utilized. More often than not, people fail to think about their online security until after a breach has occurred. Combine that with some general technological illiteracy and a somewhat unfriendly process for newcomers (not to mention the fact that it simply takes longer to sign in to an account when you have to enter a second code), and two-factor authentication is still mostly used willingly by security-conscious individuals and not-so-willingly by those who work under strict IT policies.
That being said, of those that do use two-factor authentication, SMS (and email) verification is by far the most commonly used method of getting a login code. I myself will frequently just select “Text me a code” rather than pull out my phone, open an app, and furiously type away before the little timer on the code expires.
Unfortunately, as we’ve seen with Dorsey and numerous other incidents, this can backfire if someone can intercept that SMS with the code.
So, instead, let’s go over, in increasing order of security, the other ways you can secure your online accounts.
- Use a two-factor authentication app: As I mentioned earlier, mobile apps like Google Authenticator and Authy generate and display time-sensitive two-factor codes for a number of online accounts. When you enroll, the website and the app share a secret key (usually by scanning a QR code); from then on the app derives each code from that secret and the current time, producing a new code every 30 seconds, and the website does the same calculation to check what you type. Nothing is ever sent to your phone, so a SIM swap gives an attacker nothing to intercept. The short lifespan also means a code that does leak is useful for less time, even if it makes it a bit more of a challenge to type the code in before it rolls over. By comparison, an SMS code has to travel over the carrier network to reach you, and because delivery can be delayed, those codes are usually valid for longer, leaving more time for interception.
- Use a security token: A SIM swap doesn’t give the hackers access to the authenticator apps stored on your phone, but if your entire phone is stolen (which, let’s admit, is more likely than a SIM swap) and the thief can unlock it, then they have your codes and the app no longer protects you. The best practice for two-factor authentication is to make a would-be attacker need multiple devices from you. Sure, your phone could be the secondary device to your laptop, but what is the secondary device to your phone? That’s where something like a security token comes in. These small, dedicated devices generate a two-factor code at the click of a button that can be used to validate a login. The token is offline: the login server never sends it anything. Instead, token and server share a secret key set at enrollment, and each derives the same code from that secret plus either a button-press counter or the current time (the HOTP and TOTP algorithms, the same ones the authenticator apps use), so there is no message carrying the code for an attacker to intercept. To get the code, attackers would have to see the physical device and the code it generates, or trick you into typing a fresh code into a fake login page while it is still valid.
- Use a security key (smart card): Like a security token, a security key is a physical device that hackers would have to possess in order to pass a two-factor check. The difference is that there is no code at all, and nothing for you to type. The key holds a separate private key for each website you register it with (the website keeps the matching public key). At login the website sends a random challenge, you plug the key into your device and touch it to prove you are present, and the key signs the challenge together with the address of the site your browser is actually on. Because that address is part of what is signed, a signature obtained by a look-alike phishing site is rejected by the real one, and a signature can’t be replayed later either, since every login uses a fresh challenge. The keys usually come in the form of a USB stick (some also offer NFC or Bluetooth for mobile devices). This process is known as Universal 2nd Factor, or U2F, an open authentication standard that online services can implement, and it’s the future of two-factor authentication. In fact, the FIDO Alliance behind the technology is already rolling out FIDO2, where the same kind of key would replace not just two-factor authentication codes, but passwords as well. Unfortunately, while some big online players such as Google, Facebook, Dropbox and (finally) Twitter have added support for the standard, adoption has been rather slow, with several others having yet to implement the technology. (Aside: The last time I checked, only a dozen or so websites, half of them enterprise corporations, supported U2F. Checking out Yubico’s list of supported companies now, it seems adoption has taken off; a number of password managers, Windows, macOS and multiple Linux distros, and even the UK Government all now support U2F, along with several others supporting at least one-time passwords and traditional two-factor authentication codes.)
I in some ways utilize all three of these methods. I carry two YubiKeys around with me at all times, which I can use as smart cards. One of the keys also stores the necessary data for generating two-factor authentication codes for a number of websites; when paired with a Yubico Authenticator app on a phone or computer, I can see the same codes that would appear in Google Authenticator or Authy. But even I’ll admit, I often find myself clicking the “SMS” option for a two-factor code, be it because I can’t use the card on my phone, or because Discord’s ten-second two-factor codes are always delayed when I try to use them. (Admittedly, owning a smart card for two-factor authentication isn’t going to do much if these sites still offer you (or attackers) the option to fall back to SMS codes; hopefully as U2F adoption continues and FIDO2 rolls out, that loophole will be fixed).
In the meantime, it’s important that you not only set up, but force yourself to use, strong two-factor methods. Yes, it’s an extra step, I know; that’s the point. Just remember, that second step is what keeps someone who has only your password (or only your phone number) out of your account. I’d certainly trade a few extra seconds for that security any day.