It's fairly easy for a hacker to hijack your mobile account, take control of your phone number, and use it to bypass the two-factor authentication you have set up and break into your online accounts.
Your phone number is how quite a few companies, including your bank, email provider, and social media services, verify that it's actually *you* when you log in. It's also how many of those companies recover your account (using a text message or phone call) when you forget your password.
This kind of vulnerability is very scary, but it's easy to protect yourself: make your passwords better, protect your mobile carrier account, and use non-SMS-based authentication whenever you can.
I talked to security expert Jessy Irwin about what ALL internet-using humans need to do to keep the passwords on their online accounts safe.
But before I get into how to lock down your digital life, here's some background on why you should.
You might have heard a lot about "two-factor authentication," "2FA," or "two-step verification."
It's a type of account login that requires two factors, typically a password and one more verification code.
Apple, Google, Facebook, and your bank, probably, support this.
You also might have heard that two-factor is important, because passwords alone aren't good enough.
Because a lot of people reuse passwords, one company's security breach can affect multiple accounts. And there are a lot of security breaches. In fact, cybercrime happens more often now than ever, in part because so much of our stuff (our finances, communication, bills, etc.) lives online.
But if you've set up SMS-based two-factor authentication, it can be bypassed.
Hacks are becoming increasingly sophisticated. SMS-based verification isn't necessarily safe, because someone who has your personal info (like the last four digits of your Social Security number or credit card), or even a fake ID in hand, can fairly easily call your carrier's customer service and change the SIM or move the account over to another carrier. This hack redirects all of your texts, including two-factor authentication codes sent over SMS, to the hacker.
"That information might seem hard to get, but there are pretty simple ways to get it if you know how. One tactic that is very popular is to offer the customer support person tidbits of relevant information that gain their trust, but also help you gain other information about the account," Irwin said.
That's what happened to Black Lives Matter activist DeRay Mckesson last year. Mckesson's Twitter account was hacked, even though he had two-factor authentication enabled. The hacker used the last four digits of Mckesson's Social Security number to gain access to his Verizon account via customer service and then change the SIM on the cell account.
Technology experts can get hacked too. The mobile account of Lorrie Cranor, the FTC's chief technologist and a Carnegie Mellon professor who studies passwords and authentication systems, was hijacked in 2016. Someone had walked into the mobile carrier's retail store with a fake ID showing Cranor's name and provided the last four digits of her Social Security number. The thief was able to bill two brand new iPhones to Cranor's account and steal her phone number.
Hackers can also find a way into your carrier account using scams. In this kind of attempt, someone will call you and pose as your carrier, and then ask you to read the code that was just sent over text. That SMS code may be used for your account's backup password recovery, which means hackers don't even need your password to take over your phone number, just that SMS code.
If a hacker can get control of your mobile account, that can leave your accounts vulnerable in another way, because some services use SMS or a phone call for account recovery when you forget your password.
Security expert Jessy Irwin said that while SMS is the least secure method for two-factor authentication, it's better than nothing, and not inherently good or evil. "Where things get sticky isn't actually the two-factor auth, it is when SMS is configured to be used for account recovery," Irwin warned.
This isn't a huge issue for most people, Irwin said, but it is a much bigger problem for those at high risk, including people who own cryptocurrency.
This type of attack, mobile account hijacking, is becoming so widespread that T-Mobile blasted this message this week, urging customers to add a passcode to their account.
T-Mobile is directing customers to a landing page dedicated to "port-out scam" protection. After a hacker has gained access to your carrier account, "porting" your cell phone number to another carrier is how the hacker receives your two-factor codes or resets your passwords.
The company is urging customers to add a passcode to their accounts, which is another line of defense in case a hacker comes calling.
1. Everyone who has a cell phone (not just those using T-Mobile) should call their carrier and add a *unique* passcode, or confirm they already have one.
Adding a PIN or passcode to your carrier account (and changing it regularly!) ensures that if you must use SMS-based two-factor authentication (for example with an iCloud account when you own only one Apple device), your carrier account has an extra layer of security.
As long as you can create your own PIN, Irwin says it's a good way to keep hackers at bay: "If there is a PIN/passcode [for your account], it's on the attacker to figure out what it is, and try to make it to the next step of the process. Usually if [the PIN] is customer-controlled and not something stupid like your house number, it's a pretty good deterrent."
Make sure that 1) you're not reusing a passcode from another account and 2) it's not the last four digits of your Social Security number, because that's likely for sale on the black market already.
T-Mobile: Dial 611 from your T-Mobile phone or 1-800-937-8997, and you'll be able to add a passcode with a six-digit minimum.
Verizon: Go to vzw.com/PIN, call (800) 922-0204, or visit a store in person with government identification.
AT&T: After logging in to your account online, click your name in the upper right > View Profile > Sign-in Info > under Wireless passcode, select Manage extra security.
Extra security requires an additional passcode when you attempt to get online access to the account, discuss the account in any retail store, or call AT&T's customer service line.
Sprint: Sprint requires all of its customers to add a PIN and security questions to their account. You can update that information by logging in to Sprint.com > My Sprint > Profile and security > scroll to Security information > Save.
2. Use a password manager like LastPass (which has the best free version) or 1Password (for people who own iOS and Mac devices) to remember your PINs, and to create strong, *unique* passwords for every website.
Make a list of all of your online accounts. Good password managers can generate strong, random passwords for you. Set up those strong passwords for all of your accounts as soon as possible.
Then, make your life easier by downloading the app version of the password manager on your mobile phone and, if available, the manager's browser extension. That way, you'll be able to easily copy and paste your complex passwords when you need them.
If you have an iPhone, you can even use Face ID or Touch ID to unlock LastPass or 1Password on your phone. If you have an Android phone running Android 6.0 or newer, you can also use your fingerprint.
3. Review your online accounts. Do any of them use SMS-based two-factor authentication? If so, see if you can use an alternative.
There are several other methods you can use as your second "factor" that are safer than text message-based verification.
I like using security keys, like the ones from Yubico called YubiKeys. It's a physical, thumb drive-shaped accessory that fits on your keychain. To use it as a second factor, you plug the key into a USB port on your computer or, if it has an NFC wireless chip in it, hold the key up to your NFC-enabled Android phone. People with iPhones will need to use an authenticator app (more on that below).
These keys are much safer because hackers have to have your physical key, as well as your correct password, in order to breach your account. I will note that security keys won't work for people who use the Safari browser, but they will work for those who surf the web on Chrome.
You can use security keys as secure logins on sites like Google, Facebook, and Dropbox; the password managers Dashlane and LastPass; and a bunch of other services.
But the main problem with keys is that not enough services are compatible with them. "Yubikeys are one of the strongest second factors of authentication, but security keys in general are the least prevalent of second factors," said Irwin.
Another issue, according to Irwin, is that they can be lost: "Having worked with younger kids and the elderly, losing or misplacing a yubikey is a very real usability problem. Some people put them on their keys, but if keys are lost or stolen, account lockouts are likely." So, when you set up your key, set up a second, backup key in case anything happens to the first.
Physical keys won't work for everyone. iPhone users, for example, can't use keys on mobile, and this setup could be frustrating when you're traveling abroad and can't easily get to your backup key.
For those who want to learn a LOT about security keys, here's a super technical, thorough review of all kinds of security keys and who should use them.
4. That brings me to the next best method: third-party authenticator apps.
An authenticator app, like Authy (for iOS and Android) or Google Authenticator (for iOS and Android), can serve as a backup for your security key or as a standalone second factor for an account. Some services don't support security keys but DO support authenticator apps; Twitter is one of them.
Here's how to set up the Google Authenticator app or Authy app for your Google account. You can set up your app with Facebook, Amazon (see step 5), Dropbox, and Twitter as well.
"Authenticators are great because they do quite a few things well: They can be used to authenticate into an account if you're on a plane and the device is offline, or if you're traveling and you can't receive SMS messages," said Irwin.
These apps generate temporary, time-based verification codes. You don't need to be connected to the Internet to receive them, and because nothing is sent over the phone network, SIM hijacking and port-out scams can't intercept them.
5. Print out a hard copy of your single-use backup codes.
Just in case the phone with your authenticator app on it gets stolen, make sure you're able to refer to your single-use backup codes. Many services will give you a certain number of backup codes when you set up two-factor authentication. Each code can only be entered once, and you can generate more at any time.
Here's a shortcut to viewing your backup codes on Google and Facebook. Print them out. Put them in a literal safe or another safe place.
A backup code will let you get into your account, revoke the authenticator app's access, and change your account password.
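The article doesn't say how a service enforces "each code can only be entered once" or why a stolen copy of its database doesn't hand out your codes. This added example, written for this page and not taken from Google, Facebook, or any other service, shows the server side in Python: generate high-entropy codes from the OS random source, show them once, keep only a hash, and burn a code the moment it is redeemed. The class, method names, and the 31-character alphabet are my own choices.

```python
import hashlib
import secrets

# Alphabet with no 0/O, 1/l/I pairs, so a code read off a printout is not mistyped.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


class BackupCodes:
    """Server-side store for single-use recovery codes.

    Only SHA-256 digests are persisted, so a leaked database does not give an
    attacker a working second factor. Twelve symbols from a 31-symbol alphabet
    is about 59 bits of entropy, which is what makes a fast hash acceptable
    here (user-chosen passwords would need a slow KDF instead).
    """

    def __init__(self):
        self._hashes = set()

    @staticmethod
    def _normalize(code: str) -> str:
        # Tolerate the dashes, spaces and capitals a user adds when copying from paper.
        return "".join(code.split()).replace("-", "").lower()

    @classmethod
    def _digest(cls, code: str) -> str:
        return hashlib.sha256(cls._normalize(code).encode()).hexdigest()

    def generate(self, count: int = 10, length: int = 12) -> list:
        """Replace any existing codes and return the plaintext list.
        This is the only moment the plaintext exists; show it once and discard it."""
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
            half = length // 2
            codes.append(raw[:half] + "-" + raw[half:])
        # Regenerating invalidates every earlier code, as the article describes.
        self._hashes = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; replaying the same code fails."""
        digest = self._digest(code)
        if digest in self._hashes:
            self._hashes.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodes()
    for code in store.generate():
        print(code)  # what the user prints and locks away
```

The property the printed sheet relies on is that a code is a bearer token with no second copy anywhere: the service holds a digest, the user holds the paper, and once either the paper is used or a fresh set is generated the old values are dead. That is also why the sheet belongs in a safe rather than a photo on the same phone that holds the authenticator app.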
The onus is, ultimately, on companies to implement secure methods of authentication and protect their customers.
Adding a PIN to your mobile account and making sure you have some form of two-factor authentication set up is the best way to take your online security into your own hands. No protection method is a 100% guarantee that you won't be hacked, but having some protection rather than nothing at all is a much better place to be.
Irwin, meanwhile, is urging companies to rethink personal information-based security systems: "When technologists build systems that rely on a phone number, address, or Social Security account as a unique identifier for a customer or a user, they are choosing to externalize risk to users."
I know, this is all kind of a lot, and I'm sure you have a million questions. Hit me up in the comments or tweet Irwin @jessysaurusrex. Until then, keep calm and carry on with two-factor!
Nicole Nguyen covers products and personal technology for BuzzFeed News and is based in San Francisco.
Contact Nicole Nguyen at firstname.lastname@example.org.
Got a confidential tip? Submit it here.