Now I don’t want to scare you — but you have a truly important piece of personal information that is extremely vulnerable, and you probably don’t know about it. Your friends already have access to it, and so do most of your online accounts. It’s more important than a credit card number, and yet more exposed than one. Can you guess what this is?
It’s your mobile phone number. And it’s complicated why your number is at risk. Let’s start with some background…
Just a few weeks ago, Facebook disclosed yet another data breach, this time an unsecured database containing phone numbers, account IDs, gender, and location by country. This breach has exposed about 419 million users’ phone numbers to an increased risk of spam calls and SIM swap attacks.
We’ll save the countless breaches and privacy issues that Facebook has for another time, and let’s focus on the possible attacks that could happen. A couple of weeks ago, we saw just how easily anyone can become a target of SIM-swapping — Twitter CEO Jack Dorsey’s account was hijacked for about 20 minutes before the company was able to get things back to normal. The root cause was Dorsey’s phone number, which was linked to his Twitter account so he could tweet by sending an SMS text message. The attacker convinced AT&T support to transfer Dorsey’s number over to their AT&T account, and activate it on a new device, gaining the ability to tweet from Dorsey’s account via SMS.
SIM swap attacks are an increasingly common way to take over innocent users’ accounts and wreak havoc on their online lives. Once the attacker switches your phone number to their device, they can intercept all of your SMS messages and phone calls. And not just that… you probably receive a few one-time passcodes (OTP) when you sign into your bank or social media accounts, right? Well, if the attacker knows your email address, all they need to do is try your email on your online accounts and wait for the OTP code to arrive on their device. They can then login without any hassle to your social media, bank, or medical records.
So not using an OTP at all should keep you safe, right? Not so fast… let’s talk about what OTP does and why it’s crucial.
2FA, OTP, what?
Cybersecurity became a major part of the world’s online infrastructure just a few years ago. To secure our accounts from hackers, methods like multi-factor authentication (MFA) were developed. These security measures are based on the premise that to grant access to an account, one needs to provide multiple pieces of evidence (factors) to the authentication mechanism. The most popular form of MFA is 2FA, or two-factor authentication, which requires two separate factors: something only you should know — your password — and something only you should have — a token, PIN, or one-time password (OTP). A perfect example of 2FA is an ATM. The combination of your ATM card and your PIN is used to verify your identity. A thief could steal your physical card, but it’s hard to steal the PIN that only you know.
You are probably familiar with 2FA and OTP because many online accounts today require 2FA to be enabled. The combination of the password and an OTP makes sure you are indeed the person trying to access your account, and in general, this is a very big step in preventing your accounts from being compromised. But there is a glaring problem with OTP as an authentication option for 2FA, and that has to do with how we obtain OTP codes — through SMS.
SMS technology and mobile phone security haven’t really changed in over a decade. While SMS use has largely declined due to apps like iMessage and WhatsApp for secure, encrypted messaging, it is still used for insecurely sending OTPs, which are by purpose meant to be secure and secret. It’s difficult, but not impossible, for a hacker to intercept SMS messages. And as other attacks like SIM swapping become more common, almost anyone can be targeted. It’s no longer enough to enable SMS-based 2FA. Fear not, however, because technology always has a solution!
Okay, so what is the solution?
First of all, set up a PIN with your mobile carrier. Every major US carrier allows you to set a PIN that must be provided before any modification can be made to your account. It’s not a fool-proof solution, but exponentially better than nothing at all.
Second, enable 2FA/MFA on every account that supports it. For a running list of websites and accounts that support 2FA and all of the OTP methods they support, you can visit Two Factor Auth List.
Third, avoid using SMS or phone options for OTP. Most accounts offer OTPs via email, software token, or hardware token — always use these over SMS or phone call. If you use the email method, you should secure your email account with 2FA using another email account or a software or hardware token. Hardware tokens are the hardest to crack for hackers since they require a physical USB key to be plugged into your computer at the time of login, but not all devices and websites support these just yet.
So as of today, the most secure and versatile 2FA method is the software token. This involves a simple app on your phone and/or computer that generates OTPs using a unique pattern. The pattern is also random, and shown to you only once when setting up 2FA. Since no one can ever see the pattern again, no one can guess the next OTP code. Best of all, software tokens (and hardware tokens) work offline, anywhere in the world, so there is absolutely no data being sent to you that could possibly be intercepted. Two of the most popular and trusted software token apps are Authy and LastPass. Some password managers (if you don’t use one yet, you should!) also support software tokens, such as 1Password.
It’s very easy to leave our online lives insecure but the risks involved with that are not worth it. Just a few moments setting up everything we’ve discussed above can save you hours of frustration, while also protecting your data and your privacy, which are priceless.