If you're worried about the security of your email account, your online banking, your credit card or your cloud storage account, you hear often enough that all you need to do is sign up for two-factor authentication with each service. When the Apple iCloud accounts of many celebrities were hacked, for instance, the company was widely criticized for not having two-step authentication enabled by default. Consumer accounts are supposed to be completely secure once a service offers this measure. But is this true?
What is two-step authentication?
Two-step authentication is a widely applied security measure used to verify the identity of people signing in to online services. The first of the two steps is a familiar one: the user signs in with a username and password. The second step adds a further layer of proof: the service sends the user a one-time code in a regular text message to their cell phone, and the user must key that code into the web page. It is additional proof of identity: if an impostor were attempting to sign in, the assumption is that he would be highly unlikely to possess the account holder's username and password as well as his cell phone. Strictly speaking, though, what the service checks is that the person signing in can receive a message sent to the phone number on file, not that they hold the phone itself, and that distinction turns out to matter.
It is important to understand, though, that it is not uncommon for sophisticated identity thieves to find ways around two-step authentication.
The problem lies with the phone company
Anyone who has ever lost a SIM card and needed a replacement knows how easy it is to obtain one. Phone companies don't even require subscribers to come to a store; it can all be done over the phone or online.
Identity thieves are often already in possession of sign-in credentials, obtained from one of the mass database leaks that are reported so often. If they hold a potential victim's credentials, they only need to call the victim's phone company and report a lost SIM card. They are likely to have all the personal information that the phone company asks for as proof of identity; the leaked database usually contains it all. They will typically be sent a replacement SIM card in short order, and once it is active the victim's number, and with it every two-factor code sent by text, is delivered to the thief's phone instead. The victim's own SIM stops working at the same moment, which is often the first sign that something is wrong.
There is an even easier route when the service offers to deliver the code by voice call instead of by text: the thief only needs to have the victim's calls forwarded to his own number, or else break into the victim's voicemail, where an unanswered code call ends up. Call forwarding diverts voice calls, not text messages, so this route works against services that will phone the code to the user. Most users never set a voicemail PIN, and if there is one, the thief can usually have the phone company reset it with the same call.
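The sign-in flow described under "What is two-step authentication?" and the two attacks above, worked through as an added example that is not from the original article and imitates no real phone company or online service. It is a small Python model in which a web service delivers a one-time code to the phone number it has on file, while the phone company decides which SIM that number is bound to. All class, method and variable names, the leaked customer record and the phone numbers are constructed for the illustration. sim_swap_attack() shows that once the carrier has reissued the SIM on the strength of leaked identity details, the thief completes both steps with nothing but the leaked record and the victim's phone never sees the code; call_forwarding_attack() shows the voice-call variant.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed model with hypothetical names; no real carrier or service API is imitated.

@dataclass
class Phone:
    sim_iccid: str
    received: list = field(default_factory=list)  # texts and calls, as strings

class Carrier:
    def __init__(self):
        self.number_to_sim = {}  # number -> ICCID of the SIM currently serving it
        self.sim_to_phone = {}   # ICCID -> Phone the SIM sits in
        self.forwarding = {}     # number -> number its voice calls are sent on to
        self.account_pii = {}    # number -> identity details on file
    def activate(self, number, phone, pii):
        self.number_to_sim[number] = phone.sim_iccid
        self.sim_to_phone[phone.sim_iccid] = phone
        self.account_pii[number] = pii
    def check_identity(self, number, pii):
        # Proof of identity is name, date of birth and address: the data that leaks in breaches.
        if pii != self.account_pii[number]:
            raise PermissionError("identity check failed")
    def replace_lost_sim(self, number, pii, new_phone):
        self.check_identity(number, pii)
        self.number_to_sim[number] = new_phone.sim_iccid  # the old SIM goes dead
        self.sim_to_phone[new_phone.sim_iccid] = new_phone
    def set_call_forwarding(self, number, pii, to_number):
        self.check_identity(number, pii)
        self.forwarding[number] = to_number
    def send_sms(self, number, text):
        # A text goes to whichever SIM the number is bound to right now.
        self.sim_to_phone[self.number_to_sim[number]].received.append(text)
    def place_call(self, number, spoken):
        # A voice call also honours call forwarding; a text does not.
        number = self.forwarding.get(number, number)
        self.sim_to_phone[self.number_to_sim[number]].received.append(spoken)

class Service:
    CODE_TTL = 300  # seconds a code stays valid
    def __init__(self, carrier):
        self.carrier = carrier
        self.users = {}    # username -> (password, number); plaintext only in this model
        self.pending = {}  # username -> (code, expiry)
    def step1(self, username, password, by_voice=False):
        # Step one: the password. On success, send out a fresh single-use code.
        stored, number = self.users[username]
        if not hmac.compare_digest(stored, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, time.time() + self.CODE_TTL)
        deliver = self.carrier.place_call if by_voice else self.carrier.send_sms
        deliver(number, f"Your sign-in code is {code}")
        return True
    def step2(self, username, code):
        # Step two: consume the code (single use, time-limited, constant-time compare).
        # All it proves is that whoever typed it controls the phone number.
        pending = self.pending.pop(username, None)
        if pending is None:
            return False
        expected, expiry = pending
        return time.time() < expiry and hmac.compare_digest(expected, code)

def latest_code(phone):
    return phone.received[-1].split()[-1]  # the six digits at the end of the message

LEAKED = {  # constructed sample of what one breached customer record yields
    "username": "alice", "password": "correct horse", "number": "+15550100",
    "pii": ("Alice Example", "1980-01-01", "1 Main St"),
}

def setup():
    carrier, victim_phone = Carrier(), Phone("8901-victim")
    service = Service(carrier)
    carrier.activate(LEAKED["number"], victim_phone, LEAKED["pii"])
    service.users[LEAKED["username"]] = (LEAKED["password"], LEAKED["number"])
    return carrier, service, victim_phone

def sim_swap_attack():
    """Returns (thief signed in?, did the code reach the victim's phone?)."""
    carrier, service, victim_phone = setup()
    thief_phone = Phone("8901-thief")
    carrier.replace_lost_sim(LEAKED["number"], LEAKED["pii"], thief_phone)  # "I lost my SIM"
    service.step1(LEAKED["username"], LEAKED["password"])  # the code now lands on the thief's SIM
    signed_in = service.step2(LEAKED["username"], latest_code(thief_phone))
    return signed_in, bool(victim_phone.received)

def call_forwarding_attack():
    # Only works when the service will read the code out over a voice call.
    carrier, service, _ = setup()
    thief_phone = Phone("8901-thief")
    carrier.activate("+15550199", thief_phone, ("M. Thief", "1990-01-01", "2 Side St"))
    carrier.set_call_forwarding(LEAKED["number"], LEAKED["pii"], "+15550199")
    service.step1(LEAKED["username"], LEAKED["password"], by_voice=True)
    return service.step2(LEAKED["username"], latest_code(thief_phone))
```

The service side of the model keeps the hygiene a texted code should have (single use, five-minute expiry, constant-time comparison), and none of it helps: the second step verifies control of the phone number, and the lost-SIM desk hands that control out on the strength of the same personal data that was leaked alongside the password.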
The papers are already full of two-step verification horror stories
News reports abound about people who suddenly receive a message from their phone company confirming a lost-SIM report they never made, and who then find that their accounts have been emptied. It is still important to enable two-step authentication; it is a useful hurdle to put between your money and would-be thieves. It is important to know, though, that it doesn't offer all the security it seems to promise: a code sent by text proves only that whoever is signing in currently controls your phone number, and it is the phone company, not you, that decides who controls it.