Two-Factor Authentication: it’s an excellent way to secure your account. (In fact, if you don’t have it, you need it, STAT).
But, like all security measures, it’s only as effective as your own security savviness, and that of the companies you’re trusting with your accounts.
A host of famous YouTube content creators learned this the hard way, beginning with gaming commentator Markiplier back in January 2016, and continuing with many more highly-subscribed channels throughout the year.
In this article, we’ll look at the ways in which the two-factor protection on your accounts can be bypassed – and the sneaky tricks to watch out for.
## 1. Your Phone Company Might Be A Liability

You’re holding your phone in your hand, so it’s safe… right? Not so fast. Have you ever lost your cell phone and had your number transferred to a new SIM?
Using social engineering, an attacker can have your number moved over to a new SIM card just by pretending to be you. All they need to know are your digits and a few other small details about you (e.g: your address, birthday, last few digits of a credit card, etc.). Depending on the phone company, they might not even need that extra information.
Even more simply, a hacker could use your own forwarding service to divert any incoming calls to your number straight to theirs. This can work in the case of PayPal and Google’s automated call service, which are often used when a user has forgotten their password.
Yet another method can involve an attacker using your voicemail against you, without even knowing your phone number. Certain phone companies have automated customer service lines during ‘out of hours’ periods, where sensitive information can sometimes be sent straight to your voicemail inbox. This system is a very stealthy way for hackers to collect your information, often without you suspecting anything.
Make sure you’re aware of your phone company’s security standards, particularly when it comes to their customer service and technical support line. Red flags of a lax security policy can include not asking for proof of identity, or a customer support officer reading out sensitive information like credit card numbers or passwords over the phone.
Wherever possible, set a passcode to your voicemail inbox to avoid instant access to anyone who might be calling from your number.
## 2. Protect Your Phone Number

Just knowing your phone number in full can allow an attacker to remove the two-factor authentication from your account. An SMS recovery code sent to you could be hijacked if your phone number is ever stolen by an attacker.
Some providers, like Microsoft, allow you to use secret one-time recovery codes that you can write down and keep for emergencies. If your account is mission-critical (for example, a work account holding company information and emails), this might be the most secure way to allow recovery.
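Single-use recovery codes of the kind described above, as an added example that is not the article’s or any provider’s code: the server keeps only salted hashes of the codes, compares in constant time, and marks each code used on first successful redemption so a copied code cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example: recovery codes are shown to the user once; the
# server stores only salted hashes and invalidates each code on first use.
CODE_COUNT = 10
CODE_BYTES = 5            # 40 bits of entropy -> 8 base32 characters
PBKDF2_ROUNDS = 50_000    # assumption; tune to your latency budget


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise user input (case, separators) so "abcd-efgh" and
    # "ABCDEFGH" refer to the same stored code.
    normalised = code.replace("-", "").replace(" ", "").upper().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, PBKDF2_ROUNDS)


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to show the user once, hashed records to store)."""
    codes, records = [], []
    for _ in range(count):
        # base32 avoids ambiguous 0/O and 1/I characters; 5 bytes -> no padding
        code = base64.b32encode(secrets.token_bytes(CODE_BYTES)).decode()
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
        codes.append(f"{code[:4]}-{code[4:]}")   # e.g. "K7QF-3ZX2"
    return codes, records


def redeem_recovery_code(submitted: str, records: list) -> bool:
    """Consume one unused code; True if accepted. A used code is never accepted again."""
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash_code(submitted, rec["salt"]), rec["hash"]):
            rec["used"] = True
            return True
    return False


def unused_count(records: list) -> int:
    """How many codes remain; warn the user to regenerate when this runs low."""
    return sum(1 for r in records if not r["used"])
```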
## 3. Built-In Loopholes

Let’s say you lose your phone. Is it still possible to access your 2FA-enabled account? In many cases, it is. While that might be good news when you’ve actually lost your phone, it’s also great for those who want to access your account without it.
Take a look at how different online services deal with your requests to log in without your phone. Do they ask you for your email address, a security question, or other details about you?
Unfortunately, these safety net features are commonplace (even on sites like Google) and can’t be turned off by users. However, you can make them work to your advantage. For our hints on how to do this, take a look at Secret Questions, Secret Weapons: our guide to creating air-tight security questions.
Most importantly, be aware of these forms of attack, but don’t let them stop you from embracing two-factor authentication. While it’s not foolproof, neither is any security measure, and adding a second factor makes it far more difficult for your accounts to become compromised.
The moral of the story? A combination of user awareness, two-factor authentication, and the use of password managers are your best bet for strong security, but don’t rely on just one method to secure your account.