Hackers Exploit Two-factor Authentication to Steal Millions and How to Fix It

Fernando Trias
6 min read · Apr 17, 2020

Summary: Hackers hijack phone numbers to reset password and take over accounts, thereby stealing millions. Authenticator apps offer a better solution than using phone numbers for two-factor authentication.

SIM swapping is used by hackers to take over accounts.

When you log into your bank, chances are it will send a code to your phone to confirm that it’s really you and not some imposter. In addition, if you forget your password the bank will send you a code to confirm that it is you before letting you create a new password.

This is called two-factor authentication. The first factor is your password. The second is your phone number. Since you control both, it’s twice as secure, and it’s the basis of most current security systems on the web. It seems secure. Or is it?

SIM swapping

The emerging threat known as SIM swapping puts this method at risk. In SIM swaps, hackers take over your phone number, either by physically stealing your phone’s SIM card or by persuading your provider to assign your number to a new phone that they control. Once your number has been hijacked, they then visit your web sites and reset your passwords using the forgotten password link.

The web site sends your phone number a code, which will now go to the hacker’s new phone. The hacker enters the code and creates a new password. The web site will probably send you an email notifying you of this, but since your phone isn’t connected to the network any more it won’t receive the email.

Stealing a SIM card — and thus a phone number — can be done in seconds.

It’s easy to steal your phone number once hackers have your phone. For AT&T, T-Mobile and others, your phone number is tied to your SIM card. This small card is usually located in a small slide-out slot on the side of your phone, easily accessible to anyone who is able to hold your phone for more than a few seconds. Once they have the SIM card, they can insert it into a new phone that will receive new text messages and calls.

Another way to steal your number is to call your provider — AT&T, Verizon, T-Mobile — and persuade them to transfer your phone number, perhaps by telling them your phone was stolen or lost. To do this you just need to know enough to answer some security questions. If you show up to a store in person, sometimes you don’t even need that.

Losses mounting

The problem has been growing for several years and may soon reach a critical point. In January 2020, six Senators sent a letter to the FCC, asking it to combat the rising danger of SIM swapping.

There is even a web site dedicated to this problem, where you can read about hundreds (or thousands) of hacks:

AT&T employees helped to steal $24 million from Michael Terpin.

Cryptocurrency accounts, social media and email are prime targets. In the most obvious cases, hackers reset your password in order to clean out your bank accounts and hold your other accounts for ransom, promising to disclose the new password only after being paid off.

Cryptocurrency accounts are particularly vulnerable because, unlike with bank accounts, transfers are virtually untraceable and unrecoverable. For example, in a recent SIM swap heist, Michael Terpin, a successful cryptocurrency investor, lost $24 million in 2018. He recently won $75 million in a lawsuit against AT&T for enabling hackers to steal his phone number. His number was hijacked not once, but twice.

Often, these crimes are perpetrated by criminal networks. For example, in May 2019, the US Justice Department filed charges against 9 AT&T and Verizon employees for providing criminals with private customer information that was then used to impersonate wealthy customers in order to perform the swap. One employee earned $3500 for information that enabled criminals to impersonate a single high-value customer.

Hackers are even exploiting the COVID-19 pandemic to extract the personal information they need for SIM swapping. Read the CNET article to learn more:

In more elaborate cases, hackers may gather information about your associates and businesses in order to prepare for a larger scam. They add additional recovery information to your account so that they can easily regain access to your accounts at a later time. Then they transfer the phone number back by returning your SIM card or telling the provider to undo the change — perhaps under the pretense that the lost phone has been found again. Unsuspecting victims might think they’ve merely forgotten their passwords when they try to log in again.

For more chilling reading, Vice wrote an exposé involving ordinary people:

Solution

Granted, the problem is not necessarily using a phone number to perform two-factor authentication. Rather the problem lies in using a phone number to recover lost passwords. However, that distinction is lost in most cases. The majority of web sites implement both.

You’d think providers would be more careful about swapping phone numbers, but that would be wishful thinking. AT&T and Verizon live and die by customer service. If a customer calls asking to transfer the phone number to an exciting new phone, they want to make the transition as smooth and hassle-free as possible.

The other side of the problem is that people commonly have hundreds of passwords, so forgetting one is normal and frequent. That exacerbates the problem: people want the least amount of hassle when resetting passwords, especially since they’re already annoyed at having to remember so many of them.

Authentication apps are far more secure than phone numbers.

A promising solution to this dilemma is the use of authentication apps such as Authy, Authenticator by Google (Android, iOS) and Microsoft Authenticator. To use these apps, you first unlock your phone and then confirm access, either by entering a code or via a direct connection to the web site. These apps use complex encryption to ensure that it’s really your phone. In this case, the phone’s locking mechanism ensures only you can access it. So the Authenticator app is only as secure as your phone’s locking mechanism.
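To make concrete why an authenticator app is immune to a SIM swap, here is an added example (not code from the article, nor the code of Authy, Google Authenticator or Microsoft Authenticator) of the time-based one-time password scheme (TOTP, RFC 6238) these apps support. The shared secret is provisioned once, usually from a QR code, and then lives only on the phone and on the web site's server; nothing about it passes through the carrier, so moving the phone number to another SIM yields nothing. The demo secret is the published RFC 4226/6238 test key and is constructed for illustration; the server-side verifier adds the two checks a practitioner expects, tolerance for clock drift and rejection of a code that has already been accepted.

```python
"""TOTP (RFC 6238) generation and verification.

Added example, not code from the article or from any authenticator app.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per code, the value almost every app uses
DIGITS = 6

# Constructed demo secret: the ASCII key "12345678901234567890" from the
# RFC 4226/6238 test vectors, base32-encoded. Never reuse it for real accounts.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Create a fresh random base32 secret when enrolling a new user."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None,
         step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based code: HOTP with the counter derived from the clock."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection."""

    def __init__(self, secret_b32: str, window: int = 1,
                 step: int = TIME_STEP, digits: int = DIGITS) -> None:
        self.secret = secret_b32
        self.window = window          # accept +/- this many steps of drift
        self.step = step
        self.digits = digits
        self.last_used_counter = -1   # persist this per user in production

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        code = code.strip()
        if len(code) != self.digits or not code.isdigit():
            return False
        if at_time is None:
            at_time = time.time()
        current = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_used_counter:
                continue  # a code for this step (or earlier) was already used
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the SHA-1 code is 94287082, so 6 digits give 287082
    print(totp(DEMO_SECRET_B32, at_time=59))
    print(totp(DEMO_SECRET_B32))  # the code an app holding this secret shows now
```

The verifier deliberately refuses a code for any time step at or before the last accepted one, so a code observed over someone's shoulder cannot be replayed within the drift window; in a real deployment `last_used_counter` is stored alongside the user's secret rather than in memory.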

It’s well known that older phone locking measures such as PIN codes and swipe patterns are susceptible to hacking. In one well-known hack, all that is required is angling the phone in order to observe the grease marks left on the screen and discern the last code entered on the phone. In addition, customers don’t like these locks and don’t turn them on.

But with biometric identification such as fingerprint scanners and 3D facial recognition, people are now able to easily secure their phones against tampering with very little additional effort. Because of this, unlike hijacking a phone number, taking over a phone’s apps is proving more challenging than ever.

It’s time to abandon the use of phone numbers and text codes. These techniques don’t improve security very much and they have glaring shortcomings that are impossible to protect against. Web sites should use an authenticator app instead. It’s about the same amount of work for the user, but far more secure.

Fernando Trias

Serial entrepreneur and avid Python and C++ coder specializing in data science, embedded development and security.