Photo: David Murphy
Just last week, Instagram confirmed reports that it’s working on modifications to its two-factor authentication setup that will allow you to create passcodes in your favourite security app – like Google Authenticator, for example. While this isn’t the sexiest of news, it’s great to see this security practice growing in popularity: using an app, rather than a text message, to authenticate into other apps and services.
You should be doing this whenever possible. There are plenty of reports that have shown just how easy it is for a hacker to call up a telecommunications carrier, find an unsuspecting customer service agent, and pretend they’re you. The bitcoin exchange Kraken (humorously) described the process in a 2016 blog post:
Somehow, the masses have been led to believe that phone numbers are inextricably bound to identities and therefore make good authentication tools. There’s a reason that Kraken has never supported SMS-based authentication: The painful reality is that your telco operates at the security level of a third-rate coat check. Here’s an example interaction:
Hacker: Can I have my jacket? Telco: Sure, can I have your ticket? Hacker: I lost it. Telco: Do you remember the number? Hacker: Nope, but it’s that one right there. Telco: OK cool. Here ya go. Please rate 10/10 on survey ^_^
And even though telcos know about the prevalence of this hack – often called “SIM hijacking” or “SIM porting” – this Motherboard article notes that some carriers are only now beginning to offer basic measures to thwart this line of attack.
And you’re only “more secure” if you’ve actually done something like add a special PIN code to your account that a person would have to submit to verify they’re you when calling up a wireless carrier’s customer service. If you didn’t do that, or even knew you could, having your number stolen by a hacker can be cyber-catastrophic, as Motherboard notes:
“One hacker who used to SIM swap told me it happens “all the time,” despite telecom providers having known about this attack method for years. According to T-Mobile, hundreds of people have been hit by this scam. In the last few months, Motherboard has spoken to more than 30 victims who have gotten their numbers stolen. In addition to her Instagram handle, one SIM hijacking victim I spoke to got her Amazon, Ebay, Paypal, Netflix, and Hulu accounts hacked as a result.”
Stop letting sites and services text you two-factor authentication codes
Screenshot: David Murphy
There are some sites – I won’t name which ones – that still send me text messages whenever I need to log in. It’s a bad security practice that I blame entirely on my laziness; that, and I don’t really keep as up to date as I should about which sites and services offer app-based two-factor authentication instead of text-based two-factor authentication.
If you’re not sure whether your favourite sites or services support this kind of “token-based” two-factor authentication, you have two options. First, you can scroll through your text messages and find when companies have messaged you a login code, and then go and scan the site’s settings to see if you can set up a software token in your favourite app.
And since I mentioned it, if you’re just getting started with two-factor authentication apps and have no idea what to even use, sites that support token-based two-factor authentication typically have recommendations for apps you should use. Otherwise, here are a handful of popular options:
Facebook’s Code GeneratorScreenshot: David Murphy
Your favourite service might even use its own mobile app as an authenticator of-sorts – like Facebook’s Code Generator, for example. If it’s enabled, and you go to log in to Facebook on a new web browser, you’ll be prompted to enter a code from your Facebook mobile app. (Though you can always set up Facebook’s two-factor authentication with something like Google Authenticator, if you want.)
If you don’t have any text messages with login codes to go through, perhaps because you delete them once you’ve logged in to a site or service, you can also check out the ever-helpful Two Factor Auth website. Click on any category and you’ll see a comprehensive listing of apps and services, as well as which two-factor authentication setups they support – if any.
Screenshot: David Murphy (Two Factor Auth)
No matter how you do it, even if you have to manually go through your browser history to see which sites you most frequent, you should switch everything you access over to token-based two-factor authentication. That way, if a hacker ever gets a hold of your phone number, they won’t be able to break into the rest of your digital life.