In the wake of the recent hack of Bo Shen, it’s time to take a look at the security of our own accounts. This article will cover two aspects of account security: switching from text messaging Two-Factor Authentication to Google Authenticator and deleting recovery phone numbers from your email accounts.
If you didn’t hear about it, let me give you the basics: it’s believed that a hacker got Bo Shen’s mobile phone account through a tactic known as social engineering. There seems to be a hacking group working together within the Augur community. Here’s an example of how a hacker could get your phone data through this tactic.
Now many of us might think that Two-Factor Authentication (2FA) using text messages is a good, extra security measure. I know I did. Not anymore. Through researching this, I have come to the conclusion that text messages are not secure at all. If you use text messaging 2FA, I would change it to Google Authenticator 2FA as soon as possible.
I’ll show you how in the steps below.
Here’s why: hackers can easily gain possession of your cell phone account by calling up your phone provider. They can then have all of your text messages rerouted to a different SIM card. So, basically, they would be receiving your messages instead of you. There are also a number of other ways to intercept text messages either from an electronic device (used by police and NSA) or through hacking. So, what’s the alternative to text messaging 2FA? According to Wired, Google Authenticator is a much better tool. I'll explain why shortly.
Better tools like Google Authenticator or an RSA token prove that possession, by generating a unique code that matches one generated on a web service’s server. It’s a test that, thanks to some clever crypto tricks, doesn’t involve any communication between the two computers. -Wired
On your gmail accounts, you can switch from text messaging 2FA to Google Authenticator 2FA. You will need to change the Google Authenticator settings in Gmail from a desktop computer, while the Google Authenticator app itself goes on your smartphone. Here’s the basic process:
1. Download the Google Authenticator app on your smartphone.
2. In your gmail account, go to your SETTINGS.
3. Then go to ACCOUNTS AND IMPORT.
4. Then OTHER GOOGLE ACCOUNT SETTINGS.
5. Then SIGN-IN & SECURITY.
6. Then, under PASSWORD AND SIGN-IN METHOD, click on 2-STEP VERIFICATION.
7. Choose GOOGLE AUTHENTICATOR.
8. Follow the instructions to set it up.
After you have set up Google Authenticator, you can delete the text messaging 2FA.
The reason that Google Authenticator is a better tool is that no code is sent between Google’s servers and your phone. Your phone and Google’s servers each compute the same code mathematically at the same time, so no code travels to your phone. Nothing can be intercepted because nothing is being sent.
The other thing you should do right this second is remove your recovery phone number and recovery email address from your gmail account. Think about it, if a hacker gets control of your phone, all he would need to do is submit a “Forgot Password” request, and then he’d have control of your gmail account, too. From there, he could take control of any of your accounts that are connected to that email, by simply requesting a “reset my password” on those other accounts.
If your phone number is set up as a recovery phone in your gmail account, go and delete it right now.
It appears that a number of attacks have been carried out recently because recovery phone numbers were exploited. Here’s the CoinDesk article about the hack of Bo Shen: http://www.coindesk.com/hackers-stole-300k-blockchain-investor/
Kraken has issued a more robust method for securing accounts. You can read the full article about what to do here.
The steps I outlined in this article are not to be considered completely fail-safe methods for securing your accounts. These are beginning steps to take for people unaware of what risks phone numbers pose in account security. Social engineering hacking is a big problem right now, so it's best to become aware of the vulnerabilities.
If any of you think using Tutanota or Protonmail, neither of which has 2FA, for your accounts is a good idea, let me know in the comments below.
On a more personal note, I've received several phishing attempts via text message recently that were trying to gain access to my gmail account. The most disturbing aspect of these attempts was that the text message appeared to come from the exact same number as the official Google account. This indicates that the hackers had somehow been able to mask their true identity. Text messages are really problematic, and they should be treated as scams.