When 2-step verification became available, I was glad that it made my internet accounts safer. But of course, we can only stay ahead of cyber attackers for so long. As we saw last year, 2-step verification can now be hacked, too. How is that possible?
SMS messages are often the weakest point in a typical 2-step verification. Black Lives Matter activist Deray Mckesson’s Twitter account was hacked even though it was protected with 2-step verification. An attacker contacted Verizon Wireless, impersonating him to change his SIM card. With the SIM reset, the attacker was able to receive text messages intended for Mckesson and bypass the 2-factor authentication. You can read the whole story here.
Fake cell phone interceptors such as IMSI catchers, which are used in some countries by law enforcement and intelligence agencies, can also be used by malicious attackers to intercept text messages. They do this by using an SS7 protocol vulnerability that allows them to intercept people’s calls or text messages. More on this here.
A third way to break your 2-step verification is to trick you into sending the security code to a malicious hacker. This happened to Alex MacCaw, co-founder of Clearbit.com. He received an SMS that looked like it came from Google and was designed to trick him into forwarding the security code to the attacker. You can see the SMS here. He didn’t fall for the trick, however.
As you can see, you have to be aware of social engineering and avoid receiving security codes via SMS. One way to eliminate the SMS vulnerability is to use Google Authenticator. It provides a one-time password that you can use for 2-step authentication for Google services or 3rd party apps that support it. It is also convenient when you travel without cell connectivity because the security code is directly generated on your phone, so you can log in to your accounts over WiFi.
So, be alert and use Google Authenticator to avoid getting hacked.