But an attacker kept calling AT&T and eventually got a support representative to ignore the passcode requirement and transfer Williams’ number to a new SIM card. AsWilliams wrote in his recap, the attacker used that to take over his PayPal account and withdraw a surprisingly low sum: $200 Australian, or about $155.
And that’s how a system meant to keep your money safe could instead leave it in danger — just not as much as if you relied on a password alone.
Your number has to stay your number
But that’s not how phone-based“two-step verification” should work. Your phone number is supposed to stick to the handset in your pocket, ensuring that only you see the text sent to confirm your login and that only you can enter that number at the site asking for the confirmation.
AT&T media-relations vice president Fletcher Cook said in a statement forwarded by a publicist that the carrier’s “various security measures and protocols” weren’t followed this time. He then add: “We are taking additional steps to prevent it from happening again.”
Williams said that after I asked AT&T and PayPal about his case, the carrier offered him “a few months” of service credit and PayPal refunded the fraudulent withdrawal.
But if somebody can employ pleasant persuasiveness — “social engineering” — to convince an account rep to transfer a number, you’re not much safer than you were with a password alone protecting your account.
Data breaches can also compromise your account. On Wednesday, the security-research firmUpguard reported that its research director Chris Vickery had found a database of “as many as 14 million” Verizon subscribers — including some account PINs — left accessible online by a contractor.
Ina post later that day, Yahoo Finance’s parent firm put the number at 6 million and said the only outsider to view that data was Upguard’s researcher.
SMS can’t be the only “2FA” option
In Williams’ case, AT&T’s mistake intersected with PayPal’s decision to limit two-step verification — sometimes also called “two-factor authentication,” “2FA” for short” — to text confirmations.
The firm once advertised an alternate way to secure a login: using a physical security key orSymantec’s VIP app to generate one-time codes.
You can’t navigate to that option anymore from your account, but a link inan Electronic Frontier Foundation post from December worked Friday morning, allowing me to enable that app to verify my logins. (Tip: When it asks for a “serial number,” enter the “Credential ID” shown in the app.) PayPal publicists did not explain this.
(Besides, wireless numbers are useless on planes and, unless your carrier has sufficiently generous international roaming, when overseas.)
“That is becoming an increasingly practical avenue of attack,”Stephan Somogyi, security product manager at Google, said in a phone interview Wednesday. “You are only as secure as a company’s front-line customer service is trained.”
Google lets you remove a phone number as atwo-step verification option once you’ve enabled others, althoughits online help doesn’t make that obvious. Sign intoyour account’s security settings, click “2-Step Verification” and click the pencil next to “Voice or text message.”
Thursday,Google announced in a blog post that it would begin pushing users of its G Suite mail and productivity services to stop relying on phones for two-step verification.
The hard-core security advice is not to rely on phone numbers for account verification at all. But the usual alternative, switching to apps like Authenticator that generate login codes in real time or let you confirm a login by responding to a push notification,breaks once you change phones.
You must then associate the new device with the old account somehow. If you don’t have text-based 2FA, you’ll generally need to enter one of the backup codes you were shown and told to print out when you set up two-step verification.
“It is a complete, total and unmitigated pain,” Somogyi said.
A newer option,USB “security keys” that you associate with your account and then plug into a device to confirm a login, keep working as you upgrade devices. But so-called U2F (“Universal 2nd Factor”) keys work infar fewer services and in even fewer browsers — Chrome and Opera are the only ones tosupport this standard.
Meanwhile, most people’sthreat model doesn’t involve determined, personalized attacks. They just need to be more secure than the next random user — and phone-based authentication has the advantage of being free and reasonably simple.
So we may be stuck with it for a while, and the alternative could be much worse. As Somogyi said: “SMS-based two-factor is by far better than not having two-factor at all.”
