Monday, June 10, 2019

Two-Factor Authentication Not All It's Cracked Up to Be

(Image from nakedsecurity.sophos.com)
Not being a computer expert, I foolishly took comfort in the security of two-factor authentication (2FA).

I log in to the accounts at three different banks by typing the user name and password on my regular computer. When I try to gain access using a new device, such as another computer or an iPad, the bank sends a numerical text to my cellphone-of-record. Entering the numerical code on the new device causes the bank to be confident that it's me: I know the name and password, and I have physical possession of the phone.

Crooks have found several ways to defeat SMS-based 2FA. They usually exploit the account-recovery features that help hapless consumers who have "forgotten" their passwords or have "lost" their phones.

Cathal McDaid, Adaptive Mobile: One very popular way of doing it is that you ring up the carrier and you say, "My name is X and my phone number is X. However, I've lost my SIM card or it's been damaged or been destroyed somehow and I need to get it assigned to a new phone."

Allison Nixon, Flashpoint: When the SIM swappers steal a phone number, for that very short period of time they own the victim's phone number. Then they do a password reset against their emails until they take over the victim's financial accounts and steal what they want.

To review, the thief's first move is to transfer the phone number to a different cellphone by claiming that the equipment was "lost". The next step is to log in to the bank website using the victim's email address as the user ID (some sites require that the user ID be the email address; I prefer a user name, e.g. My3rdDogFido, that is harder for a hacker to know) and go through the "forgot password" routine. The bank sends a code to the stolen phone number, and the hacker now controls the bank account.

There are technical solutions, but they all involve inconvenience. For example:

Allison Nixon: if [banks'] policy required a period of time to pass [after a password was reset] before you could empty out an account, that would definitely prevent SIM swapping. The attackers can only hold on to a phone number until the victim gets it back—usually not that long. However, most of the time when people are doing password resets, it's legitimate, and when you lock down an account for a period of time it makes people very frustrated.
A phone that doesn't need electricity
My solutions are old-school. For any account whose theft would be very painful, I have never allowed electronic transfers. (Setting up the capability for the first time on these accounts would take at least three days.) Yes, I have to wait to get a mailed check from them, but that's how we did it in the 20th century, kids.
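As an added illustration of the hold-period policy Nixon describes and of the three-day wait mentioned just above, here is a small Python policy check written for this post (it is example code, not any bank's real system). It refuses outgoing transfers until a hold has elapsed after a password reset, a phone-number change, or transfers being switched on; the 72-hour windows, the event kinds and the timeline are assumptions constructed for the example. The point it makes is that a SIM swap followed by a password reset buys the attacker only the short time before the victim recovers the number, so a hold longer than that window leaves nothing to drain.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed hold windows (constructed for this example). The post only says
# that enabling transfers "would take at least three days", so 72 hours is
# used for every sensitive change.
HOLD_WINDOWS: Dict[str, timedelta] = {
    "password_reset": timedelta(hours=72),
    "phone_change": timedelta(hours=72),
    "transfers_enabled": timedelta(hours=72),
}

# Reference time for the constructed timeline (the post's date).
T0 = datetime(2019, 6, 10, 9, 0)


@dataclass
class Account:
    """Minimal account state: whether outgoing transfers are enabled at all,
    plus the time of the most recent sensitive change of each kind."""
    transfers_enabled: bool = False
    last_change: Dict[str, datetime] = field(default_factory=dict)


def record_event(acct: Account, kind: str, when: datetime) -> None:
    """Record a sensitive change; 'transfers_enabled' also flips the switch on."""
    if kind not in HOLD_WINDOWS:
        raise ValueError(f"unknown event kind: {kind}")
    if kind == "transfers_enabled":
        acct.transfers_enabled = True
    acct.last_change[kind] = when


def transfer_decision(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Decide whether an outgoing transfer may proceed at time `now`.

    Denied if transfers were never enabled (the author's own rule), or if any
    sensitive change still sits inside its hold window. A SIM swapper holds a
    stolen number for hours, not days, so a multi-day hold after a password
    reset or phone change means the money cannot move while they control it.
    """
    if not acct.transfers_enabled:
        return False, "denied: electronic transfers are not enabled on this account"
    for kind, hold in HOLD_WINDOWS.items():
        when = acct.last_change.get(kind)
        if when is None:
            continue
        elapsed = now - when
        if elapsed < hold:
            ago = int(elapsed.total_seconds() // 3600)
            left = int((hold - elapsed).total_seconds() // 3600)
            return False, f"denied: {kind} {ago}h ago, hold lifts in {left}h"
    return True, "allowed"


def demo() -> List[Tuple[bool, str]]:
    """Constructed SIM-swap timeline: transfers enabled a month ago, phone
    number moved at T0, password reset an hour later, a transfer attempted an
    hour after that, then another attempt more than three days later. The
    last case is an account where transfers were never enabled."""
    acct = Account()
    record_event(acct, "transfers_enabled", T0 - timedelta(days=30))
    record_event(acct, "phone_change", T0)
    record_event(acct, "password_reset", T0 + timedelta(hours=1))
    return [
        transfer_decision(acct, T0 + timedelta(hours=2)),   # inside the hold
        transfer_decision(acct, T0 + timedelta(hours=80)),  # hold has lifted
        transfer_decision(Account(), T0 + timedelta(hours=2)),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The first decision is refused because the password reset is only an hour old; the second, more than 72 hours after the last sensitive change, goes through; the third is refused outright because that account never had transfers enabled. The frustration Nixon mentions is visible in the second case: a legitimate customer who really did reset a password also waits out the hold.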

The accounts that I use for electronic bill-paying each hold a few thousand dollars, and their loss would make me angry but not cause permanent grief. Finally, the user IDs on all my accounts are not email addresses.

If the hackers become too proficient, I can disable all outgoing electronic payments and go back to writing checks. Modern systems are complex and convenient, but you should have a back-up plan.
