Is the famed two-factor authentication enough to secure your account?
Independent app developer Blakeman this week realised that two-factor authentication did not prove sufficient to secure his account when he found out that his Gmail account had been hacked and his Instagram account stolen.
Service provider became a medium
Blakeman was for a moment confused as to how this hack happened, since he considered himself security-savvy, certainly much more knowledgeable than the average Joe. After some digging he realised that his phone service provider could have played matchmaker between the hacked accounts and the hackers. He had call forwarding activated on his phone. Exploiting this, the attackers managed to social-engineer some degree of access to his accounts. They used this access to have a password-reset email sent to his phone, which the forwarding then delivered to their own devices. Blakeman was helped in this research by Mat Honan of Wired, himself a victim of hacking two years ago.
Blakeman said one key mistake he made was: “My Instagram account was tied to an email that was basically in my name. I’ve since moved all important accounts that allow password reset emails to a different address that does not contain my name. You might want to consider doing that too.”
Commenting on the attack, Richard Cassidy, senior solutions architect at Alert Logic, said it does reveal problems with 2FA. He told SCMagazine UK.com by email: “Two-factor authentication has always been a welcome addition to users’ security when it comes to protecting valuable data and account access. It’s based on strong security principles and in the end acts as a deterrent to attackers.”
“That said, the fact remains that you are only as strong as the weakest link in your chain of security. Often with 2FA activated, phones are the first choice in the chain of authentication, so if we find we don’t have a strong security question for our phone provider, attackers need only perform a little due diligence to correctly guess your most likely passphrase and get full access to your account.”
Cassidy advised: “Users need to pay a great deal more attention to the reset mechanisms they have in place, especially concerning their most important data – such as popular social media and important email accounts.”
“Users also need to take as great a deal of care in choosing strong (hard to guess or brute-force) security questions for account resets as they do for main account authentication. This doesn’t just extend to online accounts, it also applies to cell phone providers, utility, banking, insurance and services accounts that we use daily outside of the WWW.”
“Try to ensure that you link your password resets to an account that has no obvious link to your name, business or identity – that couldn’t be linked back through simple online searches.”