How Hackers bypassed Google’s Two-Factor Authentication

Status
Not open for further replies.

Petrovic

“It is easier than you think for someone to steal your password. The 2-Step Verification can help keep bad guys out, even if they have your password. With 2-Step Verification, you’ll protect your account with both your password and your phone.” This is written on the main site about two-step verification for Google. But your account is not very safe even with this; there is a way around it.

Grant Blakeman, whose Instagram was hacked through his Gmail account, wrote on Ello that even after using two-step authentication he couldn’t stop his account being hacked, which shows that this two-step auth doesn’t stand against every security threat. He checked with his cell phone provider and, sure enough, call forwarding had been enabled on his number to an unknown number. The attack initially started with the cell phone provider, which allowed some level of access or social engineering to his Google account, which in turn allowed the hackers to get a password reset email from Instagram, which gave them full access to his account.

As jasonisalive had written in Hacker News about his company,

“We have no organizational clarity about access privileges. Everyone makes up their own standards. Some people in the company are very strict and won’t do a SIM swap without photo ID or full ID over the phone. Some people will do one if the customer quotes the same last name and could be theoretically the account-holder’s child.”

But these things don’t matter because anyone can easily find out name, DOB and address, and then just make a call to request to change the phone.

“Anyone relying on two-factor authentication with a phone number who uses my company is vulnerable. It would take a determined attacker a day to get control of your number. All you’d notice was that your SIM stopped working. It would all be too late by the time you’d gotten a new one re-activated – and you’re still vulnerable.”

Here the writer talks about his company, which is a telecom provider. He talks about the constant tension between providing a good customer experience and protecting security and privacy, and says that their commission is partly based on customer experience feedback scores.

There are advantages to 2-Step Verification because it adds an extra layer of security to your Google Account, drastically reducing the chances of having the personal information in your account stolen. To break into an account with 2-Step Verification, the hackers would not only have to know your username and password, they’d also have to get a hold of your phone.


Whenever you sign in to Google, you’ll enter your password as usual. Then, a code will be sent to your phone via text, voice call, or our mobile app. Or, if you have a Security Key, you can insert it into your computer’s USB port.

The problem comes with the phone, because service representatives of telecom providers often receive commissions based on customer satisfaction, creating “a constant tension between providing a good customer experience and protecting security and privacy.” Which means a choice between upholding privacy standards and pissing off his customers.

It is not that two-step verification is a total failure; it really does make it difficult for hackers to cross this layer. But to be on the safe side, disable SMS for two-step verification and SMS for password resets. Instead use a two-step mobile app. It is necessary that you disable both, otherwise you are still vulnerable. And as Blakeman said, add a voice authorization code to your account and move all important accounts that allow password reset emails to a different address that does not contain your name.
 

akshay1189

Google's two-factor authentication raises the bar, but still has known risks. It does not protect against:
  1. Malware that steals your cookies
  2. Real-time phishing that asks for a one-time passcode and uses it immediately
Real-time phishing is easier to detect since an attacker needs to access the account before the one-time passcode expires. This has to happen at the same time the legitimate account owner is trying to log in, so there is a better chance to detect the attack as it happens.

With traditional phishing, attackers can collect a list of passwords and use them at some later time. Those could be dispersed to a lot of people and used over a longer period, so may be hard to trace back to the source.
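
The detection opportunity described in the post above, as an added example that is not part of the original thread and not any provider's actual logic: real-time phishing forces the attacker's one-time-passcode submission to overlap with the account owner's own login attempt, so a service can flag accounts whose OTP events arrive from two different sources within a short window. The log format, event names, IP addresses and the two-minute window are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample auth log (not real data): time, user, event, source IP.
SAMPLE_LOG = """\
2014-10-20T09:00:05Z alice password_ok 198.51.100.7
2014-10-20T09:00:21Z alice otp_ok 198.51.100.7
2014-10-20T09:00:58Z alice password_ok 203.0.113.10
2014-10-20T09:01:10Z alice otp_rejected 203.0.113.10
2014-10-20T11:30:00Z bob password_ok 192.0.2.44
2014-10-20T11:30:15Z bob otp_ok 192.0.2.44
2014-10-23T02:12:00Z carol password_ok 198.51.100.99
2014-10-23T02:12:30Z carol otp_ok 198.51.100.99
"""

OTP_EVENTS = {"otp_ok", "otp_rejected"}  # hypothetical event names


def parse(log):
    """Turn log text into time-ordered (when, user, event, ip) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, user, event, ip = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, user, event, ip))
    return sorted(events)


def concurrent_otp_sources(events, window_seconds=120):
    """Alert when one user's OTP events come from two IPs inside the window.

    Returns (user, earlier_ip, later_ip, time_of_later_event) tuples.
    """
    alerts = []
    recent = {}  # user -> [(when, ip)] of OTP events still inside the window
    for when, user, event, ip in events:
        if event not in OTP_EVENTS:
            continue
        history = [(t, a) for t, a in recent.get(user, [])
                   if (when - t).total_seconds() <= window_seconds]
        for _, other_ip in history:
            if other_ip != ip:
                alerts.append((user, other_ip, ip, when))
                break  # one alert per triggering event is enough
        history.append((when, ip))
        recent[user] = history
    return alerts
```

In the sample, only alice is flagged: an OTP accepted from one address is followed 49 seconds later by a rejected OTP from another. The carol entries stand in for a stolen password used later from a single source, which this overlap check cannot see, matching the post's point that delayed use is harder to trace.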
 