
Two-factor authentication (2FA) is one of the most widely touted advances in online security. Earlier this week, news broke that it had been hacked.

Grant Blakeman — a designer and owner of the @gb Instagram account — woke to find his Gmail account had been compromised and hackers had stolen his Instagram handle. This was despite having 2FA enabled.

2FA: The Short Version

2FA is a strategy for making online accounts harder to hack. My colleague Tina has written a great article on what 2FA is and why you should use it; if you want a more detailed introduction you should check it out.

In a typical one-factor authentication setup (1FA) you only use a password. This makes it incredibly vulnerable; if someone has your password they can log in as you. Unfortunately, this is the setup most websites use.


2FA adds an additional factor: typically a one-time code sent to your phone when you log in to your account from a new device or location. Someone trying to break into your account needs to not only steal your password but also, in theory, have access to your phone when they try to log in. More services, like Apple and Google, are implementing 2FA.


Grant’s Story

Grant’s story is very similar to Wired writer Mat Honan’s. Mat had his entire digital life destroyed by hackers who wanted to gain access to his Twitter account: he has the user name @mat. Grant, similarly, has the two-letter @gb Instagram account which made him a target.


On his Ello account Grant describes how, for as long as he’s had his Instagram account, he’s been dealing with unsolicited password reset emails a few times a week. That’s a big red flag that someone’s trying to hack into your account. Occasionally he’d get a 2FA code for the Gmail account that was attached to his Instagram account.

One morning things were different. He woke up to a text telling him his Google Account password had been changed. Fortunately, he was able to regain access to his Gmail account but the hackers had acted quickly and deleted his Instagram account, stealing the @gb handle for themselves.

What happened to Grant is particularly worrying because it occurred despite him using 2FA.

Hubs and Weak Points

Both Mat’s and Grant’s hacks relied on hackers using weak points in other services to get into a key hub account: their Gmail account. From this, the hackers were able to do a standard password reset on any account associated with that email address. If a hacker gained access to my Gmail, they’d be able to get access to my account here at MakeUseOf, my Steam account and everything else.

Mat has written an excellent, detailed account of exactly how he was hacked. It explains how the hackers gained access using weak points in Amazon’s security to take over his account, used the information they gained from there to access his Apple account and then used that to get into his Gmail account – and his entire digital life.

Grant’s situation was different. Mat’s hack wouldn’t have worked if he’d had 2FA enabled on his Gmail account. In Grant’s case they got around it. The specifics of what happened to Grant aren’t as clear but some details can be inferred. Writing on his Ello account, Grant says:

So, as far as I can tell, the attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.

The hackers enabled call-forwarding on his cell phone account. Whether this allowed the 2FA code to be sent to them or they used another method to get around it is unclear. Either way, by compromising Grant’s cell phone account they gained access to his Gmail and then his Instagram.

Avoiding This Situation Yourself

Firstly, the key takeaway from this is not that 2FA is broken and not worth setting up. It is an excellent security setup you should be using; it’s just not bulletproof. Rather than using your phone number for authentication, you can make it more secure by using Authy or Google Authenticator. If Grant’s hackers managed to redirect the verification text, this would have stopped it.

Second, consider why people would want to hack you. If you hold valuable usernames or domain names, you’re at a heightened risk. Similarly, if you’re a celebrity you’re more likely to be hacked. If you aren’t in either of these situations, you’re more likely to be hacked by someone you know or in an opportunistic hack after your password gets leaked online. In both cases, the best defence is secure, unique passwords for each individual service. I personally use 1Password, which is a useful way to secure your passwords and is available on every major platform.


Third, minimise the impact of hub accounts. Hub accounts make life easy for you but also for hackers. Set up a secret email account and use that as the password reset account for your important online services. Mat had done this but the attackers were able to view the first and last letters of it; they saw m••••. Be a bit more imaginative. You should use this email for important accounts too, especially ones that have financial information attached, like Amazon. That way, even if hackers get access to your hub accounts, they won’t gain access to important services.

Finally, avoid posting sensitive information online. Mat’s hackers found his address using a WhoIs lookup — which tells you information about who owns a site — which helped them get into his Amazon account. Grant’s cell number was likely available somewhere online also. Both their hub email addresses were publicly available, which gave hackers a starting point.

I love 2FA but I can understand how this would change some people’s opinion of it. What steps are you taking to protect yourself after the Mat Honan and Grant Blakeman hacks?

Image Credits: 1Password.


  1. Kai M.
    November 14, 2014 at 4:19 pm

    Too true Harry, people are always the biggest problem in any security scenario. It reminds me of that old computer quote:

    "The only truly secure computer is one buried in concrete, with the power turned off and the network cable cut."

    • Harry
      November 15, 2014 at 1:19 pm

      Hey Kai, exactly! As soon as there's even the smallest hole to get through the whole system is weakened immeasurably. If someone is determined enough and goes after you in a targeted attack, there is almost nothing you can do. It's not a question of if, it's a question of how much will it cost them and, if they can afford it, when.

  2. Kevin Dethlefs
    November 14, 2014 at 6:02 am

    I'd be curious on the legal recourse against the phone company he has. They allowed themselves to be socially engineered. I'd certainly write a letter to have corporate investigate what happened and if any policies were broken. Far too many times does the human element bite the actual humans in the rear.

    • Harry
      November 14, 2014 at 12:24 pm

      I'd be curious too but I'm not sure there's a lot he can do. Even when they stick to policies these things are possible. But yes the problem with everything is always people! If you want something secure put it in a hole and fill it with concrete. It's only when you need a door to get to it that you have problems!

    • dragonmouth
      November 14, 2014 at 2:59 pm

      "the problem with everything is always people!"
      The only sure way of two people keeping a secret is for one of them to be dead. :-)

    • Harry
      November 15, 2014 at 1:17 pm

      @dragonmouth It's even easier if both are dead!

  3. Berny
    November 14, 2014 at 1:25 am

    That's the problem with SMS verification. If you want to be secure you really need to be using an authenticator app. If you use the Authy app for 2FA (Android) you can even put a PIN on it, so even if your phone is stolen they can't get to your OTPs without cracking that PIN first.

    • Harry
      November 14, 2014 at 12:22 pm

      Hey Berny,

      I think they may have just used the phone to impersonate Blakeman and get around 2FA that way rather than intercept the code. If they did that then even Authy wouldn't have helped!

  4. Paul Moore
    November 13, 2014 at 2:17 pm

    Hi Harry. How it happened doesn't really matter, it's that it's possible without "having" the phone.

    Here's a flow diagram & explanation of the difference... published a couple of months before this attack happened.

    True "factors" are independent of each other. If you have to supply a factor to obtain a second 'factor', it's a multi-step process rather than multi-factor.


    • Harry
      November 14, 2014 at 12:25 pm

      Thanks for the clarification Paul! Though could it not still be two factor and use a phone? I think 2FA was disabled/ignored by a customer service rep and the phone forwarding was to prove that rather than intercept the code. If the company simply ignores their own security procedures they're not very good security procedures but in theory it's still two factors?

    • Paul Moore
      November 14, 2014 at 1:56 pm

      A phone can be a second factor through the use of Google Authenticator/Authy or similar. The difference being, the crypto seed (used to generate the OTP) is actually on the device itself, making it "something you have". Combined with your existing password (something you know), that's 2 of 3 factors... so can be called 2FA or multi-factor authentication.

      It's slightly confusing at first, because a phone (with crypto seed, not SMS and thus a second factor) can be used during a 2SV process. It doesn't matter if you use an email/SMS-based OTP (1FA) or a device (phone/smartcard/yubikey etc) (2FA), the process remains 2SV.

      Take DigitalOcean for example. That is, by definition, true 2FA. You're required to enter an OTP every time you sign in, and you must "have" the device which stores the crypto seed necessary to generate an OTP; in much the same way you need your ATM card and your PIN every time you want to withdraw money.

      As is so often the way though, it's revocation which undermines the entire process. As part of the 2FA enrollment process, you're required to provide an SMS number so DigitalOcean can remove 2FA and allow you to sign in, should you lose your phone. In much the same way that "security questions" undermine a strong password, an attacker isn't going to worry about 2FA if they're able to intercept your SMS and pretend you've lost your device.

      In reality, 2FA and 2SV reduce risk, but in terms of actual security and resilience against a targeted attack, they don't add much.

  5. Paul Moore
    November 13, 2014 at 2:02 pm

    He didn't have 2FA enabled Harry, it was 2SV or two step verification.

    They are entirely different. Had it been 2FA or "something you have", the phone would need to be stolen to carry out the attack. Intercepting/re-routing the SMS is proof that far from being something you have, it's something you know... which is multiple steps of a single factor, hence two-step verification.

    • Harry
      November 13, 2014 at 2:06 pm

      Hey Paul, that's an interesting distinction and I'm still not sure which way it falls. There's no proof the message was rerouted. Far more likely in my mind is that they used the redirected phone number to socially engineer (lie) their way into his account. Otherwise it's odd that he got the "your password was reset" text but not the code, unless the redirection was only in place for a short while.

      • miro
        November 12, 2016 at 6:32 pm

        I found it by accident. I just bought a new phone (I have used 2-step verification from day 1!), so when I set it (the new phone) up it just happened - my Google account was set up, I have *full* access to everything, but all of that without the 2-step verification playing the role it should. I will not reveal the model of the phone... So, that could be the same, no social engineering etc... I have hacked myself using just a phone and obviously a glitch in the 2-step verification on Google.