Two-Factor Authentication Hacked: Why You Shouldn’t Panic
Two-factor authentication (2FA) is one of the most widely touted advances in online security. Earlier this week, news broke that it had been hacked.
Grant Blakeman — a designer and owner of the @gb Instagram account — woke to find his Gmail account had been compromised and hackers had stolen his Instagram handle. This was despite having 2FA enabled.
2FA: The Short Version
2FA is a strategy for making online accounts harder to hack. My colleague Tina has written a great article on what 2FA is and why you should use it; if you want a more detailed introduction you should check it out.
In a typical one-factor authentication (1FA) setup you only use a password. This makes it incredibly vulnerable: if someone has your password they can log in as you. Unfortunately, this is the setup most websites use.
2FA adds an additional factor: typically a one-time code sent to your phone when you log in to your account from a new device or location. Someone trying to break into your account needs to not only steal your password but also, in theory, have access to your phone when they try to log in. More services, like Apple and Google, are implementing 2FA.
Grant’s story is very similar to Wired writer Mat Honan’s. Mat had his entire digital life destroyed by hackers who wanted to gain access to his Twitter account: he has the user name @mat. Grant, similarly, has the two-letter @gb Instagram account which made him a target.
On his Ello account Grant describes how, for as long as he’s had his Instagram account, he’s been dealing with unsolicited password reset emails a few times a week. That’s a big red flag that someone’s trying to hack into your account. Occasionally he’d get a 2FA code for the Gmail account that was attached to his Instagram account.
One morning things were different. He woke up to a text telling him his Google Account password had been changed. Fortunately, he was able to regain access to his Gmail account but the hackers had acted quickly and deleted his Instagram account, stealing the @gb handle for themselves.
What happened to Grant is particularly worrying because it occurred despite him using 2FA.
Hubs and Weak Points
Both Mat’s and Grant’s hacks relied on hackers using weak points in other services to get into a key hub account: their Gmail account. From this, the hackers were able to do a standard password reset on any account associated with that email address. If a hacker gained access to my Gmail, they’d be able to get access to my account here at MakeUseOf, my Steam account and everything else.
Mat has written an excellent, detailed account of exactly how he was hacked. It explains how the hackers gained access using weak points in Amazon’s security to take over his account, used the information they gained from there to access his Apple account and then used that to get into his Gmail account – and his entire digital life.
Grant’s situation was different. Mat’s hack wouldn’t have worked if he’d had 2FA enabled on his Gmail account. In Grant’s case they got around it. The specifics of what happened to Grant aren’t as clear but some details can be inferred. Writing on his Ello account, Grant says:
So, as far as I can tell, the attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.
The hackers enabled call-forwarding on his cell phone account. Whether this allowed the 2FA code to be sent to them or they used another method to get around it is unclear. Either way, by compromising Grant’s cell phone account they gained access to his Gmail and then his Instagram.
Avoiding This Situation Yourself
Firstly, the key takeaway from this is not that 2FA is broken and not worth setting up. It is an excellent security setup you should be using; it’s just not bulletproof. Rather than using your phone number for authentication, you can make it more secure by using an authenticator app such as Authy or Google Authenticator, which generates codes on the device itself instead of receiving them by text. If Grant’s hackers managed to redirect the verification text, this would have stopped it.
Second, consider why people would want to hack you. If you hold valuable usernames or domain names, you’re at a heightened risk. Similarly, if you’re a celebrity you’re more likely to be hacked. If you aren’t in either of these situations, you’re more likely to be hacked by someone you know or in an opportunistic hack after your password gets leaked online. In both cases, the best defence is secure, unique passwords for each individual service. I personally use 1Password, which is a useful way to secure your passwords and is available on every major platform.
Third, minimise the impact of hub accounts. Hub accounts make life easy for you but also for hackers. Set up a secret email account and use that as the password reset account for your important online services. Mat had done this but the attackers were able to view the first and last letters of it; they saw m••••firstname.lastname@example.org. Be a bit more imaginative. You should use this email for important accounts too, especially ones that have financial information attached, like Amazon. That way, even if hackers get access to your hub accounts, they won’t gain access to important services.
Finally, avoid posting sensitive information online. Mat’s hackers found his address using a WhoIs lookup — which tells you information about who owns a site — which helped them get into his Amazon account. Grant’s cell number was likely available somewhere online also. Both their hub email addresses were publicly available which gave hackers a starting point.
I love 2FA but I can understand how this would change some people’s opinion of it. What steps are you taking to protect yourself after the Mat Honan and Grant Blakeman hacks?
Image Credits: 1Password.