You’re Implementing This Basic Security Feature All Wrong
You’ve created different passwords for all your online accounts and set up a password manager to remember them all. You’ve also changed your passwords after all the recent hackings and implemented two-factor authentication, a tool that provides extra protection against breaches by requiring a second login code that is sent to your smartphone, for example, each time you sign on.
Nice job! This is the closest thing to hacker-proof you’ve ever been, right?
Hold the phone—literally. Because that last measure—two factor authentication—may have several vulnerabilities. The flaws here have to do with the way many Internet companies send security codes to your phone as part of the two-factor authentication process, as Wired points out.
Texts, or SMS messages, are not the ideal way to convey such information. Attackers can compromise your text-based two-factor authentication in a few ways.
Get Data Sheet, Fortune’s technology newsletter.
First, they can do it through social engineering—in other words, by calling your mobile service provider and asking them to redirect messages normally delivered to your phone to one containing a different SIM card. You can help block this by calling your provider and asking to set up a PIN code on your account, where applicable.
Second, attackers can intercept messages using a device called an IMSI—or international mobile subscriber identity—catcher. The machines are not cheap, sure—but hey, maybe your enemies are well off?
And third, hackers can exploit weaknesses in the protocols that allow telecom carriers to exchange data between networks. That became clear earlier this year after 60 Minutes aired a segment on Signaling System 7, one such vulnerable protocol.
The good news: there are alternatives. Instead of using a two-factor process tied to your mobile device’s SMS, consider downloading and implementing a separate two-factor authentication app. These apps generate random numbers on your device—time-based one-time passwords—that are coupled with your online accounts. Examples include EMC-owned (EMC) RSA SecurID, or Google (GOOG) Authenticator.
For more security advice, watch:
Now I know what some of you are probably thinking: this level of security must just be for the paranoids. Well, maybe.
Security is a risk based decision. But if you would like to be proactive, go ahead and make the change where you’re able. In this humble reporter’s opinion, it’s worth staying ahead of the attack curve when possible. Because when the lions approach, you don’t want to be the straggler left sipping at the watering hole.
This isn’t just a theoretical weakness, after all. Black Lives Matter activist DeRay McKesson had his Twitter (TWTR) account taken over, apparently by a hacker who duped someone at Verizon (VZ) into authorizing a fraudulent SIM card. Political activists in Russia and Iran have had their Telegram accounts hijacked. Even Lorrie Cranor, chief technologist of the U.S. Federal Trade Commission, got scammed.
If you’re an online business, here’s the takeaway: offer your users a non-SMS two-step login method. Besides, you might be keeping privacy-conscious users—ones who don’t wish to part with their phone numbers—from protecting their accounts.
For the rest of the Internet’s denizens: if you haven’t set up two-factor authentication, do! Even in the absence of an app-based option, you still should. SMS-based two-factor authentication is better than nothing.