How to secure your online accounts the wrong—and right—way

March 16, 2021, 8:31 PM UTC

Who among us hasn’t been hounded to adopt two-factor authentication?

You know the drill: This security feature requires people to enter an additional code, beyond the usual password, when logging in to online accounts. On that front, I come bearing good news and bad news.

First, the good news: If you are one of the many people who uses 2FA, as the hippest people abbreviate the defensive measure, good on you. Frequently, that means juggling a phone while attempting account logins; it’s a small price to pay for the added protection and peace of mind. Congratulations, 2FA-ers, you are ahead of the game.

Now for the bad news. Many people who implement 2FA opt, for the sake of convenience, to receive text message-based confirmation codes. That means a service will shoot a text message containing a short passcode to a phone number on file—ideally, one possessed by the account holder. The recipient then may enter that temporary passcode on a secondary log-in screen to gain access to the account in question.

Sounds simple enough, right? Well, there’s a problem. Text messaging is a far less secure method of authentication than other options. I know I just congratulated some of you for using 2FA. But now—surprise twist—I’m here to shame some of you. Keep up!

Text messaging has long had big security holes. Sometimes hackers take over other people’s phone numbers by bribing or deceiving telecom workers into reassigning a victim’s number to a SIM card the attacker controls, a trick called “SIM swapping.” Savvy spies can also exploit weaknesses in SS7, or Signaling System 7, the back-end signaling protocol that carriers use to route calls and text messages between networks, which lets them intercept messages, tap calls, or track a phone’s location.

Now add another flaw to the list. Joseph Cox, a security reporter at Vice Motherboard, recently granted a security researcher, the chief information officer for anti-phone hacking firm OkeySystems, who goes by the moniker Lucky225, permission to hack his accounts using a novel method. Lucky225 paid a marketing company, one that enables mass texting campaigns for businesses, to reroute messages bound for Cox to another phone. For a mere $16, Lucky225 could intercept Cox’s codes and use them to crack open his accounts.

For a technical explanation of the hijacking technique, you can read Lucky225’s own write-up here. Suffice it to say, his takeaway is that “it’s time to stop using SMS for anything.”

I’m here to tell you that you should still use two-factor authentication. But, please, do yourself a favor and opt for app-based codes—or, better yet, hardware security keys—wherever possible. To quote Eva Galperin, the Electronic Frontier Foundation’s cybersecurity director: “I would really like it if companies stopped implementing SMS 2FA now and required either app-generated codes or physical keys. Just sayin’.”

Personally, I recommend using Authy, a Twilio-owned app that lets you manage accounts and backups across multiple devices. I have only good things to say about the service. And for the real go-getters, I recommend Yubico’s YubiKey products, security fobs that obviate the need for secondary code-entry altogether. How nice is that?
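As an added illustration, not part of the original column: the app-generated codes recommended above are time-based one-time passwords (TOTP, RFC 6238). The service and your phone share a secret at enrollment (the QR code you scan), and each code is an HMAC of that secret and the current 30-second time slot, so no code ever travels over the carrier network for anyone to reroute. The snippet below is example code written for this page using only Python’s standard library and the RFC’s published test secret; the function names and the drift-window verifier are its own, not any app’s code.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# Used here purely as constructed sample input; a real secret is random.
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(provisioning_secret: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// URI / QR code."""
    s = provisioning_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding many issuers strip
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time slot."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` time steps of clock drift.

    Uses a constant-time comparison so response timing leaks nothing about
    how many leading digits of a guess were right.
    """
    if len(code) != digits or not code.isdigit():
        return False
    slot = at // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, slot + drift, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # What an authenticator app shows right now for the test secret.
    now = int(time.time())
    print("current code:", totp(TEST_SECRET, now))
    # Server accepting it despite a phone clock 30 s slow.
    print("verifies with drift:", verify_totp(TEST_SECRET, totp(TEST_SECRET, now), now + 30))
```

The code is derived entirely on the device from the shared secret and the clock; a marketing firm that can redirect your texts, or a SIM swapper who now holds your number, receives nothing. The remaining risk moves to the secret itself, which is why Authy-style cloud backups should be protected with a strong backup password, and why a phishing page that relays a freshly typed TOTP in real time still works, the gap hardware keys close.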

Whatever you do though, just don’t be like this author, a former Google Authenticator user, who once lost access to his accounts after getting a new phone. ‘Twas a grueling experience I plan never to repeat.

Robert Hackett

Twitter: @rhhackett

robert.hackett@fortune.com

NEWSWORTHY

When Apple falls far from the tree. Piling on top of the SMS concerns above, users of Apple's FaceTime video chat are reportedly getting bombarded with spam calls. If you're a target of these nuisance calls, you can turn off FaceTime in iOS settings—but, be warned, that will block calls you may want to receive too. Meanwhile, Apple's latest early code release—that's iOS 14.5, "beta" version 4—suggests the company is trying to figure out how to separate security updates from the usual mobile software upgrades.

When no one knows you're a dog. Facebook-owned Instagram just got a little safer. The photo-sharing app has added some new features designed to discourage unwanted interactions. For one thing, adults will no longer be able to direct message teens who don't "follow" them. For another, teens will be shown "safety prompts" urging them to "be careful" when messaging adults who have been “exhibiting potentially suspicious behavior”; teens will also be offered the option to report or block those adults.

Light a match. Like Instagram, Tinder, the Match Group-owned dating service, is taking safety a bit more seriously too. The service is adding a background check feature in the U.S. as a perk for paying customers. The company has partnered with Garbo, a startup in which it earlier invested, to offer the public records-checks. The move follows Tinder's addition of a "panic button" for alerting emergency services in the event of a date-turned-crisis in Jan. 2020.

Hillbilly-onaire Elegy. Billionaire investor Peter Thiel is pouring $10 million into a political action committee that backs J.D. Vance, a former aide to the PayPal cofounder. Vance, a venture capitalist and author of the memoir Hillbilly Elegy, is mulling a run for an Ohio Senate seat that is slated to be vacated by retiring Republican Sen. Robert Portman. The contribution dwarfs Thiel's $1.25 million contribution to former President Donald Trump's 2016 campaign.

Dinged by Jinping. Chinese President Xi Jinping is demanding that the country's regulators crack down on the Internet economy, namely by putting the squeeze on "platform" companies who wield tremendous market power. Alibaba has been the main target of the state's actions so far; as if on cue, the company's web browser recently disappeared from Huawei and Xiaomi app stores. (Perhaps relatedly, the encrypted messaging app Signal recently became unusable in mainland China.) The Communist Party is apparently setting its sights next on companies like Tencent, which lost $62 billion in value this weekend as fearful investors sold shares.

Escape Zoom.

FOOD FOR THOUGHT

In January 2013, Google got off easy. Antitrust regulators chosen by former President Barack Obama opted not to sue the search giant, despite compiling ample evidence of the tech company's competition-harming abuses. As President Joe Biden and his regulators gear up to take on the monopolies of Silicon Valley almost a decade later, Politico is revisiting the misguided rationale behind the government's earlier decision.

The [Federal Trade] commission has never disclosed the full scope of its probe nor explained all its reasons for letting Google’s behavior slide.

But 312 pages of confidential internal memos obtained by POLITICO reveal what the FTC’s lawyers and economics experts were thinking—including assumptions that were contradictory at the time and many that turned out to be incorrect about the internet’s future, Google’s efforts to dominate it and the harm its rivals said they were suffering from the company’s actions. The memos show that at a crucial moment when Washington’s regulators might have had a chance to stem the growth of tech’s biggest giants, preventing a handful of trillion-dollar corporations from dominating a rising share of the economy, they misread the evidence in front of them and left much of the digital future in Google’s hands.

IN CASE YOU MISSED IT

Biden plots tax hikes on corporations and high-earners to fund ambitious infrastructure plan by Rey Mashayekhi

Stripe loses ex–Goldman Sachs exec to corporate card startup by Robert Hackett

Starbucks CEO Kevin Johnson says the pandemic has strengthened the company by Alan Murray

Volkswagen aims to knock Tesla out of top spot by 2025 in major EV push by Christoph Rauwald

Israeli startup raises $18.5 million to train A.I. with fake data by Jeremy Kahn

Where will vaccine passports actually take us? By Clay Chandler

(Some of these stories require a subscription to access. Thank you for supporting our journalism.)

BEFORE YOU GO

If the San Francisco Bay Area is Silicon Valley, then Taiwan may as well be Silicon Summit. The country, as CNBC points out, accounts for more than 60% of the market share for the global semiconductor foundry business, meaning the manufacturing of much in-demand (and out-of-stock) computer chips, per estimates by TrendForce, a Taipei-based research firm. TSMC, also known as Taiwan Semiconductor Manufacturing Co., which counts Apple, Nvidia, and Qualcomm among its customers, is the world's biggest such foundry, raking in more than half the global market's total revenue.

I guess that explains my preference for pairing iPhone with a piping-hot cup of yummy, high-mountain oolong.
