I Thought 2-Factor Authentication Made Me Untouchable. I Was Wrong.

At 3 AM on a cold morning in December of 2016, I woke up.

This isn’t when I normally wake up. I just really needed to use the bathroom all of a sudden. If you’re like me, though, you can’t walk past your charging phone on the nightstand without glancing at the notifications, even when it’s some ungodly hour and all you can think about is going back to bed.

Unfortunately, what I saw on my lockscreen (and then confirmed in my email) drove me wide awake.

It wasn’t until much later that day, after dozens of frantic phone calls and password resets, that I figured out the entirety of what happened, but here’s the full story:

A person of unknown origin called my cell service provider (T-Mobile), impersonating me, and requested that my phone number be transferred to their SIM card. I presume their excuse was that “my phone was broken.”

Normal T-Mobile policy seems to be that they won’t do this without verifying a one-time code texted to a line on the account. Unfortunately, this person called nearly a dozen times, and eventually they found a service representative who could be convinced to do the swap without that code. (Why they could call again and again without raising a giant red security flag, I couldn’t tell you.)

Quick aside: This is a thing, and it’s officially called SIM-swapping. There are several fraudulent schemes that are apparently performed with this trick; sometimes they use your number to call up numbers that charge by the minute to rack up charges for their business partners at your expense. Unfortunately, my thief had bigger plans.

Now having access to my phone number, they began to systematically break into any online account that they could. As a savvy user of technology, I’ve enabled 2-Factor Authentication (from here on shortened to 2FA) on pretty much everything I can.

Unfortunately, many of those implementations were tied to my phone number, instead of something like Google Authenticator or Authy. Even more unfortunately, I had foolishly thought 2FA was bulletproof, and therefore many of these accounts had old, re-used passwords that had long been leaked through website hacks. So, with access to a big chunk of my 2FA codes and my passwords, they got pretty deep into my accounts.

I had been lazy. And the price of my laziness was nearly $3,000: This attacker gained access to my Circle Pay account, bought themselves a boatload of Bitcoin via my linked debit card, and sent it off into a wallet they controlled. I did eventually dispute this transaction with my bank after a lot of hardship and regained those funds, but it took months, and it was very possible that I would’ve never gotten that money back.

Lessons learned:

  1. SMS/Phone-based 2FA is not to be trusted. Here’s what you should do: Ideally, don’t use any SMS-based 2FA. This is probably impossible for most users who want to use 2FA anywhere they can, since some apps/sites offer it as their only 2FA choice. Semi-ideal: Use as little as possible. Anything you can use some other 2FA method for, do it. Bare minimum: Don’t use SMS-based 2FA for email accounts (which can often be used to get around other security roadblocks) and anything that can be used to digitally rob you. (Important side note: Many services/sites (such as Google’s) encourage you to have as many ways as possible to unlock your account. Having redundancy means more ways to get back in if you get locked out, but also means more potential security holes, as an attacker can use any one method to gain access, as my attacker did via my phone number. So, even if you don’t use SMS as verification for login, make sure your phone number isn’t added as a “just in case” option in your accounts.)
  2. 2FA is NOT an excuse for lazy password management. Not only did I re-use passwords, I often didn’t change those passwords when other sites I had used those passwords on were hacked, figuring 2FA would keep me secure. Needless to say, this was dumb as hell. Change your passwords when sites are compromised, don’t re-use passwords, consider using a password manager, etc.
  3. Keep the whole onion safe. 2FA should be viewed as what it is: One layer of a multi-layer security system. Even 2FA methods you and I believe to be secure may turn out not to be one day; they can potentially be compromised or exploited like anything else, therefore all layers should be kept secure to minimize the chance of disaster. This goes back to my previous point…if I had been steadfastly managing my passwords, I likely would’ve had no issues.
  4. You are the only one who can be trusted to keep yourself safe online. I’m not the only one who has been betrayed via poor customer service rep practices. Take a look at How I Lost My $50,000 Twitter Username for an even scarier example, where the victim arguably didn’t even make major mistakes.

EDIT: 02/12/2018 — I want to quickly add two notes:

  1. You should also make sure you are properly defending the authenticator app that you decide to use. Here’s a quick example of why — Authy had an exploit involving multi-device support at one point (I believe default options now protect against this, but you should seriously consider having a second device as a backup, and you’ll want to know how to lock this down if so). TL;DR — After installing Authy on your other devices, turn multi-device back off to disable future abuse.
  2. Strongly consider using a hardware token if you can. Gmail, for example, now supports several. Your primary email addresses are huge value targets, so I highly recommend looking into them if they’re an option for anything you want to protect. I personally use a Yubikey; it has held up very well despite being attached to my keychain for years.

Thank you for reading. I hope this was informative and I tried to be as thorough as possible, but if you have any questions and/or want to call me a stupid moron for letting this happen (100% deserved) I’m on Twitter at https://twitter.com/TxdoHawk (my DMs are open if you’d prefer to talk in private.)

EDIT: 01/31/2019 — I see SIM-swapping and SMS-based 2FA have been in the news again, notably with Motherboard’s story about cybercriminals exploiting a major backbone of phone networks to intercept texts and calls, so I’m freshening this article up a bit. The main point remains — SMS-based 2FA is horrifyingly insecure!

Also, I (ashamedly) have another reason for bringing this story back in front of eyeballs…my job is being outsourced and I’m looking for new work!

If you have a lead on any good IT Support roles in the NYC area, please let me know! I have a wide range of experience with both remote support and deskside/onsite support, software/hardware break-fix, mobile device support/deployment, and more. Here’s my LinkedIn.

I’d also be happy to do some writing work for you, or just about anything else I can do with my skillset that will pay the rent (Crypto community admin? Proofread your writing? Twitter’s equivalent of a circus clown?) Get in touch, I’m keeping an open mind at this point.

On the internet: Least famous Twitter obsessive. In real life: Stupid, stupid nerd. It's a living.