Beware Two-Factor Authentication: A True Story
On the first day of my InfoSec class, we learned about the weakest link of information security: the people problem. This seemed like old news to me, because I had heard the whole spiel before; attackers won’t try to take on the front door if a legitimate user unwittingly opens the back door to them.
I laughed along with my classmates when my professor finished his talk with the admission that “people are great, just bad at security.” The point was that information confidentiality and integrity had to be balanced with availability, and that most users favored the latter over the former.
I did not believe I was one of those people.
This changed at 10PM on February 23rd. I received a text message from Verizon congratulating me on purchasing their Total Protection Plan for my phone. This struck me as odd, as my phone is still under AppleCare and I had not authorized any of this. Thinking my parents had enrolled me in the program, I tried calling home from my cell.
Except the phone said I was roaming. This was the moment when I knew something was wrong.
I immediately tried to log into my Verizon account to see what changes were made.
Verizon told me my password had been changed moments before.
I requested an email password reset from Verizon, and went to my Gmail to check. Right at that moment, my devices were all pinging me to tell me my Google account had to be updated due to a changed password.
All I could do was stare at that notification. My roommate says he heard me use more profanities that night than our entire year. I was locked out of my Gmail.
Like most people (I assume), my Gmail is the final barrier to my personal information. It is used for password resets on almost all of my accounts (certainly the big 5 — Amazon, iCloud, Dropbox, GitHub, and my bank accounts). I had just lost access to all of that, presumably to a malicious agent.
After a few seconds of nausea, I found the 10 “backup codes” I had printed out from Google when I set up my account (>10 years ago — talk about a miracle) and used them to regain access to my Gmail. I then changed my password and had it log out of all other sessions. Then, to obey my justifiably flaring OCD, I changed it four more times. I then found the Verizon password reset email, used it to log into my account and noticed that yes, indeed, a new iPhone X had been added to my account. In addition, my iCloud account was now saying my password had changed as well. In a final desperate action I used my iPhone to lock my iCloud account (at the time I’m writing this, my iCloud is still on lockdown).
I called Verizon after changing my Verizon password (five times) and was directed to the fraudulent order resolution area after 30 minutes of dealing with machines that seemed none too pleased at being awoken at 11PM. The Verizon agent froze my account so that no more changes could be made, which I appreciated. However, the agent said he was unable to delete the phones from my account or make changes to them, since they were bought in a Verizon store.
This floored me. As far as what the agent told me, and what I have reconstructed, this is what happened:
- On February 22nd, somebody went to a Verizon store 20 minutes away from my house and used fake identification to pose as my father. This person evidently purchased a new iPhone X on the spot and registered it to my account without confirming any of this with the account holder (Why should they? As far as Verizon was concerned, the account holder was in the store!) and set it up to transfer my data onto this new phone.
- The crook brought the phone home with them, and on the 23rd activated it to the Verizon account the store had conveniently set them up with.
- Then, the crook used whatever information was synced with “my new” device to realize I had a Gmail, and used the “new” phone to authorize a password reset. Once he or she had access to my Gmail, it was a cakewalk to lock me out of Verizon and my Gmail and start attempting to get into my iCloud.
What was most eerie about this is that I felt we were almost in direct competition with the perp as he or she was going through my accounts. I was stuck in a game of catch-up, and for a few intense minutes I was far behind. If I had lost my Google 2-step passwords (or if I hadn’t printed them out in the first place), I would be SOL. After regaining control of accounts and flagging the fake logins with Google, I felt better. By this time, it was already 2AM (somehow) and I basically crashed in bed.
It was not an easy night.
This morning, I found other traces of attempted attacks. Overnight the perps attempted to reset my Microsoft account and Dropbox information, and they almost succeeded, but were foiled when Microsoft put the account changes on hold and Dropbox had a Google Authenticator 2FA. My Google account was apparently still secure, and canceling the account changes was easy.
As proof to you (and myself) that this actually happened, I am including screens of the logs from Google showing the unauthorized phone accessing my Gmail account last night. As a cherry on the cake, I also received an email from Verizon asking me to rate “my” in-store experience from the 22nd.
I believe there were several agents that contributed to this debacle:
Over my 20 years on this planet, I have accrued a web of accounts that are dependent on other accounts. For instance I realized today a Yahoo account I had set up in the 6th grade was still a backup for my current Gmail account. The most important and often-frequented accounts are dependent on my Gmail. So control of an old account provided control of every other major account. This cobweb effect very nearly broke my security on other sites.
Mobile Two-Factor Authentication
I thought this was the ultimate protection. But for most of my accounts, this two-step authentication is the same phone number used for password resets. If someone buys a new phone and links your number to it (which I now realize is much simpler to do than I thought), your security is moot and actually works against you.
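To make the “cobweb effect” and the SMS-reset problem above concrete, here is an added example (not code from the original post) that models each account’s recovery paths as a constructed graph and computes how far a single foothold, such as a phone number moved to a new handset, spreads. Account names follow the post; the exact paths and the “totp”/“u2f” factor names are assumptions.

```python
from copy import deepcopy

# Constructed recovery graph (not the author's real configuration). Each account
# maps to a list of alternative recovery paths; a path works only if the attacker
# holds EVERY factor in it. 'phone' is the SMS number, 'totp' an authenticator app.
RECOVERY = {
    "verizon":   [{"phone"}],              # SMS-only reset; the store never asked for the PIN
    "gmail":     [{"phone"}, {"yahoo"}],   # SMS 2-step/reset, or the forgotten backup address
    "amazon":    [{"gmail"}],
    "icloud":    [{"gmail"}],
    "github":    [{"gmail"}],
    "bank":      [{"gmail"}],
    "microsoft": [{"gmail"}],
    "dropbox":   [{"gmail", "totp"}],      # email reset still needs the app code
}

def takeover(recovery, foothold):
    """Accounts an attacker gains from an initial set of held factors (fixed point)."""
    held = set(foothold)
    changed = True
    while changed:
        changed = False
        for account, paths in recovery.items():
            if account not in held and any(path <= held for path in paths):
                held.add(account)
                changed = True
    return held - set(foothold)

def replace_factor(recovery, account, old, new):
    """Swap one factor on an account's paths, e.g. SMS 2-step -> hardware U2F key."""
    out = deepcopy(recovery)
    out[account] = [(p - {old}) | {new} if old in p else p for p in out[account]]
    return out

def drop_paths_using(recovery, factor):
    """Remove every path relying on a factor, e.g. after deleting an old account."""
    out = deepcopy(recovery)
    for account in out:
        out[account] = [p for p in out[account] if factor not in p]
    return out

if __name__ == "__main__":
    print("phone foothold, as configured:", sorted(takeover(RECOVERY, {"phone"})))
    hardened = drop_paths_using(replace_factor(RECOVERY, "gmail", "phone", "u2f"), "yahoo")
    print("phone foothold after hardening:", sorted(takeover(hardened, {"phone"})))
```

Run as-is, the phone number alone reaches every account that resets through Gmail except Dropbox, which still needs the authenticator code; swapping the SMS factor for a U2F key and deleting the stale backup address shrinks the reach to the carrier account itself.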
They sold a phone to a person that happened to show ID matching the person on the account, without any other level of security. It is clear that such a flaw could be exploited easily. With Verizon, not very much information is necessary to buy or set up a new phone, and the crooks had a friendly, smiley Verizon agent walk them through it. This image is hard for me to shake.
My actions to prevent this from happening in the future:
- Verizon has lost my trust. Even if they couldn’t have done anything to prevent this, I am angry that they are unable to immediately unregister the fraudulent phone from my account. Having my parents go to the physical store to “figure it out” is terrible; the store didn’t open until 11AM on Saturday, which meant the perpetrators have had access for over 12 hours. This is unacceptable. I will be switching providers.
- I will be purchasing a U2F key to use on my Google account, and unregistering my phone. I was utterly crippled by my text-message two-factor authentication, and I want to ensure my Google account is kept safe. Hardware seems to be the answer.
- I removed all extensions from Chrome, deleted all cached passwords on Google Passwords, and did the same for Apple Keychain Access to ensure future breaches will stop at my Google account.
In an effort to make a more generalized checklist of best security practices, I spent the morning thinking of good things to recommend to my family and friends. The list is currently as follows:
Checklist of Security
- Use a U2F key instead of text-message two-factor authentication for all compatible accounts.
- Delete old, unused accounts to reduce the potential “domino effect” of old accounts being used to sign into new accounts. Do not use Google Passwords or Apple Keychains, as these are too easy to have synced to malicious users with access to either account.
- Routinely check phone provider accounts to ensure no fraudulent behavior is occurring.
- If a breach does occur, be ready to have accounts log out of all sessions and change the password immediately.
- Use my personal domain emails to sign into different accounts, and have them all forward to my Gmail. This way my Gmail account isn’t the actual email used for signing into those other accounts.
If there are more items to add here, please suggest them. If I am setting myself up for failure with something above, please tell me as well!
I hope if nothing else this article will demonstrate how an entity that should be secure (your cellphone) can be made to work against you. I believe the hardest work the attackers had to do was get a fake identification. From that point on, the emphasis our informational security protocols have on our data’s availability worked against my confidentiality and integrity.
Over brunch my friends jokingly said this ordeal was probably an exam administered by my InfoSec professor, and their conversation debated whether or not I would have passed. I laughed along, but I see this as a warning to myself: my approach to securing my personal data has been misinformed and flawed, and I almost lost everything.
I sincerely hope this article inspires some to rethink how their accounts are set up. I am grateful for this warning shot; and I hope no one else has to suffer it.
Federal Trade Commission (FTC) article detailing this sort of attack:
The Verizon employee at the store, after being told what had happened to the account, said this has happened before. The crook was able to walk into the store armed with nothing but confidence and a plastic ID. Without confirming account numbers or the PIN Verizon had me set up with my phone number, he “purchased” a new iPhone X, two Apple Watch Series 3, and an Apple tablet.
Verizon’s employees did not make any record of the ID itself, just that it had been checked.
When my father called Verizon to report the fraud, the ‘forensics’ team initially told him that since the Verizon store had “confirmed” the ID, they could not claim the purchase was fraudulent and that we would have to pay off the charges. After a heated discussion, the Verizon ‘forensics’ team backtracked and said that, on second observation, the purchase had happened in Oregon, and therefore could be claimed as fraudulent. When the Verizon employee at the store heard this, he rolled his eyes and said that the company was probably just trying to cover their base. When my dad asked if Verizon would be filing a report for the stolen property, the employee simply replied “that’s what insurance is for… At the end of the day this was just a bad customer experience.” The phone was deactivated by Verizon, and the watches and tablet are probably on the market already.
This is an important development: Verizon does not care that this happens. It has insurance set up for such events, and it has no security check to keep this from happening. Crooks can continue to take advantage of Verizon customers, and Verizon will emerge unscathed.