7 ways I can attack you if you don’t use U2F.

If you use SMS instead of U2F…

Attack #1: Retrieving codes by attacking voicemail systems

Martin Vigo’s talk on attacking voicemail systems


  1. Don’t have phone-based account recovery on any site.
    For WhatsApp, you can’t avoid this, so you’ll need to enable the two-factor WhatsApp PIN setting.
  2. Call your carrier and disable voicemail. If you don’t want to disable voicemail, at least set a voicemail PIN if you haven’t already.

Attack #2: Phone porting

SMS-based account recovery on Gmail


  1. Call your carrier and set a customer support PIN or passphrase while on the phone with the representative. Any future caller claiming to be you can only make changes to your account if they provide the correct PIN/passphrase over the phone.
  2. Tell your carrier to lock your phone number to your SIM card, and to reject all requests to port your number to another SIM.
  3. Instead of ever using your real phone number, use Google Voice or Google Fi. There are virtual phone numbers which can’t be ported, and have the same authentication protections as a Google account.
  4. Set a voicemail PIN or call your carrier and disable it entirely.

Attack #3: Intercepting texts and calls via fake cell towers

BlackHat demo of spoofing a cell tower

If you use an authenticator app (Duo, Google Authenticator, etc.) instead of U2F…

Attack #4: Multi-Device Support


  1. Disable multi-device support in your authenticator app.

Attack #5: Shoulder-Surfing for your Seed

Example QR code scanning for authenticator app

Attacks that work on both SMS and authenticator apps…

Attack #6: “Real-Time” Phishing

An example of real-time phishing from FireEye’s “ReelPhish” tool. The consultant is the attacker.
Real-time phishing tool Modlishka


  1. Always double-check the URL of any site to which you provide your password.

Attack #7: Mobile malware


  1. Be cognizant of what applications you run on your phone.
  2. Limit the permissions you give applications installed on your phone.

Why is U2F better?

What gets signed by a U2F device.

Use U2F as your second-factor for sites that support it, and never worry about getting phished on that site again.




Building something new! Bitcoin, security, mining. Former early @Gemini.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

WriteUps @ FireShell

Suppliers Have Procurement Cycle Risk, Too


What is identity verification? And why is it necessary?

Aleo. 1st part

The State of OSWE

Endpoint detection Superpowers on the cheap — part 3 — Sysmon Tampering

Use Mailfence for Encrypted email notifications from Facebook!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Brandon Arvanaghi

Brandon Arvanaghi

Building something new! Bitcoin, security, mining. Former early @Gemini.

More from Medium

I Too Want a Key Collection — OSINT Challenge 15

Crypto security tips you must know!

They Know What You Searched On Incognito: How VPNs Collect Your Data.

2022.04.25 Weekly Note