Justin Williams did the right things to secure his PayPal (PYPL) account. And for his trouble he got hacked anyway.
The Denver-based app developer had protected his PayPal account with his mobile number, ensuring that nobody could log in without first entering a random code sent to him via text. And his account at his wireless service, AT&T (T), was itself locked with a passcode separate from his password.
But an attacker kept calling AT&T and eventually got a support representative to ignore the passcode requirement and transfer Williams’ number to a new SIM card. As Williams wrote in his recap, the attacker used that to take over his PayPal account and withdraw a surprisingly low sum: $200 Australian, or about $155.
And that’s how a system meant to keep your money safe could instead leave it in danger — just not as much as if you relied on a password alone.
Your number has to stay your number
But that’s not how phone-based “two-step verification” should work. Your phone number is supposed to stick to the handset in your pocket, ensuring that only you see the text sent to confirm your login and that only you can enter that number at the site asking for the confirmation.
AT&T media-relations vice president Fletcher Cook said in a statement forwarded by a publicist that the carrier’s “various security measures and protocols” weren’t followed this time. He then add: “We are taking additional steps to prevent it from happening again.”
Williams said that after I asked AT&T and PayPal about his case, the carrier offered him “a few months” of service credit and PayPal refunded the fraudulent withdrawal.
AT&T’s competitors Sprint (S), T-Mobile (TMUS) and Verizon (VZ) offer similar secondary-security systems. Sprint’s is mandatory, while T-Mobile and Verizon’s are optional; the former requires you to call in to set up an account verification code, while the latter lets you create an account PIN online.
But if somebody can employ pleasant persuasiveness — “social engineering” — to convince an account rep to transfer a number, you’re not much safer than you were with a password alone protecting your account.
Data breaches can also compromise your account. On Wednesday, the security-research firm Upguard reported that its research director Chris Vickery had found a database of “as many as 14 million” Verizon subscribers — including some account PINs — left accessible online by a contractor.
In a post later that day, Yahoo Finance’s parent firm put the number at 6 million and said the only outsider to view that data was Upguard’s researcher.
SMS can’t be the only “2FA” option
In Williams’ case, AT&T’s mistake intersected with PayPal’s decision to limit two-step verification — sometimes also called “two-factor authentication,” “2FA” for short” — to text confirmations.
The firm once advertised an alternate way to secure a login: using a physical security key or Symantec’s VIP app to generate one-time codes.
You can’t navigate to that option anymore from your account, but a link in an Electronic Frontier Foundation post from December worked Friday morning, allowing me to enable that app to verify my logins. (Tip: When it asks for a “serial number,” enter the “Credential ID” shown in the app.) PayPal publicists did not explain this.
PayPal shouldn’t keep this as an undocumented option — and should support the widely-used Google (GOOG, GOOGL) Authenticator app. But it’s not the only company to assume SMS suffices, as the unofficial Two Factor Auth database shows.
(Besides, wireless numbers are useless on planes and, unless your carrier has sufficiently generous international roaming, when overseas.)
“That is becoming an increasingly practical avenue of attack,” Stephan Somogyi, security product manager at Google, said in a phone interview Wednesday. “You are only as secure as a company’s front-line customer service is trained.”
Google lets you remove a phone number as a two-step verification option once you’ve enabled others, although its online help doesn’t make that obvious. Sign into your account’s security settings, click “2-Step Verification” and click the pencil next to “Voice or text message.”
Thursday, Google announced in a blog post that it would begin pushing users of its G Suite mail and productivity services to stop relying on phones for two-step verification.
Yahoo defaults to phone 2FA too, but enabling “Security Key” login confirmation in its mobile apps will disable that.
But the other alternatives may be worse
The hard-core security advice is not to rely on phone numbers for account verification at all. But the usual alternative, switching to apps like Authenticator that generate login codes in real time or let you confirm a login by responding to a push notification, breaks once you change phones.
You must then associate the new device with the old account somehow. If you don’t have text-based 2FA, you’ll generally need to enter one of the backup codes you were shown and told to print out when you set up two-step verification.
“It is a complete, total and unmitigated pain,” Somogyi said.
A newer option, USB “security keys” that you associate with your account and then plug into a device to confirm a login, keep working as you upgrade devices. But so-called U2F (“Universal 2nd Factor”) keys work in far fewer services and in even fewer browsers — Chrome and Opera are the only ones to support this standard.
Meanwhile, most people’s threat model doesn’t involve determined, personalized attacks. They just need to be more secure than the next random user — and phone-based authentication has the advantage of being free and reasonably simple.
So we may be stuck with it for a while, and the alternative could be much worse. As Somogyi said: “SMS-based two-factor is by far better than not having two-factor at all.”
More from Rob: