Update: See also this important followup.
Or: why 2-factor authentication is important, and how to use and misuse it.
This is a really important post, and everyone should read it. There’s even a bonus at the end.
I’ve been using 2-factor authentication since forever now. A while ago, I had horrible security practices – I was basically using the same simple password everywhere “because it didn’t matter and I was lazy”.
Then, someone hacked into Pizza Hut’s website and got to my email. Not fun.
I’ve upgraded my security practices significantly since then. I use a very strong password, coupled with two-factor authentication. Sweet, right?
Well, it turns out there are edge cases.
My chosen method of doing two-factor auth was using SMS codes. Whenever I logged in to a service, a unique code was sent to me via SMS. Well, I recently started using the wonderful Pushbullet chrome extension that lets me send SMS messages from my laptop, and all kinds of wonderful thngs. Problem is: it’s a security hazard, especially when you’re using SMS as your two-factor component.
The whole point of two-factor auth is this: You separate your authentication into two factors: One thing you remember (password), and one thing you have (your phone). An attacker might take possession or guess one of these factors, but it’s much more difficult to simultaneously guess/know your password while having possession of your physical phone.
Using extensions such as pushbullet, or whatever equivalent thing Apple users do, defeats this purpose. If someone hacks into your computer and sniffs your password, they also have access to your phone because it’s synced to the computer. So they basically OWNz you.
So, my solution was to switch to the Google Authenticator app which is the standard solution to the problem I just described. Its purpose is to generate login codes in a secure way, and it is in no way synced to anywhere, so an attacker would still have to have your physical phone in order to use it. Problem solved, right?
Well, yes and no.
So the good news is that this covers most issues and works well most of the time. But, there are caveats. One major caveat is this: in some cases, if your phone is lost or damaged, you are fucked. Since the authentication isn’t based on something like a phone number / SIM card that you can recover if needed, but rather on an app that isn’t backed up anywhere by design … if your phone is lost you just cannot recreate these codes.
There are a few workarounds.
The common workaround is a “backup phone number“. You can enter a friend’s phone number (one that doesn’t use Pushbullet!), so that if your own phone is lost, you can contact your friend and have them help you log in.
Another, argubaly more secure alternative is backup codes. Now, this is rather advanced so I assume 99% of the people who use two-factor auth don’t do this, but you can prepare in advance and print out backup codes that help you login if your phone is lost. I haven’t been doing this systematically until now, but will start using them today on every supported service. Note: depending on your level of paranoia, you should keep this codes somewhere safe from burglars, loss, cats etc.
So, why did I pick today to start using backup codes? Because I was just hacked. Yes, me with all my paranoia… hacked.
What just happened? I don’t really know the full story.
TL;DR – I disabled my 2-factor auth for a few days for technical reasons. A hacker used this time to login into my account.
How do I know I was hacked? Because of this:
I just woke up to find two emails from Google that my account was accessed, one from Safari (which I never use), and another from Android. These emails are normal when you log in from a new device, but these login attempts happened while I was asleep/busy and from a device I never use which is a big freaking warning sign. I’m lucky the attacker wasn’t able to use their access to delete these emails, because otherwise I wouldn’t have known the hack even happened.
Note: The key icon which indicates this is not a phishing attempt, but rather the emails really came from Google. Note: the emails were addressed to “firstname.lastname@example.org” and not “email@example.com” or “firstname.lastname@example.org”, but they were sent to email@example.com – this is a detail that still puzzles me … if anyone can explain this inconsistency, they’ll earn my gratitude.
To summarize this post: Login security is still an unsolved problem. All the details I described above are way too difficult for the average user to bother to understand and follow. Accounts are not safe, but you can significantly upgrade your security by learning and applying some techniques. Stay safe.
P.S – Why did I disable 2-factor auth in the first place?
My primary phone had a malfunctioning GPS device, so I was having it fixed and I was using an alt phone. Before I put my phone in the repair shop, I had to switch my Google Authenticator from my primary phone to my alt one (you must do this for every account/service you use Authenticator with! Remember, you have to have your physical phone with you in order to login!)
The problem was that my alt phone was rather shitty and braindead. After a bit of usage, its charger outlet gave out, and now it can never be recharged again! As soon as I noticed this I made a mental note to myself that I need to keep a little bit of battery in order to move Authenticator apps from my alt back to my primary phone, after I get it back from the shop.
Once I got my primary phone, I realized the repair shop had formatted it completely, despite my explicit instructions (it’s Eline, don’t buy anything there!). Long story short, my alt phone with a working Authenticator was quickly running out of battery as I was trying to switch my Authenticator app to my new App. I was literally racing against time, because if my phone reached 0% battery then I would be locked out of my account. So in this race, I only had time to disable 2 factor auth, because installing the Authenticator app on my new formatted phone took a bit more time than I had battery left. I thought to myself “well, I’ll just turn off 2-factor auth for a few days, it won’t hurt … I have a strong password”. Well, guess I was wrong. In the 3 days since I did that, someone already hacked my account. I don’t know how, I had a working assumption that my laptop was mostly hacker free, but perhaps that’s not the case. In any case, another important thing you should take away (Luckily I already know this) – assume your laptop can be hacked, and don’t keep anything really important on it 🙂
P.S.S – Bonus
For those who survived this post until this point: A new website I just discovered and starting to use is haveibeenpwned.com. You can check if your login information is found in any known major hacking, and get notified on future hacks. Here is how I was pwned:
So, apparently I had an account at Forbes.com (I didn’t even remember this), and this account was haccked on Feb 2014. It’s not really critical to me since I don’t use the same password there, but it’s still nice to know a little bit about known hacks that uncover my details. Are you pwned?