Account Security: Ditch Text Messaging 2FA and Switch To Google Authenticator 2FA

in #security · 8 years ago (edited)

In the wake of the recent hack of Bo Shen, it’s time to take a look at the security of our own accounts. This article will cover two aspects of account security: switching from text messaging Two-Factor Authentication to Google Authenticator and deleting recovery phone numbers from your email accounts.

If you didn’t hear about it, let me give you the basics: it’s believed that a hacker got Bo Shen’s mobile phone account through a tactic known as social engineering. There seems to be a hacking group working together within the Augur community. Here’s an example of how a hacker could get your phone data through this tactic. 

Now many of us might think that Two-Factor Authentication (2FA) using text messages is a good, extra security measure. I know I did. Not anymore. Through researching this, I have come to the conclusion that text messages are not secure at all. If you use text messaging 2FA, I would change it to Google Authenticator 2FA as soon as possible. 

I’ll show you how in the steps below.

Here’s why: hackers can easily gain possession of your cell phone account by calling up your phone provider. They can then have all of your text messages rerouted to a different SIM card. So, basically, they would be receiving your messages instead of you. There are also a number of other ways to intercept text messages either from an electronic device (used by police and NSA) or through hacking. So, what’s the alternative to text messaging 2FA? According to Wired, Google Authenticator is a much better tool. I'll explain why shortly.

Better tools like Google Authenticator or an RSA token prove that possession, by generating a unique code that matches one generated on a web service’s server. It’s a test that, thanks to some clever crypto tricks, doesn’t involve any communication between the two computers. -Wired

On your Gmail accounts, you can switch from text messaging 2FA to Google Authenticator 2FA. You configure the setting in Gmail from a desktop computer, but the Google Authenticator app itself is installed on your smartphone. Here’s the basic process:

1. Download the Google Authenticator app on your smartphone: iPhone or Android.

2. In your Gmail account, go to SETTINGS.
Then go to ACCOUNTS AND IMPORT.
Then OTHER GOOGLE ACCOUNT SETTINGS.
Then SIGN-IN & SECURITY.
Then, under PASSWORD AND SIGN-IN METHOD, click on 2-STEP VERIFICATION.
Choose GOOGLE AUTHENTICATOR.
Follow the instructions to set it up.
After you have set up Google Authenticator, you can delete the text messaging 2FA.

The reason that Google Authenticator is a better tool is that no code is ever sent between Google’s servers and your phone at login time. Both the app and Google’s server compute the same code independently, using a secret that was shared once during setup (the QR code you scan) and the current time, so no code travels over the phone network. Nothing can be intercepted because nothing is being sent.

The other thing you should do right this second is remove your recovery phone number and recovery email address from your Gmail account. Think about it: if a hacker gets control of your phone, all he would need to do is submit a “Forgot Password” request, and then he’d have control of your Gmail account, too. From there, he could take control of any of your accounts that are connected to that email simply by requesting a “reset my password” on those other accounts.

If your phone number is set up as a recovery phone in your gmail account, go and delete it right now. 

It appears that a number of attacks have been carried out recently because recovery phone numbers were exploited. Here’s the CoinDesk article about the hack of Bo Shen: http://www.coindesk.com/hackers-stole-300k-blockchain-investor/

Kraken has issued a more robust method for securing accounts. You can read the full article about what to do here.

The steps I outlined in this article are not to be considered completely fail-safe methods for securing your accounts. These are beginning steps to take for people unaware of what risks phone numbers pose in account security. Social engineering hacking is a big problem right now, so it's best to become aware of the vulnerabilities.

If any of you think using Tutanota or Protonmail (neither of which offers 2FA) for your accounts is a good idea, let me know in the comments below.

On a more personal note, I've received several phishing attempts via text messages recently that were trying to gain access to my gmail account. The most disturbing aspect of this phishing attempt was that the text message was sent from the exact same number as the official Google account. This indicates that the hackers had somehow been able to mask their true location identity. Text messages are really problematic and they should be considered to be scams. 




Shameless plug: I wrote a HOWTO on setting LastPass password manager Duo Personal for out of band MFA to protect Steemit account. Check it out here: https://steemit.com/steemit/@robrigo/security-how-to-how-anyone-can-avoid-losing-access-to-their-steemit-account-with-lastpass-and-duo

ah ok, thanks.

This is an important topic! Thanks for the information!

Personal Privacy is a thing of the past... but for Bitcoin... Paper Wallets.

what about trezor?

Absolutely a possibility for some. I travel a lot... any electronic or hard gadget can be seen on scanners... and you need to plug it into something. A paper wallet is harder to detect and easier to scan on a phone wallet if needed... just my choice, not suitable for all.

Paper wallets in SAFE places are the best backup from what I understand. Trezor was also recommended to me by someone trusted who knows a ton more about all this stuff than I do.

I think this post of yours today is a very very valuable source of info and the dialogue inside it by people is going to contain a ton of (lol) gold standard-nuggets of info (:

After reading about Bo Shen, I realized that I had some really naive assumptions about phone numbers. I also didn't know that social engineering was a big issue, RIGHT NOW. I read that there are 10 people who have been hacked via their mobile phones recently. Big accounts, too.

When I joined here, you were one of my heroes LOL.

Saying that and knowing you see a lot goes on here. You are a #SteemitQueen of info and knowledge.

If @charlieshrem puts up a post like he did about HIM being hacked and losing $1000's, as per his post last week (I am sure you saw, as the #SQ), and you bring up similar concerns... basically, as I stated in his post, if it happens to him, it can happen to any of us. It is

SOBERING

.... to know such things.

It is nice hearing from you.

thanks for your compliments. yeah, i saw that charlie shrem post.........

Thanks @stellabelle. This is a valuable post. Resteemed.

Also, please, please, please use password management software like 1Password. I have two friends who have already "lost" their Steemit account because they wrote their password down somewhere and can't find it.

i'm so paranoid that using password managers feels insecure to me.......

Alternatives are orders of magnitude worse. I know people who derive passwords themselves, reuse passwords, etc, etc. All a really bad idea. As a programmer, I understand encryption. I trust it when it's done correctly. That's why I like 1Password. I don't use a centralized server and the only thing shared is an encrypted file on dropbox. The Chrome plugin has to decrypt things every time it's activated. The smart phone apps also use strong encryption. Using a password manager is a security best practice.

what if someone gets control of your password manager though?

I see that as the same level of risk you take for your computer security in general. If, for example, they can access your computer directly, they could install a key logger and capture all your passwords as you use them anyway. Good password managers are always encrypted until you're in the act of using them. Also, using disk encryption is key as well, so even if they stole your laptop, the disk itself is encrypted (on top of the password manager data file being encrypted). The software itself has internal checks to ensure it hasn't been tampered with. For example, every time the software updates, you'll have to restart your browser because the plugin no longer matches exactly with what is expected.

But hey, do what you want. I'm not a salesman for them or anything. I just care about a secure Internet. Some systems like Lastpass have centralized servers which do increase the risk. That's why I prefer 1Password. Your concerns aren't unwarranted, but the alternatives (password reuse, storing your own "password file" somewhere, trying to create passwords you can remember, etc) are all much worse from a security perspective.

If interested, google "why should i use a password manager" and read on.

Loving your input, followed Luke.

I knew this thread would be a beauty like I said, for finding nuggets in the comments (:

Thanks an awful lot for writing this how-to guide. Upvoted and resteemed.

I've spent the last two days absolutely freaking out over this stuff.
I didn't understand the vulnerabilities of smart phones until now.

Well, I and many others are glad you've shared what you learned. It is scary when you realize how vulnerable Internet-connected devices can be. I would have been a bitcoiner in 2011 had I not gone into "nerd fright" when I learned about keylogger malware.

the identity issue really needs to be resolved.

Eventually, it will. The sad part about life on the frontier is that a lot of learnings are learned the hard way.


By the way, that's why frontiersy societies are full of "dogma": i.e., "Don't do that!" followed by "And don't ask stupid questions!"

what's a "frontiersy" society? A new, cutting-edge one?

To answer your latest question, in a way that gets around the too-much-nesting block:

what's a "frontiersy" society? A new, cutting-edge one?

In a sense, yes. In a nation of settlers, frontiers were cutting-edge in that they were the forerunners of new cutting-edge geographical developments.

I use "frontier" as an analogy because the cryptocurrency world ain't kind to the sheltered.

Correct, well said.

This is really important. I think a big problem is those services that don't give you the option of an authenticator app.

Yeah, I agree. Not all providers give you that. Also, I wonder what the process is for new sign-ups on Steemit?

It uses a mobile phone to register (as you can see here) but that is for registration. I'm not sure if it is used again after that (e.g. for password recovery).

Upvoted.

I am still learning a lot about things like this and with where things are headed. I know for a fact, I don't trust Google and companies like it that have been exposed as causing harm to humanity, but look in the daily narratives like they care.

They don't.

Let's ask Edward Snowden how he feels about them again.

I learned about the IMSI scanners yesterday, the ones that intercept all cell phone transmissions. Pretty freaking scary.

It is a proven fact in Canada - they are using #Stingray technology to intercept transmissions and spy on regular people.

#PoliceState

As much as I hate the Google -- here is absolute proof of the fact in #Canadastan --- and I have had personal/activist dealings with SEVERAL of the agencies named on this search proving same. Including the #CCLA - the Canadian Civil Liberties Association who was involved when I was politically banned from my own city hall for calling out lies and Corruption and secret meetings and naming names and file names/numbers.

My public policy work as a whistleblower and activist for the people is documented online also, so I am not just a keyboard warrior LOL.

https://www.google.ca/webhp?sourceid=chrome-instant&rlz=1C1PRFC_enCA553CA554&ion=1&espv=2&ie=UTF-8#q=stingray%20cell%20phone%20canada

But the encrypted email providers like Tutanota don't have 2FA, right?

I looked briefly at Protonmail this week like you mentioned and TBH invested several hours and pages of notes last year looking into encrypted providers like you mentioned today, the top ones, maybe a dozen of them.

I have not invested much time in it since. Frankly I have a lot of distrust in a lot of the corporate structure and tech today and like you -- with good reason sister.

well, Tutanota and Protonmail are known encrypted email providers. Tutanota is based in Germany and Protonmail I think is in Sweden. Using encrypted email makes a lot of sense actually. I've tried both, and they are pretty good.

This post has been ranked within the top 50 most undervalued posts in the second half of Dec 08. We estimate that this post is undervalued by $12.84 as compared to a scenario in which every voter had an equal say.

See the full rankings and details in The Daily Tribune: Dec 08 - Part II. You can also read about some of our methodology, data analysis and technical details in our initial post.

If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.

One of the many reasons why I don't have a smart phone. Thanks for the tips though, as I think it's about time to delete all of my subscriber and social media accounts in order to protect my passwords.

OTP Auth is open source!

It's not offered on many services though is it?