Mat Honan’s article from November of last year about the weakness of using passwords for online security details a terrifyingly easy method of bypassing Google’s 2-step verification:
On the consumer side, we hear a lot about the magic of Google’s two-factor authentication for Gmail. It works like this: First you confirm a mobile phone number with Google. After that, whenever you try to log in from an unfamiliar IP address, the company sends an additional code to your phone: the second factor. Does this keep your account safer? Absolutely, and if you’re a Gmail user, you should enable it this very minute. Will a two-factor system like Gmail’s save passwords from obsolescence? Let me tell you about what happened to Matthew Prince.
This past summer UGNazi decided to go after Prince, CEO of a web performance and security company called CloudFlare. They wanted to get into his Google Apps account, but it was protected by two-factor. What to do? The hackers hit his AT&T cell phone account. As it turns out, AT&T uses Social Security numbers essentially as an over-the-phone password. Give the carrier those nine digits—or even just the last four—along with the name, phone number, and billing address on an account and it lets anyone add a forwarding number to any account in its system. And getting a Social Security number these days is simple: They’re sold openly online, in shockingly complete databases.
Prince’s hackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. Two-factor just added a second step and a little expense. The longer we stay on this outdated system—the more Social Security numbers that get passed around in databases, the more login combinations that get dumped, the more we put our entire lives online for all to see—the faster these hacks will get.
It’s extremely easy to get someone’s Social Security number. I don’t know about telephone providers other than AT&T, but the fix for this is easy. You can call AT&T’s customer support and lock your account with a password. The password you create should be strong and unique, and have absolutely no connection to anything else in your life, and thus unavailable for sale on the black market. Once your account is locked with a password, AT&T representatives will refuse to make any account changes whatsoever without the password. If you forget or lose your password, the only way into your account is to go into a brick-and-mortar AT&T store and present a government-issued ID.
Will this solution achieve perfect security? Of course it won’t. Nothing is 100% secure. AT&T representatives might not comply, and government IDs can be forged, but a hacker would have to be much more determined, and would have to carry out the entire operation within a very narrow window, before the targeted account holder is notified and figures out that something is amiss.