Earlier this month, activist DeRay McKesson explained on Twitter that his account had been hacked not because he lacked two-factor authentication (the standard precaution for those who don't want to get hacked) but because the hackers found a way around the text-message codes he relied on for security.

According to a new Wired article, this is just one of the ways SMS-based security fails to really protect you, even if you're not a prime target for faux Trump endorsements.

“SMS is just not the best way to do this,” says security researcher and forensics expert Jonathan Zdziarski. “It's depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.”


This sort of IRL subterfuge (duping a carrier's service rep into handing control of your phone number to someone else, or, if you're a government agent looking to snoop, working in cahoots with a state-owned telecom company) is only one level of attack. Relying on text messages for your two-factor authentication (and you are using two-factor authentication, right?) leaves you vulnerable to semi-sophisticated remote attacks as well.

“SMS has turned that ‘something you have’ into ‘something they sent you,’” says Zdziarski. “If that transaction is happening, it can be intercepted. And that means you're potentially at some level of risk.”

Dedicated hackers can also skip the phone call entirely. A fake cell tower (an IMSI catcher) parked near the target can capture texts sent to a phone that connects to it, and long-known weaknesses in SS7, the global signalling network that connects phone companies to one another, let an attacker reroute a target's text messages from anywhere. Either way, the attacker nabs the code that makes up the second step of a supposedly secure log-in.


So what's an appropriately paranoid modern tech-user to do?

Any two-factor verification system that doesn't rely on SMS messaging is an improvement. Google's recent update aims to make security more palatable by replacing the six-digit code with a simple “yes” or “no” prompt, but it's also much less susceptible to interception, because the approval happens inside the app on your phone rather than arriving as a text message that a carrier, a fake tower or an SS7 reroute could capture. Authenticator apps that generate the code on the device itself, from a secret shared once at setup, avoid the phone network for the same reason. Other in-app systems on Facebook and Twitter allow those accounts to be locked behind two-factor authentication without relying on any outside messaging system.
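The difference between a code that is generated on the device and one that is sent to it is what an authenticator app does in practice. What follows is an added example, not code from the Wired piece or from Google, Facebook or Twitter: a minimal RFC 4226/RFC 6238 one-time-password generator and verifier in Python. The secret, account name and issuer are constructed for the demo (the secret is the RFC's published test value), and the rest of the flow is the generic TOTP design, not any one vendor's implementation.

```python
"""Minimal HOTP (RFC 4226) / TOTP (RFC 6238) generator and verifier.

Added example, not from the article. The shared secret is enrolled once
(via the otpauth:// URI in a QR code) and afterwards never leaves the phone
or the server. Each code is computed locally on both sides from that secret
and the clock, so there is no text message for a SIM swap, an IMSI catcher
or an SS7 reroute to intercept.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password for a given counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current 30-second step (RFC 6238)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either
    side to tolerate clock drift, and compares in constant time."""
    base = int(at_time) // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, base + drift, digits)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that the enrolment QR code carries (the de facto
    Google Authenticator format). Assumed 6 digits / 30 s period."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={b32}&issuer={issuer}&digits=6&period=30")


# Constructed demo secret: the RFC 6238 reference value, ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # The phone computes a code from the shared secret and its own clock...
    phone_code = totp(RFC_SECRET, at_time=59)
    # ...the user types it into the site; the server recomputes and compares.
    print("phone shows:", phone_code,
          "server accepts:", verify_totp(RFC_SECRET, phone_code, 59))
    # A code captured once is useless a few steps later: it never repeats on schedule.
    print("same code accepted 150 s later?", verify_totp(RFC_SECRET, phone_code, 59 + 150))
    print("live code right now:", totp(RFC_SECRET, time.time()))
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleSite"))
```

Note what is absent from this exchange: no third party ever handles the code in transit. The only network hop is the user submitting the six digits to the site over TLS, which is why a SIM swap or SS7 reroute buys the attacker nothing against an authenticator app, even though an attacker who phishes the live code from the user in real time can still use it within the window.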

Of course, it's likely only a matter of time until the hackers figure out how to crack these new systems too. So you might as well go off the grid now.
