SMS Two-Factor Authentication Isn’t Secure: Do This Instead

“Someone is in my email, my Robinhood account, and I don’t know what else.” That’s how my pastor started a phone call on a recent Saturday. Not only had attackers gotten into his accounts and begun to move money, but they had bypassed two-factor authentication.

He was lucky to have spotted it before Monday at all. He began to get trade notifications from Robinhood — not unusual– except that he had just switched his trading app, so there were not enough funds for the trades to go through. When the trades failed, the attackers moved to transfer money through ACH, out of his account and into theirs. Fortunately, he was able to get ahold of someone at Robinhood and stop that.

It took a little bit longer to get back to an email. The bad guys had gotten in completely bypassing his two-factor authentication, or so it seemed. Oddly, they did not change the password or the phone number associated with two-factor authentication. He probably would not have gotten back into his Hotmail account if they had. This would be a crisis in and of itself, virtually every website ever allows you to reset passwords with your email address. If an attacker owns your email account, they can get into nearly any website where you have an account.

It’s impossible to overstate the potential for harm:

• The attackers could have gotten into his new investment platform and moved money from his bank account, through the platform, to their own 
• Attackers could have gotten into any of his online shopping accounts and begun to purchase items and have them shipped to themselves.
• The attackers could have unlocked his credit and, from there, applied for credit cards, loans, car leases, etc., in his name. He really was fortunate, maybe blessed, that none of these things happened. (I have a story for another day of a friend who was not so lucky.)

This is your sign of strengthening the security of all of your online data by using more than two-factor authentication. Give JM Addington a call today to have all your business and personal data secured.