There’s a better way to protect yourself from hackers and identity thieves
Authenticator apps like Google Authenticator might seem intimidating, but they’re easy to use and safer than texts. | S3studio/Getty Images
If you’re using texts for two-factor authentication, it’s time to change to an app. Here’s what you need to know.
When people ask me for security tips, I give them the basics. One is a strong and long password with upper and lower case letters, numbers, and special characters. (No, “Passw0rd!” is not good enough.) Each password should also be unique to each account. (We love a good password manager!) And always use two-factor authentication, or 2FA. (Don’t be like me, who didn’t have 2FA on her bank account until a hacker wired $13,000 out of it.) But the type of 2FA you use is also increasingly important.
Text-based 2FA, where a text with a six-digit code is sent to your phone to verify your identity, is better known and better understood because it uses technology most of us use all the time anyway. But it’s a technology that wasn’t meant to serve as an identity verifier, and it’s an increasingly insecure option as hackers continue to find ways to exploit it.
That’s why I recommend using an authenticator app, like Google Authenticator, instead. Don’t let the name intimidate you: There are a few extra steps involved, but the effort is worth it.
SIMjacking: Why your phone number isn’t good enough to verify your identity
By the time Mykal Burns got the security text from T-Mobile informing him that his SIM card had been changed to a different phone, it was already too late. In the 20 minutes it took Burns to get the SIM switched back to his phone, his Instagram account was gone. With access to Burns’s SIM card, the hacker simply asked Instagram to send Burns a password recovery text in order to take over Burns’s account and lock him out. All Burns could do was watch the hacker destroy that part of his online life.
“It had been wiped clean of the 1,200 or so photos I had shared since creating the account in 2012,” Burns, a Los Angeles-based television producer, told Recode.
SIMjacking, or SIM swapping, was famously used to take over Twitter co-founder and CEO Jack Dorsey’s own Twitter account in 2019. But as Burns’s story shows, you don’t have to be a famous billionaire to be a target. If a hacker knows enough about you to convince your mobile carrier that they are you, an unsuspecting customer service representative might switch your SIM to them. There have also been cases of mobile carrier employees accepting bribes to switch SIMs, in which case a hacker wouldn’t have to know much about you at all.
Putting a PIN on your SIM might prevent some of this, but it’s not foolproof. And, as Vice reported in March, hackers have found other SMS exploits that don’t even require access to your SIM card.
“SMS, as a technology, has been around for a long time,” Marc Rogers, executive director of cybersecurity at Okta, an identity authentication technology company, told Recode. “It was designed to be a cheap way of sending messages. It wasn’t designed to be secure. And we built a bunch of security services on top of it. ... There are now more ways to compromise an SMS service than they can hope to fix.”
Basically, if you’re using texts or your phone number to verify your identity, it’s time to consider something else.
Authenticator apps — which are usually free — take a few more steps to set up than text-based authentication. Some people might find that — choosing and downloading another app, scanning QR codes, accepting tokens — to be too intimidating or simply not worth the extra effort. I’m here to tell you that it’s not intimidating, and it is worth it.
“That’s our whole purpose of really promoting these authentication apps,” Akhil Talwar, director of product management for LastPass, which makes a password manager and an authenticator app, told Recode. “They’re really easy to use, they’re super secure, and they’re also convenient. You’re just getting a push notification in some cases.”
How to choose and use an authenticator app
Authenticator apps work the same way text-based 2FA does, but instead of having a code sent to you via text, the code appears in the app. The code also changes every 30 seconds or so as an added measure of protection — it’s next to impossible for a hacker to guess at the right code when it changes so frequently. A hacker would have to be ridiculously lucky (anything’s possible, I guess) or have possession of your physical device to gain access to the code.
Several sites have recommendations for good authenticator apps and their respective features, which should help you figure out which one works best for you. Google Authenticator is one of the most popular and it comes from Google, so you can trust that it’ll be around for a long time and that the company knows what it’s doing to keep the app secure. But it’s also one of the most basic authenticator apps out there. If you’re looking for a few more features, Authy is highly recommended by most, ha
May 6, 2021 - VOX