Passwords aren’t easy. There are only so many ways you can combine the name of your childhood pet, a series of numbers, and a B-side Alanis Morissette song title to get something truly foolproof. And if you manage to lose that master list of all your passwords, you’re going to end up in the weeds. (Here are some reasons your password is probably too weak, anyway.)
One of the most common recovery methods people turn to when they have forgotten a password is text message verification; it uses a separate network, seemingly accessible only to you, so it must be safe, right? Wrong, according to Forbes. Text message authentication may provide a window large enough for a hacker to bleed you dry.
The vulnerability was exposed in a video by Positive Technologies, a security firm that specializes in pinpointing the gaps in companies’ cyber protections and then providing solutions. The hack was executed on a user’s Coinbase account, a digital wallet used by over 7 million users to store and exchange digital currencies such as Bitcoin.
The process was simple: the hackers managed to gain access to the cell network and intercept all text messages sent to the designated recovery phone number for a select duration of time. With the intercept in place, all the hackers need is a phone number and a user’s name to learn their username and then their password.
And this vulnerability is not unique to Coinbase, because it was actually the cell network itself that was hacked into. Bitcoin accounts are particularly vulnerable because of their transaction permanence; once a transfer is made, it cannot be reversed (just like Venmo). The Verge dives a bit deeper into the potential dangers of this hack.
“The attack works just as well on any other web service. As long as you’re getting confirmation codes over SMS, you’ll be vulnerable to this kind of attack. Other groups have pulled off less sophisticated versions of the same hack by breaking into carrier accounts to set up call-forwarding.”
There are ways to protect yourself from this form of hacking. Many online services offer other, one-off password recovery solutions, and your Google account allows you to remove your phone from the equation entirely. Also, remember that your password security questions are far from airtight.
Even the most seemingly secure, too big to fail systems can be incredibly vulnerable to hacks. Just ask Equifax.