T-Mobile has spent the last week doing damage control after the wireless carrier suffered a data breach. Thus far, T-Mobile has discovered that customers have had their personal information, including names, addresses, birth dates, and Social Security numbers, accessed.
Whenever breaches like this happen, it’s common to wonder what more you can do to protect yourself. The answer is: A lot. Start by creating and using complex passwords stored in a password manager, and then enable two-factor authentication for every account you have that supports it, boosting the security of each account. You should also check to see if any of your passwords have already been exposed in a breach, and then change them; again, using a password manager.
Two-factor authentication may sound technical, but it’s more time-consuming to set up than anything else. Below I’ll explain what two-factor authentication is and how it works, offer some best practices, and provide a shortlist of popular websites that support this added layer of security for your accounts. Trust me, it’s worth it.
What is two-factor authentication?
Two-factor authentication (also sometimes written as 2FA) is also commonly referred to as two-step verification or multi-factor verification. For simplicity’s sake, I’m going to refer to it as 2FA or two-factor authentication for the duration of this post.
Think of two-factor authentication as an extra layer of security for your online accounts. If you’re not using 2FA on an account, your login process involves entering your username and password, and that’s it. Two-factor authentication adds an extra step to that process. First, you’ll enter your username and password, then you’ll be asked to enter a one-time passcode (sometimes also called an OTP), which is typically a 6-8 digit number. You obtain that number, which changes every 30 to 60 seconds, via an app or a text message.
Once you’ve entered that code, only then are you granted access to your account.
Effectively, a would-be bad guy would need to know your username and password, and would also need to have either taken over your phone number or gained physical access to your phone and your authenticator app of choice, in order to sign in to your bank’s website or your email account.
Don’t use SMS to retrieve your codes. Use an app instead
When two-factor authentication first started to roll out to various websites and services, nearly all of them only supported sending your one-time password via text message. And while it’s a convenient and easy way to receive your codes, it’s also the weakest option, due to SIM swap fraud.
For those not familiar, SIM swap fraud occurs when someone calls your wireless carrier impersonating you and convinces the employee to change the SIM card linked to your phone number. With all incoming calls and text messages now being routed to the bad guy’s phone, they can sign in to any online account of yours that’s been part of any sort of data breach or hack.
Making matters even worse are hacks like the recent T-Mobile breach. Not only did it include enough of a customer’s personal information for anyone to impersonate you when they call customer care, the hack also included the PIN codes that customers had added as an extra security step.
See how quickly things can spiral out of hand if you’re receiving, say, your bank’s 2FA codes via text messages?
If at all possible, use an authenticator app like Google Authenticator or a password manager that can store your one-time passwords.
I use a password manager to create and store all of my account passwords, along with my one-time passwords. The app not only lets me know when a new service supports two-factor authentication, but it also will copy/paste the code when I’m logging into an app or website, making the entire process of using 2FA painless.
In addition to being more secure, an app doesn’t require an active internet connection to show you the current code assigned to your account. That means if you are traveling and on a plane, you can still access your code — something you can’t do if you have to receive it via SMS.
But two-factor authentication seems like a hassle!
You’re right, to some extent 2FA is a hassle. But it could be worse. The longest part of the two-factor authentication process is getting it set up for all the online accounts you have that support it. After that, waiting for a code via text messaging, or using an app to access the code is a breeze and something you’ll quickly adjust to just being part of your normal routine.
I don’t particularly enjoy using two-factor authentication, especially on my Apple account because it sends an alert to every single device I own, but I do it because it keeps my personal data and financial information secure. If someone were to gain access to my accounts, they could quickly wreak havoc with my personal and professional life, and it would take weeks or even months to put all of the pieces back together.
Don’t believe me? Read this story from CNET’s sister site ZDNet. Mobile contributor Matthew Miller had his T-Mobile SIM card swapped, and the perpetrator then quickly deleted his entire Google account, used $25,000 from his bank account to purchase bitcoin, and locked him out of his Twitter account — and that was just in the first hour or so.
This small inconvenience will go a long way in keeping you from an even bigger hassle.
Don’t gloss over saving your recovery codes
When you go through the process of setting up two-factor authentication, you’ll be prompted to save a recovery code (or a series of recovery codes). DO NOT SKIP THIS STEP.
That recovery code is what you’ll use to get back into your account should something happen and you lose access to your two-factor authentication codes. It’s not something that companies like Apple take lightly. Without that code, your account is as good as closed, and with it all of the data it holds.
Hypothetically, let’s say you have your 2FA codes arriving via text messaging. After a fun night out with friends, you realize your phone is gone, and with it, access to your OTP codes. Now the only way to sign in to your bank account or your carrier’s website is with a one-time password, unless you have a recovery code.
Trust me, as someone who has had to use a recovery code a time or two, future you will thank present you for saving your recovery code.
I suggest saving anything related to recovery in a password manager and taking a screenshot of the code that you can store in a secure place, even if that means printing it out and keeping it in a file.
Instructions for two-factor authentication on popular websites and services
Here are the links either directly to the proper account settings page to set up 2FA, or to the appropriate support page detailing how to enable two-factor authentication for popular companies and websites. If a company isn’t listed below, I recommend searching for the company name with two-factor in the query (Ex., “Facebook two factor”).
The list, as you can see, can get very long, very easily. The website 2fa.directory has a searchable database with direct links to the appropriate support page for many websites. You should also take steps with your wireless carrier to limit the chances of experiencing SIM swap fraud yourself.