Ditch SMS now: tales of a YouTube account shut down and why you should not use SMS for 2FA anymore

On August 6th, YouTuber and Apple products leaker @jon_prosser shared that their YouTube channel @frontpagetech got hacked. The reason? Two-factor authentication (2FA) via SMS.

Jon did not just lose access to their account; the attackers also started to stream a bitcoin scam to up to 40k people. Google suspended the account after a couple of hours, and it took multiple weeks to get the account back live. You can now subscribe to the channel again 😉

Why did this happen?

Jon shared on Twitter that the attackers got access to their accounts via a complete SIM swap and thus got access to the account via the SMS 2FA token. SIM swaps are a common attack vector for spear phishing attacks on accounts. They happen when scammers hijack your phone number by calling your cell phone service provider and claiming that your phone was lost; they then ask the provider to activate a new SIM card connected to your phone number on a new phone that they have access to. If the provider believes the story and goes through with the process, the scammers now have access to all your data, texts and calls on their phone and can log in to your accounts that use multi-factor authentication via SMS (as they'll get the verification text).

In Jon's case, the SIM swap fraud was combined with another type of scam, a YouTube front page hack: through 2FA via SMS, the scammers were able to get access to Jon's YouTube channel, and then took complete control of it to lure people into a Bitcoin scam livestreamed on the channel. The scammers used botting to push the video onto people's front pages, and it reached over 100,000 viewers.

Remediation

So you got attacked and want to remediate this problem? Bad luck. YouTube Support doesn't seem to be able to help you quickly. It took a while for the streams to be taken down in this case.

Your immediate response should be to contact YouTube, regardless. It is best to use Twitter (@TeamYouTube) and other official channels like creator support. After contacting them, and while staying in contact with them, communicate with your followers off platform or via separate channels. Let them know what's happening and how they can react.

Now you can contact your phone provider to get your phone number back. Here you have to hope that your provider can securely and effectively identify you and restore your access to your phone number, because you may need to rely on that number to regain access to your account, and to all the other accounts tied to it.

Prevention

Preventing an account takeover like the one described above is easy. Don't use SMS or phone calls as a second factor. Instead, use a security app that handles this, like Google/Microsoft Authenticator, Duo or Authy. Another really good way to secure yourself is by using a universal 2nd factor / security key like Google's Titan or Yubico's YubiKey. Those are easy-to-use, small, USB- and NFC-enabled devices that negotiate the second-factor authentication with your service provider (like Google and YouTube) on your behalf. You don't have to worry about getting out your phone, opening the 2FA or SMS app, and entering the 6-digit code you got sent. All this is handled by a simple tap on your small USB stick. The only downside is that you need to be careful not to lose it!

Conclusion

Ditch SMS for 2FA now, and move to a more secure option.

We at 22d can provide you with YubiKey security keys. Contact us to learn more about securing your business logins (sales@22dconsulting.com).

22d is a consultancy specialised in G Suite offerings, helping customers adapt to the future of work by making digital transitions a seamless process. Our values are curiosity, openness, and adaptability. They are at the core of 22d’s philosophy: to future-proof teams for the 22nd century!


