Relying on a password alone as the only barrier between cybercriminals and your sensitive accounts is not something we recommend. Two-step verification has therefore emerged as a popular complement. With this option, the user can, for example, receive a text message with a one-time code that must be entered along with the other login details.
The procedure is much safer than relying on passwords alone, but it is not completely foolproof. A German security researcher demonstrated this to TechCrunch when he came across a database of 26 million text messages containing both password-reset and two-step verification codes. These were originally sent by a variety of services, including Microsoft and Google accounts.
The database, which was updated with new codes in near real time, belonged to the US communications company Voxox. Among other things, the company acts as an intermediary that converts the auto-generated codes from the online services into the text messages that actually reach the user who wants to log in. After the leak was discovered, the database was quickly taken offline.
The TechCrunch article shows how both the user's phone number and recovery code were stored in plain text. The database was found through the niche search engine Shodan, which is open for anyone to use. In theory, determined hackers could have read the database and "hijacked" the codes before they were used by the legitimate user.
Receiving additional login credentials by text message is not the only option for two-step verification. It is becoming more common to secure logins with authenticator apps such as Google Authenticator, or even encrypted hardware keys that can be attached to a key ring.