Over at the Wall Street Journal, tech columnist Christopher Mims wrote a piece about two-factor authentication and how awesome it is.
The idea of a code being sent to your phone to log you into a site — rather than relying just on a password that can be guessed or stolen — is so awesome that he thinks it’ll make the password completely irrelevant.
To show how awesome two-factor is, he decided to just give up his Twitter password to anyone who wants it. “Knowing that won’t help you hack [my Twitter account], however,” he wrote. “In fact, I’m publishing my password to make a point: The password is finally dying, if we want it to.” Ironically, you need a WSJ password to read the piece. But his handing out his password happens in the first paragraph which all can read, and it was, quite honestly, the only novel part of the piece. The rest explains device-based authentication to people who haven’t been paying attention to tech security, and haven’t set it up already for their Google, Facebook, Twitter, Yahoo, Bank of America, Paypal, or fill-in-the-online-service-here accounts.
As a journalism stunt to get clicks it was brilliant but as a practical approach to security, it was very dumb. So what happened after he handed his password out? The obvious. A whole bunch of people tried to log into his Twitter account. And every time one did, Mims got a text message with a verification code. He said on Twitter that he started receiving two text messages every minute.
He finally switched to getting the code via a designated “Twitter for iPhone” app, but there was still an option to send a verification code to his phone, and when you clicked on that, it revealed Mims’s full phone number, starting with a 301 Maryland area code. I tried calling him but got a message that his overworked phone was “out of service.” He says he now has to change the number associated with the account. Passwords alone do suck as a security measure, but until our smartphones can prick us for genetic material before letting us sign in, passwords do still play an important role in getting into a site.
Relying on smartphone authentication alone means that a stolen smartphone is now a huge liability. “Cool contest: mug @mims for his phone, and you get his twitter account too!” tweeted New York Mag tech writer Kevin Roose.
I’m sure we’ll get another column from Mims about “what he learned” from the idiotic move. What happened was pretty predictable. And it has happened before. A British journalist published his bank account information online years ago to prove people were ridiculous in flipping out over the possible exposure of 25 million people’s bank account deets. His account got burgled by a Robin Hood.
The CEO of Lifelock, a service that promises to help protect people’s information online, famously used to print his Social Security number in ads because he was so confident in his company’s ability to protect him. Just as with Mims, the obvious happened. His identity was stolen at least 13 times. It is never ever a good idea to say, “Try to hack me.” Because hackers can almost always find a way.
One thing Mims was right about: his Twitter account hasn’t been hacked (yet). However, his phone was in a sense — in that it was buffeted with digital blows. And by revealing his password, he revealed his phone number to anyone who wants to screw with him further; cell phone numbers are awfully useful for social engineering or just ensuring someone has a very nasty day.
One of the best ways to approach security is to be careful and pragmatic about how and where you dish out your data, and to try to build a series of fences around the accounts and information that matter to you, so that it is harder for attackers to get in. Mims needs to do a bit more research into that. The good thing to come out of exercises like these is getting companies to protect stupid users from themselves. As many pointed out, Twitter shouldn’t display people’s phone numbers in full as part of the two-factor log-in process.
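Two of the fences the column points at can be shown in code: mask the phone number on the second-factor screen instead of printing it in full, and cap how many verification texts one account can trigger, so a leaked password turns into a handful of messages rather than two a minute. This is an added illustration, not code from the column or from Twitter; the limit of three codes per ten minutes, the account name and the phone number are assumptions made up for the example.

```python
"""Mitigations for the failure mode described above: a masked phone display
and a per-account rate limit on verification-code sends.
Constructed example; the policy numbers are assumptions, not any site's real settings."""
from __future__ import annotations
from collections import deque
from typing import Deque, Dict, Tuple

# Constructed sample; 555-01xx is a reserved fictional range in North America.
SAMPLE_NUMBER = "+1 301-555-0100"


def mask_phone(number: str, visible: int = 2) -> str:
    """Replace every digit except the last `visible` with '*'.

    Formatting characters (+, spaces, dashes) are kept so the user still
    recognises the shape of their own number, but an attacker who reached
    this screen with a stolen password learns at most two digits.
    """
    digits = [c for c in number if c.isdigit()]
    if len(digits) <= visible:
        raise ValueError("number too short to mask safely")
    keep_from = len(digits) - visible  # index of the first digit we reveal
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            out.append(c if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


class OtpRateLimiter:
    """Sliding-window limit: at most `max_sends` codes per account per `window` seconds."""

    def __init__(self, max_sends: int, window_seconds: float) -> None:
        self.max_sends = max_sends
        self.window = window_seconds
        self._sends: Dict[str, Deque[float]] = {}

    def allow(self, account: str, now: float) -> bool:
        """Return True (and record the send) if another code may go out now."""
        q = self._sends.setdefault(account, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_sends:
            return False  # caller should show a "try again later" message, not send
        q.append(now)
        return True


def simulate_password_leak(attempts_per_minute: int, minutes: int,
                           limiter: OtpRateLimiter, account: str = "mims") -> Tuple[int, int]:
    """Replay a steady stream of correct-password logins against one account
    and count how many codes would be sent versus suppressed."""
    sent = suppressed = 0
    interval = 60.0 / attempts_per_minute
    for i in range(attempts_per_minute * minutes):
        if limiter.allow(account, i * interval):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


if __name__ == "__main__":
    print("second-factor screen shows:", mask_phone(SAMPLE_NUMBER))
    # Two attempts a minute for ten minutes, as the column describes, against a
    # limit of three codes per ten minutes (assumed policy).
    print("sent/suppressed:", simulate_password_leak(2, 10, OtpRateLimiter(3, 600)))
```

The limiter only decides whether a text goes out; the login itself should still fail closed until a valid code is entered, and the attempt should be logged so the account owner (or a detection rule) can see the burst that the suppressed messages would otherwise have revealed.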