Twitter 2FA


Recent security incidents involving influential web3 figures, including Vitalik Buterin, have put a spotlight on an alarming issue with SMS-based two-factor authentication (2FA). A significant number of these personalities have found their Twitter accounts compromised. The primary suspect? SIM swapping attacks targeting the widely used SMS-based 2FA.

@Zachxbt highlighted that, in 2023, there were 54 SIM swap attacks in a span of four months, leading to a loss of $13.3M.


Let us break it down: while SMS-based 2FA does provide a security layer, it's not foolproof. Picture this: a cunning attacker convinces your telecom provider they're you. Just like that, they can get your number transferred to a new SIM. Your precious 2FA codes sent via SMS? They're now in the wrong hands.

There's a more secure path forward: security key-based 2FA, using keys like the ones from Yubico. A security key is a physical device, so unless someone nabs it from your pocket, your accounts remain locked tight.

Here's how to add a YubiKey and disable SMS-based 2FA to protect your X account from SIM swap attacks:

1. Head over to x.com/settings/account/login_verification

2. Untick the box next to 'Text message' and follow the instructions to turn it off.


3. Now, check the box for 'Security key'.

4. Sync your chosen security key. Most keys, like @yubico's, will use USB, NFC, or Bluetooth.


5. You will then be asked to enter your Windows PIN/password before setting up the security key. Enter it to continue.


6. After entering the Windows PIN/password, touch your YubiKey to sync it with your Twitter account.


7. Your security key is now set! You will also have a single-use backup code, which you should keep in a safe place. It is useful when you don't have access to your 2FA methods.


Now open a private tab in your browser and try to reset your password using this link, and ensure that your phone number is NOT an option for password reset: https://twitter.com/i/flow/password_reset


Think of using a security key-based 2FA as adding a stronger lock to your online door. Worried about losing your key? It's wise to have backup keys or consider using an authenticator app as a safety net.

As we delve further into the digital world and with web3 platforms becoming more common, good online security is more than just a benefit—it's essential. It's time to move beyond SMS 2FA and adopt stronger security measures.

On another note, the SafeSoul browser extension can further enhance your online safety. It actively alerts you to online risks whenever you visit a compromised X account, a malicious website or airdrop. Take a moment to check it out at safesoul.club.

Article by Security Researcher Ashutosh Barot