Alternative Ways to Protect Yourself from Being Spearphished

I ran into the issue of not being able to receive text messages due to temporarily disabling my usual cellphone SIM during a trip to the UK last month. The credit card account that I used for many of my transactions was protected by SMS-based 2FA. However, I had also provided the alternate option of a phone call to my Ooma VOIP home phone. So, while connected to my hotel’s WiFi, I temporarily enabled the associated app on my iPhone to ring when the Ooma number was called. I was then able to get the 2FA code from the call.

Of course, if the OTP authenticator is an app on your phone, then whatever locks you configured to authorize access to the phone is itself that second factor.

Even though Google Authenticator doesn’t ask for a PIN, someone needs to have my passcode or fingerprint to unlock the phone it’s running on. Depending on how secure the device’s file system is (and current versions of iOS seem to be very secure), that may be sufficient.

I haven’t used the Google Voice approach but I like the idea for certain accounts. I’m deeply wedded to OTP applications (mostly Authy and Duo) since those are used for work. Overall the advice here is solid and I look forward to things getting better over time, as they have within the Apple ecosystem at least.

Professionally I advise large enterprises to use both the “save the seed token” method (good if you don’t actively need the MFA), and the “save it all onto the latest iPhone you can get” option… but in enterprise environments it’s a phone with all wireless turned off, stored in a safe, ideally in a Faraday bag (for real).

Those aren’t practical for the average person protecting a bank account where you actually need the extra MFA on a regular basis, so that’s why I like the Google Voice idea.

The main thing, though, is to be aware and train your family members… especially older family. Bad guys are getting good even at tricking people out of their MFA codes.

You trust Google?

I tried Google voice many years ago and hated it. I found it not intuitive at all.

So far the only issue I have is with an old Yahoo mail account. I do barely use it, but there are times when messages come there that I want to see. But Yahoo wants me to provide an SMS number for account verification purposes, but it will not accept a Google Voice number. (I use TOTP whenever I can, and have about 15 accounts set up that way, but some accounts do not support it.)

For this purpose, yes. I trust that my account will be secure. I trust Google more for this than I trust Verizon Wireless to keep my number secure (though really I think I have little to worry about, I still think using a GV number when I must use SMS for 2FA is better than my Verizon number).

In a battle between a scorpion and a snake, I’ll pick the one I can protect against the venom more readily.

International users are typically SOL on using GV at all, and even then the few that can use it cannot use it for SMS at all.

Also, IMDb is another site with zero 2FA enabled. I literally contacted them earlier today about it, but got the usual nondescript reply.
(Yes, not critical, but nonetheless important if you don’t want your info on there played around with or deleted maliciously.)

The biggest problem that I can see is using anything from Google and expecting it to remain private.

Leaving every other privacy argument aside, for the purposes of getting one-time, expiring two-factor codes that you enter in order to complete the login on a website, I can’t see a privacy risk. You can create a Gmail account with a random user name that you use for nothing else other than creating a Google Voice account and using it to get messages for this purpose.

allow me to ask stoopit questions.
How does something like Authy work? It seems it is cloud based, which, for some reason, makes me nervous; though I will admit to using one for some back-up.
I use Enpass for passwords, though it is a foreign-owned company, which also makes me nervous.
But I found it easy to use. I haven’t engaged the sync part of it with my Android.

I don’t use Authy, but looking over their web site, it appears that 2FA codes are generated locally from an app, much like Google Authenticator does.

It appears that they use a cloud service to sync the keys across multiple devices and to implement remote-disable. This (I think) has the potential for a security problem, should an attacker find a way to sync one of his devices to your account, but I don’t know enough information to be sure about that.

Adam, I hope you realize that tapping Authy’s copy icon on the iPhone will also place the token on the Mac’s clipboard—just paste, no typing!

However, some site operators ask you to choose your cellular carrier, and in such cases, I’ve never seen Google Voice as an option. I’ve tried to work around this step, but it has never succeeded.

Your email address can be used to track you across the internet and is typically 50% of your login credentials. If it’s insecure to re-use a password, why are we re-using our email addresses?!

Abine’s Blur service proposes a different email address for each account, and those addresses forward to any of your real addresses; you can also read them on Blur and change the address to which they forward. Better yet, if the site spams you or sells your address, you can switch off the forwarding, either temporarily or permanently.

Doh! Of course, although I’ll have to see if it works in real-world usage. My experience with Universal Clipboard is that it’s pretty hit-or-miss.