Several of the world’s top professional poker players revealed last week that they have been victims of a hacker or group of hackers who took over some of their non-poker online accounts. The security weakness that allowed this to happen was one most people wouldn’t expect: two-factor authentication (2FA).
Most of us, when logging into an account online, simply use a password. Two-factor authentication takes security a step further, protecting our accounts in the event someone is able to get a hold of our password. 2FA requires a user to also have something on them as a second key of sorts. Some online poker rooms use a special fob that rotates a code every few minutes; should a hacker get a player’s password, it is highly unlikely that they would also be holding that fob and therefore wouldn’t be able to enter the second code.
The most common form of 2FA is SMS text messaging using a person’s cell phone. It makes sense. Almost everybody has a cell phone – smart or otherwise – and can easily retrieve a code sent via text. For most people, this works fine, but in the case of Vanessa Selbst, Dan Smith, Cate Hall, and Vanessa Rousso, SMS 2FA was what allowed someone to take over their accounts.
The weak link was the cell phone company and specifically certain customer service representatives. You may know (assuming you have a cell phone), that when you call up to make changes to your mobile phone account, you need to provide the customer service rep a PIN or a password. If you can’t remember them, you will need to provide some sort of proof of identity (which means you won’t be making any account changes over the phone any time soon). Unfortunately, what can happen is that customer service reps are sometimes lax in their enforcement of this rule and just allow a caller to bypass the PIN/password security step.
Usually, a representative would do this because they are trying to be nice, trying to help somebody out who needs a hand. But that person who sounds like they legitimately can’t remember their password and are having just the worst day can turn out to be faking it. When the crook finds the right customer service rep, the one who lets them bypass the security measures, they can access the target’s cell phone account, change the PIN/password, transfer the phone number to their own phone, and at that point they control the victim’s cell phone account.
From there, it’s just a matter of trying different online services: Gmail, Dropbox, bank accounts, etc., to see which ones the victim had protected with SMS 2FA. If an account allows password changes via text message, the hacker can then use the “Forgot Password” option, have the reset code texted to the phone that now holds the victim’s number, change the password, and gain access to sensitive account info.
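The difference between the two kinds of second factor described above, as an added example that is not part of the original article: a small Python model in which a carrier routing table decides which handset receives an SMS reset code, while an authenticator code (RFC 6238 TOTP, implemented here with the standard library) is derived from a secret that stays on the owner's device. The carrier, service, policy names, phone number and handset names are constructed for the simulation and do not model any real provider.

```python
"""Toy model contrasting SMS-based recovery with an authenticator (TOTP) factor.

Added example, not code from the article. HOTP/TOTP follow RFC 4226/6238;
the routing table, policies and handset names are constructed assumptions.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit value, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is the
    rotating code a fob or authenticator app displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift,
    comparing each candidate in constant time."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-window, window + 1))


# Carrier routing table (constructed): phone number -> handset receiving its SMS.
Routing = Dict[str, str]


def sms_reset_recipient(routing: Routing, phone: str) -> str:
    """'Forgot password' over SMS: the code lands on whichever handset the
    carrier currently routes the number to, not necessarily the owner's."""
    return routing[phone]


def recovery_allowed(policy: str, routing: Routing, phone: str,
                     presented_from: str, totp_secret: Optional[bytes],
                     presented_code: Optional[str], now: int) -> bool:
    """Decide whether a password reset goes through under a given policy.

    'sms_only'      : whoever holds the handset the number routes to succeeds.
    'totp_required' : the caller must present a valid code from the enrolled
                      secret; the phone number plays no part.
    """
    if policy == "sms_only":
        return presented_from == sms_reset_recipient(routing, phone)
    if policy == "totp_required":
        return (totp_secret is not None and presented_code is not None
                and verify_totp(totp_secret, presented_code, now))
    raise ValueError(f"unknown policy {policy!r}")


def simulate_port_out(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Replay the article's scenario in the toy model: the carrier moves the
    owner's number to another handset, while the enrolled TOTP secret stays
    on the owner's device. Returns the outcome of each recovery attempt."""
    phone = "+15550100"  # constructed number
    owner_secret = hashlib.sha256(b"constructed-enrollment-secret").digest()
    routing: Routing = {phone: "owner-handset"}

    other_sms_before = recovery_allowed("sms_only", routing, phone,
                                        "other-handset", None, None, now)
    # A carrier rep re-points the number: the weak link the article describes.
    routing[phone] = "other-handset"
    other_sms_after = recovery_allowed("sms_only", routing, phone,
                                       "other-handset", None, None, now)
    # The other handset never enrolled a secret, so it has no code to present.
    other_totp_after = recovery_allowed("totp_required", routing, phone,
                                        "other-handset", owner_secret, None, now)
    # The owner still holds the secret and can present a current code.
    owner_totp_after = recovery_allowed("totp_required", routing, phone,
                                        "owner-handset", owner_secret,
                                        totp(owner_secret, now), now)
    return {"other_handset_sms_before": other_sms_before,
            "other_handset_sms_after": other_sms_after,
            "other_handset_totp_after": other_totp_after,
            "owner_totp_after": owner_totp_after}


if __name__ == "__main__":
    print(simulate_port_out())
```

The point the model makes is that an SMS code authenticates possession of a phone number, which the carrier can reassign on a phone call, whereas a TOTP code authenticates possession of a secret that the carrier never holds; a service that lets "Forgot Password" complete with SMS alone inherits the carrier's weakest customer service rep as part of its own security boundary.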
Selbst was especially livid, posting on Twitter that a Verizon rep offered to let her change her PIN back, which is basically what Verizon had let the hacker do in the first place.
The four players mentioned in this article are the ones who have come out publicly to say they have been hacked. There could be any number of additional victims who have not made it known.