If you suddenly lose control of a host of Web services at once, there could be a simple root cause: hackers have taken control of your phone number. The New York Times reports that hackers have been increasingly able to convince carriers to transfer customer phone numbers to devices in their control. That allows them to reset passwords for sites secured using two-factor authentication, a feature that is now used widely by sites like Twitter and Facebook.
You might be particularly concerned if you’re an early adopter of cryptocurrencies, as attackers appear to be focusing attentions on commandeering logins for currency lockers and then draining them. The Times points to the particularly troubling experience of Joby Weeks, a Bitcoin entrepreneur who lost “about a million dollars’ worth of virtual currency” last year via this kind of scam, even though he had alerted his cell carrier that he might have been targeted.
Earlier this month, Wired published an interesting piece highlighting the newfound status of the phone number as “the only username that matters.” From the article:
WhatsApp was among the first apps to equate your account with your phone number. Now apps like Snapchat, Twitter, and Facebook Messenger do it too. Starting this fall, setting up your iPhone will be as easy as punching in your number. The supposedly super-secure way of logging into apps involves texting you a secret code to verify your identity. Phone numbers are killing the username, killing the password, and making it easier than ever to go wild online.
That sounds awfully convenient. But held up alongside the findings of the Times, it also seems rather terrifying.