Several major apps and websites, such as Paypal and Venmo have a flaw that lets hackers easily take over users’ accounts once they have taken control of the victim’s phone number.
Earlier this year, researchers at Princeton University found 17 major companies, among them Amazon, Paypal, Venmo, Blizzard, Adobe, eBay, Snapchat, and Yahoo, allowed users to reset their passwords via text message sent to a phone number associated with their accounts. This means that if a hacker takes control of a victim’s cellphone number via a common and tragically easy to perform hack known as SIM swapping, they can then hack into the victim’s online accounts with these apps and websites.
“Going through the dataset I actually didn't expect to find much, and then I didn't expect to find these huge websites to have this sort of issue,” Kevin Lee, the lead researcher on the study, told Motherboard.
Last week, two months after their initial outreach to the companies to report this flaw in their authentication mechanisms, the Princeton researchers checked again to see if the companies had fixed the problem. Some, including Adobe, Blizzard, Ebay, Microsoft, and Snapchat, have plugged the hole.
Others have yet to do it.
“Many of them didn’t understand that this was an issue with their authentication policies,” Lee said. “Many of them were saying 'well this is an issue with the carriers and not us.’”
Do you know of a hack or a security issue we should know about? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Paypal and Venmo, given that they are apps that allow users to exchange money and are linked to bank accounts or credit cards, may be the most glaring examples. Motherboard verified this week that it’s possible to reset passwords on Paypal and Venmo via text message.
Venmo is owned by Paypal, neither of their spokespeople responded to multiple requests for comment for this story.
Of course, this kind of authentication policy exists because companies need to balance security with the need for users to reset their passwords in case they forget it. Allowing users to reset passwords using their phone number is, in theory, a great solution. But the rise of SIM swapping, which Motherboard has reported on for a couple of years now, makes this previously reasonable tradeoff a bit more risky.
If you don’t want to rely on companies to upgrade and improve their policies, there is a simple solution you can implement today to reduce the risk to your accounts. The easiest way to make it impossible for SIM swappers to take over your accounts after they hijack your number is to unlink your phone number with those accounts, and use a VoIP number—such as Google Voice, Skype, or another—instead. Google Voice numbers, given that they’re not actually linked to a real SIM card, are much harder to hijack.