[Don't use Google Voice for two-factor authentication]

Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

[Don't use Google Voice for two-factor authentication]

Post by RationalWalk »

Since there are many recommendations on BH to use Google Voice for 2FA verification, and I'm a user myself, I was dismayed to find the following information about how to hack GV online from Authy:
First the attacker compromises the user e-mail. The email is compromised mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of their products the attacker can also access voice.google.com. Here, the attacker can see any SMS messages sent to you in real-time. This means that the attacker can now easily reset your password on any website since he has access to your e-mail and then use voice.google.com to retrieve the Two-Factor Authentication code.

So please, if you are using Google Voice as your Two-Factor Authentication number, don’t! And if you know someone who does, please explain this to him or her.
https://authy.com/blog/do-not-use-your- ... ntication/
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
bob60014
Posts: 3683
Joined: Mon Jul 31, 2017 8:59 pm
Location: The Land Beyond ORD

Re: Google Voice for 2FA verification can be easily hacked

Post by bob60014 »

Sounds like the info is a sales pitch from Authy (I never heard of them) to use their services. Are they an authenticator provider?
Last edited by bob60014 on Fri Feb 09, 2024 10:58 am, edited 2 times in total.
Living Free
Posts: 813
Joined: Thu Jul 19, 2018 7:31 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by Living Free »

So they'd need to compromise the email first it seems? How would the hackers get around an app based 2 factor auth for the gmail account?
alexbogle
Posts: 281
Joined: Thu Sep 22, 2022 8:01 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by alexbogle »

Living Free wrote: Fri Feb 09, 2024 10:56 am So they'd need to compromise the email first it seems? How would the hackers get around an app based 2 factor auth for the gmail account?
They're assuming the attacker can steal your cookie for your current gmail session. That cookie gives access to your account without need for a password or 2fa. If your system is that compromised, authy doesn't help you.
"Learn every day, but especially from the experiences of others. It’s cheaper!” -- Jack Bogle
increment
Posts: 1683
Joined: Tue May 15, 2018 2:20 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by increment »

bob60014 wrote: Fri Feb 09, 2024 10:46 am Sounds like the info is a sales pitch from Authy (I never heard of them) to use their services. Are they an authenticator provider?
Authy is an app that produces TOTP 2FA codes. It's well regarded by Wirecutter.
SpaethCo
Posts: 369
Joined: Wed Jan 13, 2016 11:58 pm
Location: Minneapolis

Re: Google Voice for 2FA verification can be easily hacked

Post by SpaethCo »

RationalWalk wrote: Fri Feb 09, 2024 10:42 am
First the attacker compromises the user e-mail. The email is compromised mostly via phishing or by stealing the cookie using a malicious browser extension.
That first sentence is doing a LOT of heavy lifting. If I can convince you to install a malicious browser extension that you’ve given enough permissions to read session cookies I don’t need your email. I can just steal your passwords and the session cookies for the sites I want access to directly.

You’ve already lost the game, getting access to Google Voice at that point is just kicking a dead horse.
gavinsiu
Posts: 4351
Joined: Sun Nov 14, 2021 11:42 am

Re: Google Voice for 2FA verification can be easily hacked

Post by gavinsiu »

Security of Google voice is dependent on how well you secure your google account. If you have a crappy password and no 2FA, you will be hacked. Google accounts support both passkey and hardware 2FA. If you implement it properly, it makes the google account difficult to hack. The majority of people who got their google voice account hacked got hacked because they have crappy security.

Another item to address is compromised devices. No security will help you if your device is compromised. It would be like barricading the door against the wolf when it's already inside the house. Many of the android devices have terrible update policies, some not getting security updates, period. While hacks of this kind are rare, I would stick to manufacturers who regularly update their security like Samsung, google, Apple, or Microsoft.
armeliusc
Posts: 537
Joined: Wed Dec 21, 2011 8:40 am

Re: Google Voice for 2FA verification can be easily hacked

Post by armeliusc »

SpaethCo wrote: Fri Feb 09, 2024 11:32 am
RationalWalk wrote: Fri Feb 09, 2024 10:42 am
First the attacker compromises the user e-mail. The email is compromised mostly via phishing or by stealing the cookie using a malicious browser extension.
That first sentence is doing a LOT of heavy lifting. If I can convince you to install a malicious browser extension that you’ve given enough permissions to read session cookies I don’t need your email. I can just steal your passwords and the session cookies for the sites I want access to directly.

You’ve already lost the game, getting access to Google Voice at that point is just kicking a dead horse.
This. That is a long stretch. Might as well replace those first two sentences with: "First, the attacker gets access to your Google Account."
Come on .. ! The Google voice thing is a strawman.
retiringwhen
Posts: 4672
Joined: Sat Jul 08, 2017 10:09 am
Location: New Jersey, USA

Re: Google Voice for 2FA verification can be easily hacked

Post by retiringwhen »

SpaethCo wrote: Fri Feb 09, 2024 11:32 am
RationalWalk wrote: Fri Feb 09, 2024 10:42 am
First the attacker compromises the user e-mail. The email is compromised mostly via phishing or by stealing the cookie using a malicious browser extension.
That first sentence is doing a LOT of heavy lifting. If I can convince you to install a malicious browser extension that you’ve given enough permissions to read session cookies I don’t need your email. I can just steal your passwords and the session cookies for the sites I want access to directly.

You’ve already lost the game, getting access to Google Voice at that point is just kicking a dead horse.
BTW, the attack vector works for non-Google Voice phone lines on Android systems. I have my Verizon cellphone # configured to use the Google Messages App on my Samsung Phone. The cookie steal would also compromise this path as well since the messages app can be accessed via a browser as well off the phone. At least this access is protected by specific phone-based validations (using a 2FA authentication of choosing an image on the phone and the browser) as well as the 2FA of the housing Google Account also normally validated by either Google Authenticator or a phone based validation.

The Google Voice number is only protected by the level of authentication of the Google Account.
Valdeselad
Posts: 248
Joined: Mon Apr 26, 2010 1:42 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by Valdeselad »

The lack of apparent security for the Google Voice app is eye opening and concerning. As an example, there doesn’t appear to be a way to enable app level biometric authentication (i.e. Touch ID) when opening the google voice app on an iPhone.

Initially I thought this had to be a simple oversight on my part, and still hope that it is. But there is nowhere in settings to enable this functionality.
Blue456
Posts: 2147
Joined: Tue Jun 04, 2019 5:46 am

Re: Google Voice for 2FA verification can be easily hacked

Post by Blue456 »

Valdeselad wrote: Fri Feb 09, 2024 11:55 am The lack of apparent security for the Google Voice app is eye opening and concerning.
I wouldn't describe Yubico key as an eye opening and concerning lack of security.
warner25
Posts: 878
Joined: Wed Oct 29, 2014 4:38 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by warner25 »

I'm just piling on to what everyone else already said, but... given full access to one's email, I'm wondering what the attacker could also do to / with one's Authy account.

The biggest risk of using Google services remains the possibility of Google just locking you out of your account with no recourse. Despite that lingering concern, I'm still using Gmail and Voice for my primary email address and phone number (going on 15 years with Gmail, and 10 years with Voice).
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by RationalWalk »

Blue456 wrote: Fri Feb 09, 2024 12:16 pm
Valdeselad wrote: Fri Feb 09, 2024 11:55 am The lack of apparent security for the Google Voice app is eye opening and concerning.
I wouldn't describe Yubico key as an eye opening and concerning lack of security.
Maybe I misunderstand, but my impression from the linked article is that a hacker who can steal your Gmail cookie can bypass your Google account security and get in. That gives them access to your Google Voice.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
Ketawa
Posts: 2521
Joined: Mon Aug 22, 2011 1:11 am
Location: DC

Re: Google Voice for 2FA verification can be easily hacked

Post by Ketawa »

People are mostly missing the point in their replies on this thread. In my mind, there are two main issues with using Google Voice for 2FA.

1. Compromise of an email account also results in compromise of both factors for authentication, password and SMS-based codes, if the same email account is used for account login. Password is compromised by the ability to conduct a password reset, and the second factor (codes sent to Google Voice) is also compromised.
2. An attacker can access new SMS codes without access to a physical device.

Security professionals caution against using SMS-based 2FA/MFA anyway due to the ease of attackers using techniques like SIM swapping. If possible, TOTP codes (which Authy is used to store) or a security token like a YubiKey are preferred.
warner25 wrote: Fri Feb 09, 2024 12:27 pm I'm just piling on to what everyone else already said, but... given full access to one's email, I'm wondering what the attacker could also do to / with one's Authy account.
Authy does not use email, at all. It is impossible for someone to gain access to my TOTP codes stored using Authy by compromising my Gmail account.
torso2500
Posts: 118
Joined: Wed Sep 14, 2022 11:35 am

Re: Google Voice for 2FA verification can be easily hacked

Post by torso2500 »

Well, yes, any service connected to the same online account provider is as secure as your account with the providing institution.

The access necessary to steal your session token (the cookie) means anything you view or log into with that browser or possibly the entire machine is exposed to the bad actor.

Thoughts on GV to circumvent traditional SIM-tied mobile # vs mobile # through a wireless carrier utilizing SIM PIN and MFA on the online account through the wireless company?
retiringwhen
Posts: 4672
Joined: Sat Jul 08, 2017 10:09 am
Location: New Jersey, USA

Re: Google Voice for 2FA verification can be easily hacked

Post by retiringwhen »

Ketawa wrote: Fri Feb 09, 2024 1:18 pm Compromise of an email account also results in compromise of both factors for authentication, password and SMS-based codes, if the same email
I generally agree with your comment but want to clarify something. Compromising the user's system identity is the problem. Email is only one vector. There are lots of ways a Google identity could be compromised that would in turn compromise the Google Voice SMS vector. OTOH, Google provides a pretty strong set of options for locking down that identity including a TOTP-based authentication model.

In other words, Google is not a basis for locking down your identity, but it does require its own layer of focus.
gavinsiu
Posts: 4351
Joined: Sun Nov 14, 2021 11:42 am

Re: Google Voice for 2FA verification can be easily hacked

Post by gavinsiu »

I think part of the problem may be that too many things are tied to the same account. There seems to be a trend of using google or some other provider to log into the website. The downside is that if someone compromises your google account, they have access to all of your other accounts, too. As another poster pointed out, if Google or whatever provider you are using decided to lock out your account, you, too, will be locked out. Don't expect a good resolution, since the vendors aren't great with account recovery. You can apply this weakness to any of the vendors like Google, Apple, Microsoft, facebook, etc.

Google voice is a crappy compromise. Basically, no one wants to use Google voice because Google may axe the service. People use it so they don't end up getting SIM swapped because cell phone vendors are so terrible at security. I would actually prefer TOTP, but most banks don't support TOTP.
Vulcan
Posts: 2959
Joined: Sat Apr 05, 2014 11:43 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by Vulcan »

RationalWalk wrote: Fri Feb 09, 2024 10:42 am
First the attacker compromises the user e-mail.
That's game over no matter what.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
beyou
Posts: 6805
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Google Voice for 2FA verification can be easily hacked

Post by beyou »

I use google voice but I do NOT use gmail.

I secure my google login using physical device 2FA.

I have a long non-trivial password for google services.

If someone steals a device (phone), I would immediately change my key passwords including google and others.
You can force sign out of any device accessing your google account, which is something to check and act upon if you think your google acct is compromised.
warner25
Posts: 878
Joined: Wed Oct 29, 2014 4:38 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by warner25 »

Ketawa wrote: Fri Feb 09, 2024 1:18 pm
warner25 wrote: Fri Feb 09, 2024 12:27 pm I'm just piling on to what everyone else already said, but... given full access to one's email, I'm wondering what the attacker could also do to / with one's Authy account.
Authy does not use email, at all. It is impossible for someone to gain access to my TOTP codes stored using Authy by compromising my Gmail account.
I understand that email access wouldn't directly yield the TOTP codes, but could the attacker not use email access as a starting point to get there with several intermediate steps? Like reset the Authy account password, set up Authy on a new device, etc.?

I appreciate the alternative perspective in the first part of your post. You are right that using Gmail and Voice as one's primary email and phone number for SMS codes effectively turns two-factor authentication / two-step verification into something weaker. However, I think that the Gmail-and-Voice combination is a special (albeit common) case. If one doesn't use Gmail as a primary email, like beyou said, then password reset emails will presumably go elsewhere, and getting access to the Google account only gets the attacker halfway to where he wants to be. If the attacker gets into a non-Gmail email account, then he doesn't (necessarily) get into Google Voice. So this is more of a criticism of consolidating accounts, like gavinsiu said.

And to go back to the beginning, I think it's still the case that if one is going to be a victim of phishing, or install malicious software, then nothing is safe.
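The consolidation argument made in the posts above (the reset channel and the SMS channel living under one Google account), worked through as an added example that is not part of any post in this thread. The service names, channel names and the two setups are constructed, and the model assumes that holding the reset mailbox is enough to set a new password and that holding the second-factor channel yields the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    reset_channel: str   # channel that receives password-reset links
    second_factor: str   # channel or device that yields the 2FA code


def takeover_closure(services, hosting, initial):
    """Fixed point of 'attacker holds both factors' starting from `initial`.

    `hosting` maps a channel to the identity that controls it. A service
    falls once the identities behind BOTH of its channels are held, and a
    fallen service may itself host channels that other services rely on.
    """
    owned = set(initial)
    changed = True
    while changed:
        changed = False
        for svc in services:
            if svc.name in owned:
                continue
            if (hosting[svc.reset_channel] in owned
                    and hosting[svc.second_factor] in owned):
                owned.add(svc.name)
                changed = True
    return owned


def audit(services, hosting, initial):
    """Classify every service after the closure has been computed."""
    owned = takeover_closure(services, hosting, initial)
    report = {}
    for svc in services:
        reset_exposed = hosting[svc.reset_channel] in owned
        code_exposed = hosting[svc.second_factor] in owned
        if reset_exposed and code_exposed:
            report[svc.name] = "takeover"
        elif reset_exposed or code_exposed:
            report[svc.name] = "one factor exposed"
        else:
            report[svc.name] = "unaffected"
    return report


# Constructed data: which identity controls each channel.
HOSTING = {
    "gmail": "google-account",        # Gmail inbox
    "gv-sms": "google-account",       # Google Voice SMS, same Google login
    "other-email": "other-mail",      # mailbox at a second provider
    "totp-app": "phone",              # TOTP secrets stored on the handset
    "printed-codes": "offline",       # recovery codes kept on paper
}

# Setup 1: everything recovers through Gmail, SMS codes go to Google Voice.
CONSOLIDATED = [
    Service("other-mail", "gmail", "gv-sms"),
    Service("bank", "gmail", "gv-sms"),
    Service("broker", "other-email", "gv-sms"),
    Service("payroll", "gmail", "totp-app"),
]

# Setup 2: resets go to a non-Gmail mailbox that is itself protected by TOTP.
SEPARATED = [
    Service("other-mail", "printed-codes", "totp-app"),
    Service("bank", "other-email", "gv-sms"),
    Service("broker", "other-email", "gv-sms"),
    Service("payroll", "other-email", "totp-app"),
]

if __name__ == "__main__":
    stolen = {"google-account"}  # models a hijacked Google session
    for label, setup in (("consolidated", CONSOLIDATED), ("separated", SEPARATED)):
        print(label)
        for name, status in audit(setup, HOSTING, stolen).items():
            print(f"  {name:<11} {status}")
```

In the consolidated setup the broker falls even though its reset mail goes to a non-Gmail mailbox, because that mailbox is itself recoverable through Gmail plus Google Voice.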
Ketawa
Posts: 2521
Joined: Mon Aug 22, 2011 1:11 am
Location: DC

Re: Google Voice for 2FA verification can be easily hacked

Post by Ketawa »

warner25 wrote: Fri Feb 09, 2024 4:31 pm I understand that email access wouldn't directly yield the TOTP codes, but could the attacker not use email access as a starting point to get there with several intermediate steps? Like reset the Authy account password, set up Authy on a new device, etc.?
Authy doesn't have username/password log in; it's tied to your phone number. You can turn on or off the ability to add new devices. If it's off, the only way to turn it on is using a previously authenticated device.
Rowan Oak
Posts: 847
Joined: Mon May 09, 2016 2:11 pm
Location: Yoknapatawpha

Re: Google Voice for 2FA verification can be easily hacked

Post by Rowan Oak »

https://landing.google.com/advancedprotection/
Google's strongest security helps keep your private information safe.
The Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks.
New protections are automatically added to defend against today’s wide range of threats.

Using your account with Advanced Protection

What can I expect once I’m enrolled? What will be different?

Most of your day-to-day account activity will not feel different.

The biggest change will be that one of your security keys will be required when you sign in to your account on a new device (or sign in on your phone after signing out).

You may find you receive more alerts or warnings before downloading a file or installing an app. Strong protections against malware are built into all Google products, such as Google Play Store and Google Chrome, but Advanced Protection performs even more stringent checks.

A number of account security features that were optional will be automatically turned on and kept on for your account.
“If you can get good at destroying your own wrong ideas, that is a great gift.” – Charlie Munger
beardsicles
Posts: 397
Joined: Fri Nov 19, 2021 12:38 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by beardsicles »

The simple fact is Google Voice is the safest way to use sms two factor if your account is secured with a security key and your account is enrolled in advanced protection. SMS two factor still sucks, but that’s the least bad way from a security perspective.
gavinsiu
Posts: 4351
Joined: Sun Nov 14, 2021 11:42 am

Re: Google Voice for 2FA verification can be easily hacked

Post by gavinsiu »

beardsicles wrote: Fri Feb 09, 2024 7:08 pm The simple fact is Google Voice is the safest way to use sms two factor if your account is secured with a security key and your account is enrolled in advanced protection. SMS two factor still sucks, but that’s the least bad way from a security perspective.
I agree. Personally, I used Google voice whenever some service requires the use of SMS and allows VoIP (some services don't even allow google voice). I would prefer to use anything other than SMS, like TOTP for example. Even SMS only 2FA is better than no 2FA at least for passwords.
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by RationalWalk »

It appears my notion was correct. I asked if the exploit could bypass your login security on Google, and yes it does. The technique is called "cookie hijacking". It's all over the web. You should try googling (whoops).

From Malwarebytes:
Posted: January 11, 2024 by Pieter Arntz
Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password.

Persistent cookies enable a continuous access to Google services, even after the user resets their password. This exploit allows the generation of persistent Google cookies by using a Google Application Programming Interface (API) designed for synchronizing accounts across different Google services to bring back to life expired authentication cookies.

...some info stealers have reportedly already been updated to counter Google’s fraud detection measures.
https://www.malwarebytes.com/blog/news/ ... le-account

From Forbes:
In an adversary intelligence analysis published December 29, CloudSEK researcher Pavan Karthick M detailed how Google accounts could be compromised by exploiting an undocumented authentication endpoint that is used for cross-services synchronization. Attackers were found to be using this to critically exploit session cookies used to log into Google users’ accounts without needing to enter credentials. This could then enable access to the security Holy Grail that is the Gmail inbox.
https://www.forbes.com/sites/daveywinde ... 0105722b98
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
beardsicles
Posts: 397
Joined: Fri Nov 19, 2021 12:38 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by beardsicles »

RationalWalk wrote: Sat Feb 10, 2024 9:59 am It appears my notion was correct. I asked if the exploit could bypass your login security on Google, and yes it does. The technique is called "cookie hijacking". It's all over the web. You should try googling (whoops).

From Malwarebytes:
Posted: January 11, 2024 by Pieter Arntz
Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password.

Persistent cookies enable a continuous access to Google services, even after the user resets their password. This exploit allows the generation of persistent Google cookies by using a Google Application Programming Interface (API) designed for synchronizing accounts across different Google services to bring back to life expired authentication cookies.

...some info stealers have reportedly already been updated to counter Google’s fraud detection measures.
https://www.malwarebytes.com/blog/news/ ... le-account

From Forbes:
In an adversary intelligence analysis published December 29, CloudSEK researcher Pavan Karthick M detailed how Google accounts could be compromised by exploiting an undocumented authentication endpoint that is used for cross-services synchronization. Attackers were found to be using this to critically exploit session cookies used to log into Google users’ accounts without needing to enter credentials. This could then enable access to the security Holy Grail that is the Gmail inbox.
https://www.forbes.com/sites/daveywinde ... 0105722b98
Every security feature is going to have flaws. You need to decide which you can live with.
torso2500
Posts: 118
Joined: Wed Sep 14, 2022 11:35 am

Re: Google Voice for 2FA verification can be easily hacked

Post by torso2500 »

Again, the access necessary to steal an auth cookie is full browser or machine compromise. It can't be randomly stolen, you have to install a browser extension or other software that grants access to browser data. Almost any service that keeps you logged in between visits uses authentication cookies.

This isn't a GV specific risk, this is more general security regarding letting outside actors get your browser data, mainly that you should vet your browser extensions before installing. Google comes up a lot because it is a high value target from such exploits.
02nz
Posts: 10415
Joined: Wed Feb 21, 2018 2:17 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by 02nz »

"First the attacker compromises the user e-mail"

Well if your email is compromised, then pretty much everything you have is compromised. Gmail is extremely secure on a non-infected machine.
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by RationalWalk »

Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VBS script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system.
https://www.forbes.com/sites/daveywinde ... e404f24128
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
torso2500
Posts: 118
Joined: Wed Sep 14, 2022 11:35 am

Re: Google Voice for 2FA verification can be easily hacked

Post by torso2500 »

Total compromise of your system =/= Google Voice is easily hacked. It's as hackable as your browser as a whole. "Once a machine has been compromised..." is more important than the getting into GV part. Once the machine is compromised they can get into everything.
gavinsiu
Posts: 4351
Joined: Sun Nov 14, 2021 11:42 am

Re: Google Voice for 2FA verification can be easily hacked

Post by gavinsiu »

The article states that it’s an extension you have to install as an extension delivered via phishing. It’s like other malware delivered in the same manner but targets Gmail specifically. It’s not something that attacks you from remote.
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by RationalWalk »

The OP says if you are using Google Voice for 2FA, don't. It can be compromised via cookie hijacking. We can debate if this is something to worry about or not. Or, we can investigate other ways of securing logins, such as authenticators. The problem with authenticators is that not all the sites we want to login support them. So, what other choices do we have to avoid using Google Voice 2FA?
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
HawkeyePierce
Posts: 2344
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Google Voice for 2FA verification can be easily hacked

Post by HawkeyePierce »

RationalWalk wrote: Sat Feb 10, 2024 12:11 pm The OP says if you are using Google Voice for 2FA, don't. It can be compromised via cookie hijacking. We can debate if this is something to worry about or not. Or, we can investigate other ways of securing logins, such as authenticators. The problem with authenticators is that not all the sites we want to login support them. So, what other choices do we have to avoid using Google Voice 2FA?
That article is pure FUD. Can a Google account be compromised via cookie hijacking? Yes. Is this a threat you need to worry about? No, not really.

If a site only supports SMS 2FA, Google Voice is strictly superior to a regular cell phone. End of story.

Also, Forbes will let anyone write under their brand. Seeing something on Forbes.com does not mean it's an authority worth listening to.
torso2500
Posts: 118
Joined: Wed Sep 14, 2022 11:35 am

Re: Google Voice for 2FA verification can be easily hacked

Post by torso2500 »

Many of the sites you log in to, even some with MFA for login attempts, can still be compromised using cookie hijacking. If the login persists then the account can be at risk. I just don't think that alone is why you shouldn't use GV as an alternative to a SIM based # for SMS 2FA. Cookie hijacking really comes down to protecting your browser's data and not allowing malicious actors access to your machine in general.

Ultimately if SMS 2FA is unacceptable you'll just have to use only services that support non-sms MFA. Those who use GV for 2FA codes are making a choice that their Google account is more secure than their SIM. Alternatively, you can get a wireless number from a carrier that allows for a SIM PIN and decide that is secure enough.
gavinsiu
Posts: 4351
Joined: Sun Nov 14, 2021 11:42 am

Re: Google Voice for 2FA verification can be easily hacked

Post by gavinsiu »

RationalWalk wrote: Sat Feb 10, 2024 12:11 pm The OP says if you are using Google Voice for 2FA, don't. It can be compromised via cookie hijacking. We can debate if this is something to worry about or not. Or, we can investigate other ways of securing logins, such as authenticators. The problem with authenticators is that not all the sites we want to login support them. So, what other choices do we have to avoid using Google Voice 2FA?
Well, if you have a choice of which 2FA to use, then pick something other than SMS. It's essentially the worst 2FA.

If your choice is only SMS, then google voice, provided the account is secured properly, is the best option. Google voice is more secure than plain SMS.

If your service blocks google voice, having SMS as a 2FA is better than no 2FA, though I would prefer having email 2FA as an option.

No matter what 2fa or security measure you use, you have to avoid installing malware on your device. Most of these so-called vulnerabilities are essentially malware attacks that often use either some sort of security vulnerability, which is often quickly patched, or go through humans, who cannot be patched. A lot of the malware basically tricks people into installing rogue extensions or software through phishing or some other form of social engineering. No security device will protect you from that.
ScubaHogg
Posts: 3388
Joined: Sun Nov 06, 2011 2:02 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by ScubaHogg »

This is like saying if your computer is hacked it would then be easy for your computer to be hacked. It’s circular.

Not getting your email hacked via phishing or whatever is definitely a crucial part of online security. It’s the linchpin to basically everything.
There are more things in Heaven and Earth, Horatio, than are dreamt of in your Expected Returns
torso2500
Posts: 118
Joined: Wed Sep 14, 2022 11:35 am

Re: Google Voice for 2FA verification can be easily hacked

Post by torso2500 »

I guess you could combat this by tying the GV number to a separate account from the one used for the logins. Then you have to never log into the GV-linked account anywhere that would cause both auth tokens to be saved in the same place.
stocknoob4111
Posts: 3458
Joined: Sun Jan 07, 2018 11:52 am

Re: Google Voice for 2FA verification can be easily hacked

Post by stocknoob4111 »

How exactly would this cookie hijacking work? It makes no sense. You would have to install a malicious browser extension, which is equivalent to downloading and installing a virus. That is a matter of personal responsibility not a shortcoming of Google products. I use a few extremely vetted extensions that I have been using for 10+ years, I don't install any new extensions.

Also note that the chances of downloading a malicious extension from the Chrome Web Store are extremely small because products on the store are vetted not only by the Google site admins but also the community.
Last edited by stocknoob4111 on Sat Feb 10, 2024 1:18 pm, edited 2 times in total.
LadyGeek
Site Admin
Posts: 95114
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: [Don't use Google Voice for two-factor authentication]

Post by LadyGeek »

I revised the thread title for clarity.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
nps
Posts: 1618
Joined: Thu Dec 04, 2014 9:18 am

Re: [Don't use Google Voice for two-factor authentication]

Post by nps »

RationalWalk wrote: Fri Feb 09, 2024 10:42 am Since there are many recommendations on BH to use Google Voice for 2FA verification
Is there a better SMS option?

If not, I still think the post title is misleading. "Don't use SMS for 2FA" would be more accurate
cacophony
Posts: 1342
Joined: Tue Oct 16, 2007 9:12 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by cacophony »

LadyGeek wrote: Sat Feb 10, 2024 1:16 pm I revised the thread title for clarity.
It's still misleading given that Google Voice is more secure than the majority of other SMS options.

There's a good summary in this post: viewtopic.php?p=7706201#p7706201

I would personally change this thread's title to a question because that's what it is.
Last edited by cacophony on Sat Feb 10, 2024 2:19 pm, edited 1 time in total.
gavinsiu
Posts: 4351
Joined: Sun Nov 14, 2021 11:42 am

Re: [Don't use Google Voice for two-factor authentication]

Post by gavinsiu »

nps wrote: Sat Feb 10, 2024 1:51 pm Is there a better SMS option?

If not, I still think the post title is misleading. "Don't use SMS for 2FA" would be more accurate
Not that I know of. Technically you can add a PIN to your account to prevent porting. In practice there are a lot of documented cases of the PIN being bypassed. Perhaps one of the carriers is actually secure.
beyou
Posts: 6805
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Google Voice for 2FA verification can be easily hacked

Post by beyou »

RationalWalk wrote: Sat Feb 10, 2024 12:11 pm The OP says if you are using Google Voice for 2FA, don't. It can be compromised via cookie hijacking. We can debate if this is something to worry about or not. Or, we can investigate other ways of securing logins, such as authenticators. The problem with authenticators is that not all the sites we want to login support them. So, what other choices do we have to avoid using Google Voice 2FA?
Or ask “what better ways can we secure our Google accounts?”.
michaeljc70
Posts: 10802
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

I use passkeys. I agree with the assessments above that if you don't secure your Google account a lot of things can go wrong. They would have access to Photos, Drive, Voice, Keep (notes), etc. I thought based on the title it was because some companies don't support voice (WF is one).
Kagord
Posts: 1643
Joined: Fri Nov 23, 2018 12:28 pm
Location: Peaksville, Ohio

Re: [Don't use Google Voice for two-factor authentication]

Post by Kagord »

RationalWalk wrote: Fri Feb 09, 2024 10:42 am Since there are many recommendations on BH to use Google Voice for 2FA verification, and I'm a user myself, I was dismayed to find the following information about how to hack GV online from Authy:
First the attacker compromises the user e-mail. The email is compromised mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of their products the attacker can also access voice.google.com. Here, the attacker can see any SMS messages sent to you in real-time. This means that the attacker can now easily reset your password on any website since he has access to your e-mail and then use voice.google.com to retrieve the Two-Factor Authentication code.

So please, if you are using Google Voice as your Two-Factor Authentication number, don’t! And if you know someone who does, please explain this to him or her.
https://authy.com/blog/do-not-use-your- ... ntication/
That authy.com blog entry is over 10 years old, I don't think Google had APP back then, I would question if it is still relevant.
michaeljc70
Posts: 10802
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

Kagord wrote: Sun Feb 11, 2024 8:52 am
RationalWalk wrote: Fri Feb 09, 2024 10:42 am Since there are many recommendations on BH to use Google Voice for 2FA verification, and I'm a user myself, I was dismayed to find the following information about how to hack GV online from Authy:
First the attacker compromises the user e-mail. The email is compromised mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of their products the attacker can also access voice.google.com. Here, the attacker can see any SMS messages sent to you in real-time. This means that the attacker can now easily reset your password on any website since he has access to your e-mail and then use voice.google.com to retrieve the Two-Factor Authentication code.

So please, if you are using Google Voice as your Two-Factor Authentication number, don’t! And if you know someone who does, please explain this to him or her.
https://authy.com/blog/do-not-use-your- ... ntication/
That authy.com blog entry is over 10 years old, I don't think Google had APP back then, I would question if it is still relevant.
Ha.. Good catch!
02nz
Posts: 10415
Joined: Wed Feb 21, 2018 2:17 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by 02nz »

nps wrote: Sat Feb 10, 2024 1:51 pm
RationalWalk wrote: Fri Feb 09, 2024 10:42 am Since there are many recommendations on BH to use Google Voice for 2FA verification
Is there a better SMS option?

If not, I still think the post title is misleading. "Don't use SMS for 2FA" would be more accurate
Misleading and based on a blog entry from a decade ago.
beyou
Posts: 6805
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Don't use Google Voice for two-factor authentication]

Post by beyou »

gavinsiu wrote: Sat Feb 10, 2024 2:16 pm
nps wrote: Sat Feb 10, 2024 1:51 pm Is there a better SMS option?

If not, I still think the post title is misleading. "Don't use SMS for 2FA" would be more accurate
Not that I know of. Technically you can add a PIN to your account to prevent porting. In practice there are a lot of documented cases of the PIN being bypassed. Perhaps one of the carriers is actually secure.
Just logged onto my carrier website. They do have a way to "lock" each line, but they note it only stops someone from porting to another carrier.
They note it does NOT stop swapping SIM cards or devices. So I suppose if someone tried to just move the number to a new device, but convinced the carrier that they are you, they can take over your number, just not with a different carrier. Of course the moment they do so, your phone stops working, and you can do something about it. And then there is the entire issue that it's 2FA, they would need to have your passwords to various sites to do anything with your phone number.

I don't understand why the carrier would let us lock against ports but not hardware upgrades.
We could log in and unlock when we buy a new phone, then lock again; what is the purpose of not allowing such a lock?

Do SIMs really make things any more secure? Someone could still claim they lost their phone and need to move the number to a new phone, calling your carrier and convincing them they are you. In the end we have to rely on the customer service reps following protocols, which of course they may not.
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by RationalWalk »

I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
michaeljc70
Posts: 10802
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

RationalWalk wrote: Sun Feb 11, 2024 11:55 am I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
I moved to a new carrier last month. My old carrier required me to verify a bunch of items including the IMEI of my phone. I have no idea how a scammer would be able to get that easily. I didn't have any special lock on transfers.