Twitter CEO Jack Dorsey’s Twitter account was hacked on Friday, Aug 30, using a technique known as “SIM swapping” or “SIM hacking” to get around two-factor authentication (2FA): the attacker convinces the phone carrier to move the victim’s number onto a SIM card the attacker controls. The attacker then receives the SMS authentication code and uses it to gain access to the account. Fortunately, this account was quickly locked down, but if it were your account instead of the CEO’s, do you think it would have been caught as quickly? I doubt it.
Security expert Brian Krebs suggests “If you care about your account, get a Google Voice # to replace your mobile # in Twitter settings. Uncheck SMS. Then use only either mobile app or even better a security key for 2-factor authentication. Do this for every other account you care about that you can.”
His Twitter posts (https://twitter.com/briankrebs/status/1167581370048307206) give more detail, including the inconvenient fact that Google Voice numbers don’t work in many countries outside of the US. He clarifies later in the thread that “Basically you want to avoid any service that you can reach over the phone. Oddly enough, the lack of customer service people staffing Google Voice is a plus in this regard. If that describes another service that provides the same, then that’s probably fine, too.”
It’s those helpful customer service people who help you do the SIM swap.