Two-factor authentication is awesome, and I highly recommend it for everything. The most common way to implement it is through codes you get over SMS or text messages. This is not the best way to do it.
It could have been prevented. Here’s what happened. A bad guy with a cell phone and a new SIM card pretended to be my pastor and called up my pastor’s cell phone provider’s customer service. The bad guy convinced them to change my pastor’s phone number over to the bad guy’s SIM card. Then the hackers began to get all of my pastor’s phone calls and text messages.
My pastor is relatively tech-savvy, so he had two-factor authentication set up on many accounts, mostly through SMS. So after the attackers took over his text messages, they got the two-factor authentication codes. Of course, this doesn’t explain how they got his passwords. This part is simpler. They probably just bought them on the dark web, where most of our passwords are available.
The attack is not particularly sophisticated. With minimal training, I could teach you how to replicate it. If you don’t want to learn, you can pay about $10 on the Internet for somebody else to do it for you. Fun times.
How could he have avoided this attack?
If he had used app-based two-factor authentication, like Google Authenticator or Authy (my favorite, shown at left), it would have been much more difficult, maybe impossible, for the attackers to get into his accounts. Even if they had gotten control of his cell phone number, they would not have been able to get any codes, because the second factor would have been generated by the app on his physical phone rather than delivered by text message.
Want to know if a website supports two-factor authentication (2FA)? Check out https://2fa.directory/, where you can search across hundreds of websites.