Why I Do the Two-Step

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but it didn’t have anything to share by press time.

And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.

If you haven’t already taken the time to read Mat Honan’s mind-blowing story in Wired about how easy it was for a 19-year-old hacker to infiltrate his Amazon, Apple, Gmail and Twitter accounts, and then wipe out everything on his computer, including photos of his daughter’s first year, please take the time. Apple and Amazon’s security policies are pretty appalling.

Two years ago, a hacker got into my Gmail account, and for whatever reason, started deleting my messages. I quickly reset my password, and now have the two-step authentication process for my Gmail account. If I want to change my password or get into my account, Google has to send a PIN to my cell phone, which then has to be inputted into my account. It doesn’t make me feel 100 percent secure, but it does make me feel safer. Honan admits that he has been lucky: “They could have used my e-mail accounts to gain access to my online banking, or financial services,” he notes, but the hackers ultimately wanted access to his Twitter account.

---

14 Comments

Megano! (#124)

:O!!!!

I don’t understand the purpose of hacking someone’s twitter account though.

Wait, so you’re telling me that every single time you want to sign into Gmail you have to get a text message sent to you by google and then put that text’s number into Gmail?

Mike Dang (#2)

@Reginal T. Squirge You have to do it every 30 days on a “trusted” computer. If you’re trying to log in from a new computer, yes, you have to get the text authentication.

Ok, that’s not as much of a hassle as it originally sounded.

ThatJenn (#916)

@Reginal T. Squirge There are also other methods to get the code: you can install a small app on your phone that will generate the codes for you (so you don’t have to get a text for it) and also print a few back-up codes to keep in your wallet or somewhere safe in case you don’t have access to your phone. (These facts won me over.)

triplea (#1,234)

I must be some kind of an idiot because this was easy enough in gmail on a computer but I’ve totally fucked myself on my iphone and now I can’t access my app at all. WTF computerz :(

OllyOlly (#669)

@triplea If by this you mean you set up your two step log-in, but now when opening mobile apps it is asking for a password and not working – I can help! Google produces a code/password accessed through your gmail that you must put in as your password on the mobile apps.

Account -> Security -> Authorizing Applications and Sites

You ‘name’ your device (the produced code is not device specific – just a code to grant access to the next new device you connect to) and then it gives you a code. Put this thing in as your PW when prompted to log in and everything should work.

I had to do this to access gmail on my iPad, hope that made sense! It was pretty confusing the first time I set it up.

ThatJenn (#916)

@triplea It’s a little complicated the first time you set up your phone email client or other apps that use your Google password: http://support.google.com/accounts/bin/answer.py?hl=en&answer=185834&topic=1099588&ctx=topic#ASPs

Edit: OllyOlly beat me to it, but that link may help if you find yourself stuck following the instructions above (which are very good).

triplea (#1,234)

@ThatJenn @OllyOlly Thanks very much!

Slutface (#53)

Gmail keeps asking for my phone number, but I won’t give it to them. It’s a trap!
I do the secondary email address for my password resets.

alpacasloth (#108)

This was a good reminder for me to set up 2-step verification and go home and do my semi-monthly external HD backup.

I didn’t know about the two-step thing, but after reading this I did it RIGHT NOW. Scared straight. I also need to overhaul my password system, but this at least made me feel I was doing something responsible. And it was easy!

Fig. 1 (#632)

Eh, I thought that the 2-step verification was easily bypassed – there are a number of instructions on how to do it (and a friend’s gmail with 2-step was hacked recently). Basically if you are not fully resetting your browser and cookies every 2 min, it’s not as safe as you think. I thought the more effective option, as per XKCD, was to make your password as long as possible.
