“Hacker” by the Preiser Project via Flickr. (CC BY 2.0)

Independent researchers in Egypt have identified what appears to be a new technical avenue for state surveillance: manipulation of the two-step verification process.

Many activists, journalists and regular citizens throughout the world use two-step verification (see below) on social media and email services in order to bring a new layer of security to their communications. But now, it appears that state actors may be exploiting this feature for their own gain.

In Egypt, as in many countries around the world, the state controls the telecom infrastructure and the private telecommunications companies run the services and the networks. During the uprisings on 25 January 2011, the state famously coordinated a sequence of shutdowns on different communications systems. But censorship is only part of this dynamic of control.

In December 2015, Egypt blocked Facebook’s “Free Basics” mobile app. While many were quick to focus on the blocking as an act of censorship, multiple outlets reported that the blocking was due to Facebook’s refusal to let the Egyptian government spy on users of the app.

For Internet users, these and other similar incidents prove that mass surveillance and targeted surveillance can happen easily. In Egypt, leaked documents and technical research also have proven that  government agencies are purchasing malicious hacking technologies and coordinating with private telecom companies as part of their ongoing interest in eavesdropping on the communications of their citizens.

Now, by using more sophisticated tools and resources (as documented here for example in using Blue Coat and RCS products in Egypt), the state no longer depends on the telecom companies to get access to citizens’ data and communications information.

This means that phone calls, text messages and geographical location (gps) are easily logged and accessible for Egyptian authorities to see, without any due process or appropriate legal protections. If an officer “wants to” have this information, he can have it. And this gives the state easy access to the information of activists.

So who can target high profile activists? Theoretically, non-state actors could target activists using tools obtained on the black market. But practically speaking, and since Egypt's ecosystem is very closed and state-controlled, the state and state-associated groups are the main perpetrators of this type of surveillance.

Two-step verification is regularly recommended as a simple way to mitigate this type of surveillance. But it becomes a weak point when the state gains access to a person's accounts by intercepting the incoming messages to their mobile.

How are state actors exploiting this feature?

As a user, if you forget your password for a particular platform, you can often recover your password by asking the platform to send a unique code to your mobile. When you receive the code, you enter it in the platform as away of verifying your identity. In Egypt, however, thanks to strong state control over telecommunications infrastructure, it appears that state actors have been using this feature to their gain. They attempt to access activists’ accounts by selecting the “forgot password” option, and then intercept (or block) the code sent to the activist’s mobile phone. This allows them to rest the activist's password and effectively take over his or her their account.

Although you can later on have a code-generator app on your mobile for the codes instead of getting an SMS, this happens only after activating two-step verification and providing your mobile number — and that’s the situation with most services.

Independent researchers in Egypt have evidence that the security and intelligence sector in Egypt now has the ability to target activists and Internet users by sending them phishing links to gain access to their accounts and remotely control their computers. But these news findings suggest that they are coordinating with the private telecom sector in new ways as well.

Multiple high-profile activists have been targeted in this way over the past in the past few years. Most recently, on 26 March 2016, this model was used to target prominent award-winning journalist and blogger Wael Abbas, as part of a bigger hacking campaign. His Gmail account was also targeted: He received an email notification from Google that read: “state-sponsored attackers may be attempting to compromise your account” in the inbox. On his mobile, Wael received a fake pop-message telling him to update the software. The message seemed strange to him, and it was different from the usual updates and upgrade notifications that are sent to Android devices. The message even had a typo.

On 30 March 2016, Mohamed Gaber, a well-known graphic designer and activist (aka Gue3bara), reported getting a password-reset SMS without requesting one. On 1 April 2016, award-winning human rights advocate and journalist Nora Younis reported getting two such notifications. With her password in hand, a person could make multiple attempts to log in to her account.

These and other experiences show the vulnerability of two-step verification in cases where an adversary is capable of SMS interception.

How do I know if I’m being targeted this way? If I’m worried, what should I do?

The only way to avoid such targeting is by removing any and all mobile numbers from all your email and social media accounts. An alternative solution is to use secondary email accounts as your the recovery options.

And as always, it is important to use a unique, strong passphrase instead of a password and avoid using the same phrase or variations on that phrase on any two of your accounts.

Ramy Raoof is a technologist, privacy and digital security consultant in Egypt. Find him on Twitter at @RamyRaoof.

Mohamed Najem contributed research for this post.