Why text may not be the best choice for two-factor authentication

April 26 2019
  • Cloud News
  • Security

Many cyberattacks are carried out using stolen or weak credentials, which is why the security industry is encouraging us to take more care of our logins by adding two-factor authentication (2FA). This means that after entering your password, you also have to enter a verification code that’s sent to you via another device.

There are a number of choices for this; you can use an app such as Google Authenticator, or you can have an SMS text message sent to your phone. SMS is the most widely used form of 2FA because it’s easy, convenient and works for people who don’t have smartphones.

However, there are increasing worries about whether SMS is really a secure way of getting your 2FA codes. As far back as 2016, the National Institute of Standards and Technology (NIST) in the United States was warning that SMS may not be secure. [1]

SMS vulnerabilities

There are a number of techniques that cybercriminals can use to bypass 2FA if SMS is the method being used. Early attacks focussed on switching the user’s mobile number to a different provider. In some countries, notably Australia, this was relatively easy to do with minimal checks. A call to a service provider could get the number reassigned to a phone that the hacker controlled. It could take weeks for the legitimate owner to get the number back, by which time the attacker could have accessed bank accounts and transferred funds.

If someone has been lazy enough to use the same password for their mobile operator’s online portal as they have for other accounts, then in many cases all an attacker has to do is log in online to access stored text messages.

Malware is another means of getting hold of 2FA codes. Installed on the mobile phone, whether as part of a banking trojan or on its own, this allows the attacker to intercept 2FA codes or simply have them forwarded as they arrive.

Because people regularly lose or damage mobile phones, 2FA systems require a reset mechanism that allows people to recover their account. If an attacker has already compromised the user’s email, they may be able to simply bypass or reset the requirement for 2FA on banking or other systems.

Our old friend the social engineering attack can be a way around 2FA as well. The attacker calls, claiming to be from the user’s bank and says that as part of a fraud check they will be sent a code to verify their identity which they need to read back over the phone. The attacker then logs into the victim’s account with stolen credentials – thus generating a 2FA request – and the user reads the code back to the hacker, unwittingly compromising the account.

The latest technique is a variation on the man-in-the-middle attack [2]: a phishing email lures the user into a fake login session, and the attacker’s proxy captures the user’s password and 2FA code as they are entered.

Staying safe

Clearly, having 2FA on your account is better than simply relying on a password alone. But if you are using SMS as a means of receiving the code, then you need to recognise that there are risks. If you can, it’s better to use a more secure method such as an authentication app, which is harder for attackers to circumvent.

Of course, you should use strong passwords too and have different ones for each account. Use a password manager if you have trouble remembering them all. If SMS-based 2FA is the only method available, then it’s better than nothing, but be aware that it’s not perfect.

[1] https://www.securityweek.com/nist-denounces-sms-2fa-what-are-alternatives
[2] https://vimeo.com/308709275

© Copyright 2021. Cloudworks