[ALERT] A Gaping Hole in Your Online Security
For several years, I’ve been writing about and recommending two-factor authentication, also known as “2FA” or “two-step verification,” to secure your online accounts. (It can protect you even if your password is guessed or stolen.) You may have already started using this technique. But you may be blissfully unaware of a gaping hole that could still leave you exposed to account takeover and identity theft. Read on to learn about the dangerous flaw in two-factor authentication, and of course, the solution!
Are You Doing Two-Factor Authentication Wrong?
In recent years, stories have appeared in the technology news about people or organizations that had been dutifully using two-factor authentication (2FA), but they still got hacked. The problem is the use of SMS (text messaging) to implement 2FA.
You’ve probably experienced this scenario when attempting to log in to your bank or other online accounts. You enter your username and password, then the website says “Check your phone for a text message with a six-digit code, and enter it below.” In theory, it’s an effective way of ensuring that it’s you, and not a hacker who successfully guessed your password or got it in a data breach.
Text messaging, though, is an inherently insecure means of communication. Poorly trained (or unscrupulous) customer service agents at your mobile phone company can also be the reason that 2FA breaks down. (More details on that later.)
Reddit, the popular social media site, learned in 2018 that “SMS-based authentication is not nearly as secure as we would hope,” and suffered a breach when hackers tricked a cloud service provider into sending them the 2FA login code. Likewise, bitcoin investor Michael Terpin lost $24 million in a “SIM swap” attack when a hacker persuaded an AT&T customer service rep to change the account password, redirecting Terpin’s incoming texts and calls to a phone the hacker owned. These and other hacks spotlight a dangerously flawed two-factor authentication (2FA) technique that is all too commonly deployed by firms that store consumers’ financial, medical, and other sensitive data.
A SIM swap attack can happen if someone knows your phone number, the last four digits of your Social Security number, or other “personally identifying information” readily available in a data breach. All they have to do is call your mobile provider’s customer service line, pretend to be you, and provide the necessary information to confirm your identity. From there, they can redirect your phone number to another device.
If that line of attack is not effective, hackers can exploit decades-old weaknesses in the telecommunications system. In my article, Is Someone Listening To Your Calls?, I explain how holes in SS7, the signaling protocol that controls how traffic flows over mobile networks, can enable hackers to set up “man in the middle” traps. Text messages are not encrypted in transit. So it’s possible to intercept an SMS code sent by your bank, use it to hack your account, and pass the code on to you so that you never suspect anything is wrong... until you try to get into your supposedly double-locked account, where the hacker has already changed the password. Bottom line: SMS messaging is about as secure as the old-fashioned “party lines” that let you listen in on your neighbor’s conversations.
Don't Get Me Wrong, 2FA is Good
Two-factor authentication (when done right) is a very good thing. Google, Microsoft, and other online services offer 2FA without the insecure SMS requirement. If you turn on this option you’ll need to enter your username/password as usual. You’ll then be prompted for an authentication code before the login can be completed. The code comes from an authenticator app on your Android or iOS device. This time-sensitive code can be generated even if you’re not online, and you can also print a list of codes for use when you don’t have your phone handy.
The U.S. National Institute of Standards and Technology (NIST) has been saying since 2016 that sending an authentication code via text message (SMS) is not secure, and has advocated banning the use of SMS for login verification. A recent article published by Alex Weinert, the Director of Identity Security at Microsoft, warns that “It’s time to start your move away from SMS and voice... authentication mechanisms.”
Weinert recommends an authenticator app, or preferably a hardware security key instead, to implement two-factor authentication. See my articles [DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts and Are You Ready for Hardware Security Keys? for help getting started with those techniques.
Nonetheless, SMS messaging is still widespread either as a primary 2FA method or as a backup method should a user be unable to complete authentication via the primary method. Medical practices and other small professional businesses are often not very security-savvy. Some banks, credit unions, and investment managers are also still using SMS-based 2FA. They are either unaware of its hazards, or they feel their customers are not savvy enough to use one of the alternatives mentioned above.
If your banking, medical records, or other sensitive online service offers only SMS-based 2FA, it's still better than nothing. But definitely add a lock screen password to your phone, and change your settings so text messages are not displayed when your phone is locked. Contacting the company to let them know you want a more secure method of login verification would also be a good idea.
Do you use two-factor authentication? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 16 Nov 2020
Copyright © 2005 - Bob Rankin - All Rights Reserved