[ALERT] A Gaping Hole in Your Online Security
For several years, I’ve been writing about and recommending two-factor authentication, also known as “2FA” or “two-step verification”, to secure your online accounts. (It can protect you even if your password is guessed or stolen.) You may have already started using this technique. But you may be blissfully unaware of a gaping hole that could still leave you exposed to account takeover and identity theft. Read on to learn about the dangerous flaw in two-factor authentication, and of course, the solution!
Are You Doing Two-Factor Authentication Wrong?
In recent years, stories have appeared in the technology news about people or organizations that had been dutifully using two-factor authentication (2FA), but they still got hacked. The problem is the use of SMS (text messaging) to implement 2FA.
You’ve probably experienced this scenario when attempting to log in to your bank or other online accounts. You enter your username and password, then the website says “Check your phone for a text message with a six-digit code, and enter it below.” In theory, it’s an effective way of ensuring that it’s you, and not a hacker who successfully guessed your password or got it in a data breach.
Text messaging, though, is an inherently insecure means of communication. Poorly trained (or unscrupulous) customer service agents at your mobile phone company can also be the reason that 2FA breaks down. (More details on that later.)
Reddit, the popular social media site, learned in 2018 that “SMS-based authentication is not nearly as secure as we would hope,” and suffered a breach when hackers tricked a cloud service provider into sending them the 2FA login code. Likewise, bitcoin investor Michael Terpin lost $24 million in a “SIM swap” attack when a hacker persuaded an AT&T customer service rep to change the account password, redirecting Terpin’s incoming texts and calls to a phone the hacker owned. These and other hacks spotlight a dangerously flawed two-factor authentication (2FA) technique that is all too commonly deployed by firms that store consumers’ financial, medical, and other sensitive data.
A SIM swap attack can happen if someone knows your phone number, the last four digits of your Social Security number, or other “personally identifying information” readily available in a data breach. All they have to do is call your mobile provider’s customer service line, pretend to be you, and provide the necessary information to confirm your identity. From there, they can redirect your phone number to another device.
If that line of attack is not effective, hackers can exploit decades-old weaknesses in the telecommunications system. In my article “Is Someone Listening To Your Calls?” I explain how holes in SS7, the protocol that controls how traffic flows over mobile networks, can enable hackers to set up “man in the middle” traps. Text messages are not encrypted during transit. So it's possible to intercept an SMS code sent by your bank, use it to hack your account, and pass the code on to you so that you never suspect anything is wrong... until you try to get into your supposedly double-locked account, where the hacker has already changed the password. Bottom line: SMS messaging is about as secure as the old-fashioned “party lines” that let you listen in on your neighbor’s conversations.
Don't Get Me Wrong, 2FA is Good
Two-factor authentication (when done right) is a very good thing. Google, Microsoft, and other online services offer 2FA without the insecure SMS requirement. If you turn on this option you’ll need to enter your username/password as usual. You’ll then be prompted for an authentication code before the login can be completed. The code comes from an authenticator app on your Android or iOS device. This time-sensitive code can be generated even if you’re not online, and you can also print a list of codes for use when you don’t have your phone handy.
The U.S. National Institute of Standards and Technology (NIST) has been saying since 2016 that sending an authentication code via text message (SMS) is not secure, and has advocated banning the use of SMS for login verification. A recent article published by Alex Weinert, the Director of Identity Security at Microsoft, warns that “It’s time to start your move away from SMS and voice... authentication mechanisms.”
Weinert recommends an authenticator app, or preferably a hardware security key instead, to implement two-factor authentication. See my articles [DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts and Are You Ready for Hardware Security Keys? for help getting started with those techniques.
Nonetheless, SMS messaging is still widespread either as a primary 2FA method or as a backup method should a user be unable to complete authentication via the primary method. Medical practices and other small professional businesses are often not very security-savvy. Some banks, credit unions, and investment managers are also still using SMS-based 2FA. They are either unaware of its hazards, or they feel their customers are not savvy enough to use one of the alternatives mentioned above.
If your banking, medical records, or other sensitive online service offers only SMS-based 2FA, it's still better than nothing. But definitely add a lock screen password to your phone, and change your settings so text messages are not displayed while your phone is locked; otherwise anyone holding the phone can read the code off the lock screen without unlocking it. Contacting the company to let them know you want a more secure method of login verification would also be a good idea.
Do you use two-factor authentication? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 16 Nov 2020
Source: https://askbobrankin.com/alert_a_gaping_hole_in_your_online_security.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "[ALERT] A Gaping Hole in Your Online Security"
Posted by:
greenisnews
16 Nov 2020
Both options {sms and app on phone} are poor choices.
a. SMS you described here. Country and network dependent, most network operators simply do not offer an option for you to "lock" the account so no new sims can be issued.
b. 2FA on the phone is not much better. We turn our mobile phones into gold bars.
What are we most likely to lose by accident and theft? The mobile phone, with all these super safe keys on the device.
c. Using USB keys. Most do not use these exclusively. Take Google as an example, they will still use your phone even if you registered the dongle.
Been trying to find an android capable raspberry pi with gsm. This so I can lock this in a safe with a sim I do not use or carry on my person. This is still not available at a reasonable cost.
For now all sing "get 2FA on your phone." It is in some ways worse than where we started.
Years later, this is still not resolved.
Posted by:
Nigel A
16 Nov 2020
The usual 2FA requires a mobile/cell phone. That's fine provided there is a reliable cell phone service. We have unreliable service at home due to the terrain. If 2FA could be modified so that it happened when the user was away from their usual computer or location, then I would be more enthusiastic about using it.
Posted by:
hifi5000
16 Nov 2020
SS7, the protocol used by the phone companies, is inherently insecure. It was developed for use over internal telephone trunks, mainly landlines. It was carried over to the cellular networks without much thought to security. Text messages, though simple, eventually are somewhat insecure as well.
No one ever thought that hackers would have a field day with it, but here we are. In my opinion, anything sent over the air is subject to interception. I don't care about laws or cellular security, it will happen.
I would recommend that if you are using 2FA, try using a regular landline where interception of your call is harder to get.
Posted by:
Patrick
16 Nov 2020
Bob - This seems like sowing FUD - fear, uncertainty, and doubt. For the vast majority of people username/password entry into a website works just fine. Using 2FA for financial information (banks or investment sites) is an added bonus. If you dive into the details of intercepting SMS messages it takes considerable time and resources. I appreciate all the great info, but I think it needs to be said this is not a problem for most of your readers.
Posted by:
Wayne Hathaway
16 Nov 2020
This has been going on for a LONG time! Decades ago an unscrupulous AT&T employee enabled "Remote Call Forwarding" on my landline, unbeknownst to me. Then they used Western Union to send a large amount of cash to their account. When Western Union called my phone to verify, they had remotely forwarded it to their phone and pretended to be me! The only reason I found out was the FBI had been following the crooks and called me. I was all set to fly to LA to testify against them, but they agreed to a plea deal. Anyway, that ploy of secretly redirecting your phone has probably been around as long as there have been phones!
Posted by:
Ewan
16 Nov 2020
I reckon that it's an equal risk if "you can also print a list of codes for use when you don’t have your phone handy". A printed list doesn't sound all that secure.
Posted by:
James A Anderson
16 Nov 2020
I have encountered 2FA with very discouraging results. Having to purchase texting from your phone provider and then having to wait for receiving the text (or e-mail) is stupid. I'm considering returning to snail mail, it is more reliable and safer. One should consider effects on the senior citizens that find some of these changes difficult to follow.
Posted by:
Mac Eld
16 Nov 2020
What leaves me wondering about security are credit card company practices. What do they know about user security that other companies don't? I seldom have to go through a 2FA process to access my CC account. And I am almost never asked to change my password. Why not? I've had the same PW for a major CC account for maybe ten years. I don't think my online access to my CC account has ever been compromised. The card number, yes. The online account, no. What do they know that other companies don't?
Posted by:
Daniel Wiener
16 Nov 2020
I depend mostly on "security by obscurity". I take reasonable precautions, and depend on the computers at the credit card companies I use to spot any unusual activity (which has happened). They then contact me in those cases, so I can indicate whether the activity is valid. And most companies are very good about reversing any fraudulent or scam charges.
Text or email 2FA is just another layer of protection to further minimize risks. But 2FA doesn't have to be foolproof, and it's not worth the hassle of trying to make it so.
I like to use the analogy of locking my car. I live in a fairly safe city, so the odds of my car being stolen are low but not non-existent. If the car is locked, that further reduces the odds, perhaps by a factor of 10. But what if I forget one night to lock the car? It's more at risk for that one night, but if that happens at most a handful of times per year then my car is still safer by a factor of 9.9 instead of 10. That's good enough. There's no absolute certainty against car theft, but it isn't worth going to the hassle and expense of further reducing that already-small risk.
Off-topic, but I use that same analogy for COVID: I take reasonable precautions, but occasional breaches (e.g., sometimes forgetting to wear a mask or not always social distancing) are similar to not locking my car 100% of the time. The added percentage risk is miniscule. And the consequences are tolerable: The risk of death from contracting COVID is typically less than 1%. In the same way, the impact of having your car stolen is not enormous, if you have insurance (or prefer to self-insure) or the police recover it. The same argument applies to most data breaches.
People need to learn to realistically estimate risks of all kinds, and make sensible trade-off decisions.
Posted by:
Doug
16 Nov 2020
To: Daniel Wiener - Not wearing a mask puts others at risk too so that's a huge difference. That's all I'm going to say.
Posted by:
Jerry
16 Nov 2020
I use an authenticator app (Authy) when I can. However, my problem is that SMS is still allowed as a backup 2FA method. A hacker or bad actor would just bypass the authenticator app.
Posted by:
Daniel Wiener
16 Nov 2020
To: Doug - The act of driving a car also puts others at risk, so that's not a huge difference. Unfortunately, most people's perceptions of various risky activities fail to accurately correspond to the actual danger levels shown by the statistical data.
Posted by:
BaliRob
17 Nov 2020
My view is really very simple - if the hackers have managed to subvert my phone provider for the irregular eTAC I receive - then no other additional security measures will help - they will have taken your money and the fight with your bank begins QED
Posted by:
Peter Oh
17 Nov 2020
Bob,
You have yet again presented a number of alternative solutions to a problem that should not exist (but it does).
Frankly posting a series of links that might upon careful & time consuming examination, point to safer options, well that's just not good enough!
Not many of us have the capability to implement successfully anyway.
Why not present a simple list of best actions to achieve better security with no impact on usability?
Posted by:
RandiO
17 Nov 2020
ZDNET subject line reads: "Microsoft urges users to stop using phone-based multi-factor authentication" on November 12, 2020. MFA/2FA kinda puts the kibosh on the whole concept of convenience in your [whichever]-pocket. And the most recent recommendations for less complicated passwords by NIST add a whole new 'chink' in our security knight's armor.
Posted by:
Ernest N. Wilcox Jr.
17 Nov 2020
I use a strong password (in LastPass), and my (encrypted) desktop PC as my 2FA with my bank. If I use either of my laptops to access my bank, when I log in, I am presented with a screen that requires me to have the bank call me. When I receive the call (immediately), I enter a unique code posted on the bank's web page into my phone. After entering the code, the robotic phone call directs me to "click the Continue key" on the web page. The next page requests a few personal bits of information, then I am allowed to access my online banking web page. I believe that this is fairly secure since I am sending a code back to the bank (not the other way around). Most of my other online services are protected with 2FA using the LastPass authenticator, which I can securely access from my desktop or phone.
This is my 2fa experience,
Ernie
Posted by:
Stephe
17 Nov 2020
Risk cannot be eliminated, but the potential for loss must be part of the calculation. Few of us have large Bitcoin accounts that would make a determined and sustained attack worthwhile...
My accounts all have long random passwords that are unique to each account stored in KeePass. Having passed the username/password stage, a text to my phone is more than sufficient given the relatively small loss potential.
Everything being on our phones is problematic, but I don't do smartphones.
Posted by:
DBAsteve
17 Nov 2020
I don't have a cell phone. A few of the banks and investment companies call me on my land line for 2FA. It works for me.
A few years ago, the Social Security Administration REQUIRED a cell phone for 2FA. That requirement didn't last long.
Posted by:
Kate
17 Nov 2020
I sometimes feel like I'm one of the few people that doesn't bank or make purchases with a cell phone. I have never felt that cell phones are secure. I use my desktop computer for banking and purchases, and get emails for 2FA.
Posted by:
RML
20 Jul 2021
Bob, the post by Peter Oh (17 Nov 2020) seems like a reasonable suggestion on this nasty matter. Most people, as you know, are not too versed in security tech, so consider the "KISS" formula; my wife reads your e-mail too. This way I don't have to answer so many questions.
You're doing a great job, keep it coming...RML