The Flaw in Secure Logins
You've probably experienced two-factor authentication (also known as "two-step verification") when logging into certain websites. In addition to your username and password, many banks and other online services now send you a text message with a code that you must enter to verify your identity. But there's a gaping hole in that extra layer of security. Here's what you need to know...
The Secure Way to do Two-Factor Authentication
I've discussed two-factor authentication previously in my article IMPORTANT: An Extra Layer of Security. If the topic is new to you, I suggest you read that article first.
Sending a second authentication code via text message (SMS) is frowned upon in the latest edition of the Digital Authentication Guideline published annually by the National Institute of Standards and Technology (NIST). While the guideline is not legally binding, all U.S. government agencies follow it, and eventually most private developers and users of authentication technology fall in line. NIST warns agencies that SMS will be banned outright in the near future, so the days of SMS being used for login verification are numbered.
The problem is that the SMS protocol utterly lacks security. Most phones display text messages even when the phone is locked. So if a hacker has your phone, he doesn’t even need to unlock it to get that second key to your bank account. (Presumably, the hacker already has your password and username; hundreds of millions of such credentials are on sale all over the Web.)
To make matters worse, the SS7 protocol that enables phone traffic to pass between carriers is fatally flawed. See my article, Is Someone Listening To Your Calls? for details on that. The holes in SS7 enable hackers to implement “man in the middle” traps. Text messages are not encrypted during transit. So it's possible to intercept an SMS code sent by your bank, use it to hack your account, and pass the code on to you so that you never suspect anything is wrong… until you try to get into your supposedly double-locked account, where the hacker has already changed the password.
Two-factor authentication (2FA) via SMS is pretty common because it is so easily implemented, and because most people carry a phone that can receive text messages. But its security flaws have been known for years, and some online services are already moving to more secure 2FA methods.
A Better Way to Implement 2FA
I also strongly recommend that you see my articles on How To Get Your Free Credit Report and 10 Tips for Identity Theft Protection.
Facebook’s mobile app uses something called Code Generator when its members turn on “login approval,” the social network’s term for 2FA. Code Generator creates 6-8 digit codes that can be used as second authentication factors to log into the Facebook app, even when cellular or Internet connectivity is unavailable.
Google Authenticator is an app for Android, iPhone, and BlackBerry devices that does much the same things as Code Generator; its code changes every 30 seconds, making last minute's code useless to hackers. And it's not just for Google services. Authenticator can provide verification codes for WordPress, Dropbox, and many other logins. It should go without saying that if you're going to use an app like this on your phone, a lock screen password is a must.
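The 30-second rotation described above is the Time-based One-Time Password algorithm (TOTP, RFC 6238), which apps like Google Authenticator implement: the app and the website share a secret, and each 30-second window yields a fresh code derived from an HMAC over the window number. The following is an added example, not code from the article or from any authenticator app. It uses the 20-byte test secret published in RFC 6238 (`12345678901234567890` in ASCII) so the results can be checked against the RFC's own tables; the one-window skew tolerance in `verify_totp` and the offline `now` values are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second windows since the epoch."""
    return hotp(secret, at_time // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps hand the shared secret around as (often unpadded) base32; re-pad before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` neighbours on each side (clock drift),
    compare in constant time, and reject anything older. `skew` is an assumed tolerance, not an RFC value."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for window_offset in range(-skew, skew + 1):
        expected = totp(secret, now + window_offset * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Stand-alone demo using constructed, offline timestamps instead of time.time().
    code = totp(RFC6238_TEST_SECRET, 59)           # window 1 -> "287082" per RFC 6238
    print("code at t=59:", code)
    print("accepted at t=59: ", verify_totp(RFC6238_TEST_SECRET, code, 59))
    print("accepted at t=89: ", verify_totp(RFC6238_TEST_SECRET, code, 89))    # adjacent window, still accepted
    print("accepted at t=150:", verify_totp(RFC6238_TEST_SECRET, code, 150))   # four windows later: "last minute's code" fails
```

Because the code is a function of time and the shared secret only, nothing travels over the phone network; an attacker who can read your SMS gets nothing, and a code captured from one window is rejected once the window (plus the server's small drift tolerance) has passed. The shared secret, not the code, is what must be protected, which is why the lock screen matters.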
Authy and Duo provide non-SMS apps for consumers and organizations who want to use two-factor authentication.
Other 2FA methods, such as biometrics (thumbprint and other physical characteristics), are not as easily implemented as SMS. They also have their own flaws; one team of security researchers successfully replicated a politician's thumbprint from an enhanced video of his appearance on a news program, and used it to hack his phone. Two-factor authentication schemes, using SMS and other methods, have been hacked at PayPal, WordPress, Google, and Instagram.
For now, at least, specialized 2FA apps like Authenticator and Code Generator are on the rise. If you have a smartphone, you can download an app that is much more secure than an SMS-based scheme. Apps are more convenient and cheaper (usually free) than separate dongles or eyeball scanners.
If your banking, medical records, or other sensitive online service offers only SMS-based 2FA, it's still better than nothing. But definitely add a lock screen password, and change your settings so text messages are not displayed when your phone is locked. And ask when a more secure method of login verification will become available.
Do you use two-factor authentication? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 13 Sep 2016
Article information: AskBobRankin -- The Flaw in Secure Logins (Posted: 13 Sep 2016)
Source: https://askbobrankin.com/the_flaw_in_secure_logins.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "The Flaw in Secure Logins"
Posted by:
Mark H.
13 Sep 2016
Yes, I use two factor authentication using SMS for some web sites. As soon as I log in, the message gets deleted. And, I'm a Luddite when it comes to phones, still using old fashioned "flip" phone. No issues so far.
Posted by:
JIMeans
13 Sep 2016
The Social Security Admin emailed all folks who had online accounts a couple of months ago and warned anyone visiting their account would then be subject to the two-step authentication. About a month later, they wrote to say they were tossing out that step. My bank uses an off-shoot of the rolling authentication code. It works okay, but it still can be hacked. Ah well. On to the next new thing.
Posted by:
Ed
13 Sep 2016
I'm a little hesitant to give my cell phone number to all these people. I get enough spam calls as it is. I don't need my cell number being passed around (sold) any more than it already is.
Posted by:
Hira
13 Sep 2016
Thanks for the article Bob. Always glad to see your wise explanations and suggestions. I do use 2FA on US Govt websites. But the phone number I get the message on is a Google Voice number. I get an email message on my Gmail and I copy and paste the code on the website I am working on. Never get authentication on my cell phone. I felt this is a safer way as I have to log in to my email (or to Google Voice) to get the code. Yes, it is a bit extra work but I think it is worth it. I do this on a desktop or a laptop connected by ethernet, to make it safe. Hopefully I am doing the right thing!
Posted by:
Stuart Berg
13 Sep 2016
Thank you for covering alternatives to SMS. To make matters even worse, for me SMS is practically useless since I have no cell service at my home where I am located most of the time. (What am I supposed to do, drive 3 miles to get my authentication code and drive back home to use it on my desktop PC?) I was furious when the Social Security Administration required SMS. It essentially locked me out of my account.
Posted by:
Paulus
13 Sep 2016
"… if a hacker has your phone …"
What? I must be missing something.
A hacker could be on the other side of the world: I wouldn't expect him to have my phone.
EDITOR'S NOTE: Or it could be the guy sitting next to you. If you've never accidentally left your phone in a taxi, at a restaurant, or some other public place, your track record is better than mine!
Posted by:
Bob Price
13 Sep 2016
I use two step but not to a phone. The second layer sends a code to my email.
Posted by:
Paul
13 Sep 2016
I use 2FA using the Google Authenticator app which I currently have setup to provide codes for Google (multiple accounts), Microsoft, Teamviewer, Facebook and Dropbox. Nice to have one app that can provide 2FA codes for many services.
Posted by:
Bruce
13 Sep 2016
Fact of life: Every time someone invents a new lock, 14 people find ways to pick that lock.
Posted by:
Joe M
14 Sep 2016
So, in the grand scheme of things... this, IMO, rates a 0.5.
I have 3 different authenticator apps on my phone as I type this, so I'm sensitive/aware to the issues.
But phishing, social engineering, and even people stealing from your mailbox is more of a concern.
As you stated, if your service doesn't support authenticator apps, you're outta luck.
So worry about what you can fix.
Posted by:
Richard
14 Sep 2016
I have a problem with SMS or similar in that I do not have a mobile phone (nor do I want one).
For banking my bank issues a chip card reader. You insert your card into the device and enter your PIN. For certain types of transaction (withdrawing money) the bank generates a code; you enter this into the reader, which responds with a reply code to verify the transaction. Thus to get money out via the web you need all my login credentials, my card, my PIN and a reader.
Posted by:
Sally
14 Sep 2016
Oh, my, and this is all supposed to be so much more convenient and safer than the old fashioned CHECK written and signed by the account holder and then READ by a person at the bank?? Hmmm, something is not computing well here.
Posted by:
Robert
15 Sep 2016
Swiss banks provide their customers with a hand held encoding device (free) into which your bank card is inserted. What follows has variations but is more or less correct.
First, you log into your online account. One then inserts the bank card into the encoding device and enters the PIN code. Enter the numbers provided on screen into the encoding device. This will generate a new set of numbers. These numbers are entered on the PC and voila, you are logged into your account.
Reasonably secure I would guess using a one time pass code. Not sure how they handle cell phones.
And yes I know American Banks hardly make any money at all, certainly not enough to provide this service for their customers.
Posted by:
Karena
15 Sep 2016
Sally - A friend of mine closed a checking account at a credit union: six months later, someone stole her old checkbook and wrote a bunch of checks out of it. When the bank got the checks, they re-opened her account, cleared the checks, then tried to charge her for the value of the checks plus overdraft fees!