Ditch Texts/SMS as Second Factor Authentication When Possible
By now I hope you have at least some understanding of what Multi-factor Authentication (“MFA”), sometimes referred to as Second Factor Authentication (“2FA”), is (https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication). In brief, it is securing an account with a username and password plus a “Timed One Time Passcode” or “TOTP” that is usually 6 digits long and is sent to the user during logon using another means of transmittal; more on that in a minute. Unfortunately, this area of security lacks standardization in naming conventions and even in implementation. Every vendor chooses what to call it and how to implement the feature. That notwithstanding, it is perhaps the most important security technology available to us and we should be using it without prejudice. We must protect every account with MFA, and where it is unavailable from the vendor, we must press them to provide it. Our company uses an HR web portal, and even as recently as January 2021, MFA was not available to our users to protect their accounts. Fortunately, they have since released the feature and we are now more secure for it.
OK, so typically there are four common choices we can use as a second factor of authentication, and again, not every vendor provides them all or allows the user to choose which ones to configure EXCLUSIVELY. Therefore, while there may be several options, the vendor may be exposing you to risk. First, let’s review the four options:
- E-mailed Code: A code is sent to your e-mail on file or perhaps a secondary email you designate.
- SMS/Text: A code is sent to your phone number on file via text messaging or “SMS”.
- Phone Call Verification: Your phone will receive a call with an automated voice telling you the code.
- Authenticator App or Hardware Key: A code is automatically generated at a set interval, usually 30 seconds, and is only valid in that time. These can be smartphone apps or hardware keys the size of USB thumb drives with an LCD screen cycling the numbers.
Understand Weaknesses in MFA Options
Every MFA option above has its inherent weaknesses; here’s a great article from Microsoft on that (https://techcommunity.microsoft.com/t5/azure-active-directory-identity/all-your-creds-are-belong-to-us/ba-p/855124). Your email address can be compromised and email is usually sent unencrypted. Phone numbers can be hijacked using the well-known SIM Swap attacks (https://www.vice.com/en/article/a37epb/t-mobile-alert-victims-sim-card-hack). The latest is a shocking article posted by Vice (https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber) demonstrating how easy it is for scammers to hack and steal your text messages. According to the article, hackers don’t need to talk to you or your carrier or even have possession of your phone. With a minor service fee and a few forms, they’re able to take over your number and re-route your text messages within minutes.
This specific hacker used Sakari, a marketing tool used by businesses to engage customers via texts, but apparently there are many providers of such services. Due to the lack of standardization and security in the global text messaging protocol, the barriers to this attack are quite low. Read the article for more details; it’s quite unnerving.
How to Protect Yourself Using an Authenticator App
For some time now, we at EVERNET (www.evernetco.com) have been well aware of the risks associated with using email, phone calls and texts as a second factor of authentication, so it has been our standard recommendation to our clients to use an Authenticator App or Key EXCLUSIVELY wherever possible. This latest report on the SMS/Text hack sent chills down my spine as I read it, knowing that today most people are using texts as their go-to MFA choice. Let me double down here and say again, to plead with you all, that if you are not taking your account security seriously, do so right away. Use an authenticator app exclusively, not as a second or additional option, going so far as to disable the other 3 methods if the vendor allows it. Until there are stricter protocols or regulations protecting SMS, it is simply not ideal for protecting yourself, your business, or your clients.
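To show why an authenticator app is not exposed to text re-routing, here is an added example (not part of the original post) of how such a code is computed under RFC 6238: the app and the server each derive it from a shared secret and the clock, so nothing is sent over SMS or email at logon. The function names and the sample secret (the RFC's published test secret) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the published RFC 6238 test key, base32-encoded
# the way an enrollment QR code would carry it. Never use it for a real account.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """Compute the code for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)       # window number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, step=30, drift_steps=1,
           last_used_step=-1):
    """Server-side check. Returns the matched window number, or None.

    Accepts +/- drift_steps windows of clock skew and refuses any window at
    or before last_used_step, so an observed code cannot be replayed.
    """
    current = unix_time // step
    for candidate in range(current - drift_steps, current + drift_steps + 1):
        if candidate <= last_used_step:
            continue
        expected = totp(secret_b32, candidate * step, step, len(submitted))
        if hmac.compare_digest(expected, submitted):     # constant-time compare
            return candidate
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print("code at t=59:", code)
    print("accepted one window later:", verify(SAMPLE_SECRET, code, 89))
    print("accepted after expiry:", verify(SAMPLE_SECRET, code, 150))
    print("accepted on replay:", verify(SAMPLE_SECRET, code, 59, last_used_step=1))
```

The secret is exchanged once at enrollment and stays on the device afterward, which is why taking over a phone number does not yield the codes.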
If you have any questions or concerns about your business’s security or need assistance, we make ourselves available to our clients around the clock to provide training and implementation support. Please contact me directly if you are not yet a client.
Eric is a Business IT cybersecurity advisor, consultant, manager, integrator, and protector who founded EVERNET in 2007. Eric co-hosts a podcast called “Finance and Technology Insights by Brian & Eric” on YouTube. Eric is a regular contributor to the EVERNET blog, writing about the latest technology news and providing his expertise in cyber security prevention and management.