SMS vs. 2FA

SMS vs. 2FA

- 2 mins
security hacking

As hacks and exploits are becoming more common and mainstream, lay people need to be aware of the risks that they put themselves in when companies propose “two-factor” authentication as a means of security. Most people don’t understand the idea behind two factor authentication and may not even activate it. Two-Factor Authentication is another step in the process of accessing a user’s account. Most people re-use usernames and passwords, which make them highly vulnerable when a service that they also use gets hacked and their credentials are stolen. So first, please do not re-use credentials on multiple sites. Secondly, by activating 2FA, you create another step that an attacker would have to go through to gain access. Most services give you the option with sending an SMS message or using some sort of authenticator app, such as Google Authenticator, Authy, etc.. By using 2FA, your account can only be accessed via devices that you trust. When you sign into a service on your laptop, then on your phone, how does the service know that it is still you if it has never heard of your phone before? By utilizing this second factor of authentication, the service can pretty much guarantee that whoever is signing in is who they say they are.

The Attack

Attackers can use SMS phishing to gain access to someone’s accounts through social engineering. You may receive a text message from your phone provider saying that your account has changed or something that prompts you to dial a number or go to a link. From here, the user can change the number to a new phone number or turn account access over to them and now they control your life. They can access your other accounts and start stealing money, running spam efforts and more. So now security researchers are starting to encourage people to utilize 2FA instead of SMS. If an attacker can change your number or impersonate you and use another number. They will easily get your second factor access codes via SMS and be in. Nobody knows that it’s not you. So, go ahead and use Google Authenticator. And if you are using GMail, don’t have a backup phone set. An attacker can also gain access to that without a password. When an attacker does SIM swapping or cuts the ties of your phone to the network, they can hijack your 2FA codes as the codes depend on the SIM card.

Using App instead of SMS

By utilizing 2FA via Google Authenticator, SIM swapping won’t hijack your 2FA codes as it now depends on the app itself, not the SIM card. The application will still work even when you don’t have mobile coverage. Google Authenticator uses OATH TOTP and HOTP 2FA, which is secure, can be run in multiple applications, and doesn’t need the trust from the cell provider.

As everything becomes more evolved and attackers become better and cracking through these means be aware of how you protect your credentials, devices, and access to services. Whether it is two factor authentication or two step verification, protect yourself before you get attacked.

Related Posts

Jake Tarnow

Jake Tarnow

Not Your Average Engineer

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora