By Sherri Davidoff   /   Dec 12th, 2019

Not all Two-Factor Authentication is Created Equal

You did it: you set up two-factor authentication, so that a text message is sent to your phone when anyone tries to log in to your accounts. The text message contains a PIN, which you need to enter in addition to your password in order to log in. That means criminals can’t get into your accounts, right?

Wrong. Cybersecurity professionals have long known that there are security holes in two-factor authentication that relies on text messages (SMS). The U.S. federal government dropped SMS-based authentication like a hot potato back in 2016, urging users to switch to more secure options. Recently, criminals have ramped up their attacks, demonstrating repeatedly that SMS-based authentication is easily bypassed.

Hackers broke into Reddit employee accounts and stole customer data last year, despite the fact that the company had deployed two-factor authentication. “[W]e learned that SMS-based authentication is not nearly as secure as we would hope,” wrote CEO Christopher Slowe, in the high-profile Reddit breach announcement.

How do criminals bypass SMS-based two-factor authentication?

SIM-swapping attacks

It’s easier than you might think for criminals to take over your phone number. In “SIM-swapping” attacks, also known as “SIM hijacking,” criminals convince an employee of your telecommunications company that they are you, often using stolen personal information, such as your Social Security Number. Then, they convince the provider to port your number to a different phone, claiming that either the old phone was lost or that you want to “upgrade” to a new phone.

In August, Twitter CEO Jack Dorsey was famously hit with a “SIM swapping” attack, when criminals took over his phone number and used it to send out Tweets to his 4.2 million followers. Criminals use the same technique to break into high-profile social media accounts and steal money from your bank accounts.

Social Engineering

It’s not high-tech, but criminals can simply steal SMS-based PINs by tricking users into giving them the codes, either using phone scams or fake web sites that look just like the real ones. Then, the criminals use the PINs immediately to log in to the targeted accounts.

Infected Cell Phones

Your cell phone can get infected with malware, too. In fact, malware for cell phones has been prevalent for many years, and is often designed specifically to intercept PINs that are sent to you via SMS by your bank or credit union when you login to your accounts. Common banking Trojans that infect PCs often include mechanisms to subsequently steal your phone number and model, so that the criminals can then target your cell phone with a “security update” that includes malware. From there, they can capture all text messages sent to your phone, including PINs needed to break into your accounts.

Vulnerable Telecommunications Carriers

Criminals emptied bank accounts across Germany in 2017, after exploiting a well-known flaw in the global SS7 protocol. Although researchers had issued warnings for years, telecommunications companies remained vulnerable, and ultimately criminals took advantage. More recently, Chinese state-sponsored hackers have been infecting telecommunication servers in order to monitor SMS messages. Since SMS messages are not encrypted in transit, they can easily be monitored and stolen as they are sent across telecommunications networks.

Strong Two-Factor Authentication Options

The good news is that there are strong and convenient two-factor authentication options available, such as:

Smartphone apps

Over three-quarters of Americans now own smartphones, opening up a world of options for strong two-factor authentication. Smartphone apps such as Google Authenticator, Authy or Duo offer stronger security, such as codes that are generated on the device itself (meaning they do not need to be sent across the phone network, and therefore can’t be intercepted in transit). As an added benefit, these apps work even if the device is not connected to any network at all.

Authenticator apps are designed to resist SIM swapping attacks. Criminals cannot steal the secret key needed to generate your unique codes without access to the phone itself—simply stealing your phone number won’t cut it.
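To make the point concrete, here is an added example (not code from the original post or from any of the apps named above) of the time-based one-time password scheme (RFC 6238) that authenticator apps use: the secret is shared once at enrollment, the 6-digit code is derived on the device from that secret and the current time, and the server recomputes the same code locally, so nothing secret ever crosses the phone network. The server side also refuses to accept the same time step twice, so a code that was captured or phished after use cannot be replayed. The Base32 secret used in the comments is the RFC 6238 reference test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

DIGITS = 6   # code length shown to the user
STEP = 30    # seconds per time step (the "30-second countdown" in the app)


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP code for a Base32-encoded secret at a given Unix time.

    This runs identically on the phone and on the server; only the secret
    (exchanged once, usually as a QR code) and the clock are inputs.
    """
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check: accept the current step plus/minus one step of clock
    skew, and never accept a time step at or before the last one that succeeded,
    so a code that has already been used (or stolen and used) is rejected."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_step_used = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // STEP
        for step in range(now_step - self.skew, now_step + self.skew + 1):
            if step <= self.last_step_used:
                continue                          # replay of a consumed step
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_step_used = step
                return True
        return False


# RFC 6238 reference key "12345678901234567890" in Base32 (test vector, not a real secret)
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

The published RFC 6238 vector for this key at Unix time 59 is 94287082; with six digits that is the trailing 287082.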

Certain smartphone apps can even be configured to support “push” notifications, which are simply pop-ups that prompt the user to confirm or deny authentication attempts. Whereas codes can be stolen by a criminal through social engineering tactics, “push” notifications require users to respond using the actual device itself.

Hardware tokens

Modern hardware tokens have come a long way since the early days, and now offer convenient two-factor authentication in a tiny package that you can attach to your keyring. Products such as the Yubikey support a myriad of two-factor authentication options, including USB and NFC (for mobile devices), which seamlessly integrate with popular services such as Microsoft Office 365 and Google. Users can use “one-touch” biometric authentication to login, and ditch passwords entirely.

4 Tips to Protect Your Organization

Here are tips to protect your organization:

  • Implement a strong two-factor authentication solution, such as a smartphone app or hardware dongle. For step-by-step instructions, see LMG Security’s how-to videos for setting up two-factor authentication for Microsoft Office 365 and Google.
  • Turn off SMS-based authentication. It’s important to disable SMS-based two-factor authentication after you’ve set up a stronger option. Otherwise, criminals can just force services to use SMS anyway, if it’s your fallback method. For example, in November 2019, Twitter rolled out a new feature which allows users to disable SMS-based authentication.
  • Check that your cloud providers support strong authentication (not just SMS) before you sign up. If you’re already using a platform that does not support strong authentication, urge your vendor to roll out support, and carefully evaluate whether the risk is worth the benefit of that service.
  • Add a PIN or passphrase to your cellular accounts, in order to prevent criminals from swapping your SIM card using stolen personal information. All major U.S. carriers support this option.

Criminals are constantly working to break into social media, banking, email accounts and more. In recent years, they’ve rolled out very effective techniques for bypassing SMS-based two-factor authentication. While SMS-based authentication is better than nothing, it’s far less secure than many popular alternatives. Whenever possible, use strong two-factor authentication, such as authenticator apps or hardware dongles like the Yubikey.

Contact LMG if you have any questions or need help rolling out a strong authentication solution.

About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.