SMS 2FA – Know its flaws

SMS Based 2 Factor Authentication. You have likely used it. You try to log in to an online service and get sent a code in a text message to your device, which then needs entering into that online service.

It is an extra layer of security, and it's better than just a password of course. It does, however, have very real limits, and you need to know what they are.

You may or may not have heard of SIM card hijacking. It is when someone calls up your mobile phone operator and pretends to be you using social engineering techniques.

With the right information, someone can transfer your number onto their SIM card and then receive that SMS code directly themselves.

Let’s think about this for a moment. If someone calls up your mobile operator and gets your SIM swapped, then clearly this is a very targeted attack. Not a good place to be.

This is why it’s important to have several layers of defences (defence in depth). If they get past one layer, there is another to stop them. Unfortunately, it is possible to get past the SMS 2 factor authentication layer fairly easily.

So what should you do?

  1. Do not use SMS based authentication if you can. If you have choices, use an authenticator app at the minimum. Remove your phone number as a recovery option. But be sure you can get into the account if you lose your primary 2FA method (if you lose your phone, for example).

  2. Call up your mobile operator and evaluate what information someone would need to know to register your number to another SIM card. Do they just need your name, DOB, address and a password? Is that password easy to guess if they have done research on you?
    What info do you need to give if you say you can’t remember it? Is THAT information something someone else can get their hands on?
    You need to know the answers to these questions and address them accordingly.
