Why you shouldn’t use two-factor authentication with SMS
- Tram Ho
Two-factor authentication (2FA) has long been trusted because of the extra protection it adds. The mechanism requires a second verification step on top of the password used to log in, which makes it much harder for an attacker to take over the account; it is especially useful on platforms such as Facebook, Instagram and Google.
One of the most popular 2FA methods today is SMS: a verification code is sent to the phone number registered on the user’s account. It sounds safe, since nobody but the user should be holding that phone number, but security experts have long warned that SMS is not a secure channel: the messages can be intercepted, spoofed and diverted.

Two-factor authentication using SMS
Despite its weaker security, two-factor authentication by text message is still widely used because it is simple to deploy and needs nothing but a phone.
How hackers “hack” SMS messages
SMS messages travel over the carriers’ telecommunications networks. Early on, attackers had many ways to break into the carriers’ network infrastructure directly; that route is now considered outdated and impractical for most attackers, who have turned to exploiting the users themselves instead.

Daniel Cid, founder of Sucuri, says that it is not only the carriers whose security is weak, but the phone manufacturers too:
“Voicemail boxes are protected only by a 4-digit PIN, and most carriers allow users to access voicemail remotely.
Easy to attack: just a few basic pieces of information about the victim are enough to reset the PIN.
Easy to spoof: SMS spoofing is extremely easy. SMS messages have no security mechanism or any certificate to verify that the sender is who they claim to be.”
Google is also working on a secure method and on a way to verify SMS senders; the details are in Google’s own post on the subject.
Attackers can combine various phishing methods to extract information from victims, for example by sending the victim a fake message that appears to come from a reputable sender. This method is currently extremely popular in Vietnam, because the management of SMS Brandnames (branded sender names) is not really effective and lets attackers register practically any Brandname, most of them bank names, for example “ACB”, “Vietcombank” or “VietinBanh”.

A Vietnamese bank impersonated by registering an identical SMS Brandname
In many cases the attacker lures unsuspecting users into entering their personal information on a realistic-looking phishing website. With those credentials the attacker starts a login on the real site, which sends an SMS verification code to the victim’s phone; the phishing page then asks the user to type that code in, so the attacker can relay it and complete the login before it expires.
Those are just a few of the common ways to exploit a victim’s lack of awareness. Some attackers rely on social engineering to obtain personal information; one of the simplest approaches is to have the SIM card swapped.

Here the attacker first collects as much information about the victim as possible: name, date of birth, address, identity card number and so on. Posing as the victim, with a phone and a new SIM card in hand, the attacker asks the carrier to activate the victim’s phone number on that SIM. If the request “passes”, the phone number is moved to the attacker’s SIM, and with it every account that relies on the victim’s registered phone number for verification. The method mainly exploits the carrier’s laxity in verifying the customer’s identity.

The “SIM swapping” method relies on social engineering
The process may sound complicated, but it is highly effective once it succeeds. Cloudflare was once “hacked” with this technique: AT&T (Cloudflare’s carrier) was tricked into redirecting voicemail, after which the attackers got into the email account via a 2FA verification code delivered to voicemail.
In many cases the two-factor code can also be read by a malicious application installed on the user’s device, most often on Android, if the user inadvertently grants the app access to messages (the READ_SMS and RECEIVE_SMS permissions). This is another common technique: the user is tricked into installing an unofficial app, which then asks for SMS access. If the user agrees, every message on the device can be read by the app and forwarded to a server of the attacker’s choosing.
Alternative 2FA mechanisms to use
SMS has proven to be a weaker authentication method. To reduce the risk of these attacks on end users, here are the alternatives to SMS recommended by security experts.
– Hardware two-factor device: a physical token that the user must possess to access the account. The device generates an authentication code, and the user enters both the password and the code to log in. Naturally, a lost device locks the user out unless backup codes were set up in advance.

– Two-factor authentication app: quite a few apps can generate authentication codes. As with a hardware token, the app produces a one-time code that the user enters to log in; the code is derived from a secret shared with the service and the current time (the TOTP algorithm), so nothing travels over the phone network. One of the most popular is Google Authenticator.

– IP-address-based authentication: many websites only allow access to an account from a trusted IP address, which reduces the chance of intrusion by strangers. Note that this is a network restriction rather than a true second factor: shared or changing addresses (mobile networks, NAT, VPNs) make it fragile on its own, so it is best combined with one of the methods above.
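Both the hardware token and the authenticator app described above produce their codes with the same standard algorithms, HOTP (RFC 4226) and TOTP (RFC 6238). The Python below is an added example, not code from the original article or from Google Authenticator: it implements HOTP/TOTP with the RFC test-vector secret, a server-side check that tolerates a small clock skew, compares in constant time and refuses to accept a code twice (so a code phished or intercepted as described earlier cannot be replayed), and builds the otpauth:// provisioning URI that authenticator apps scan. The issuer and account name are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed inputs: the shared secret is the RFC 4226/6238 test-vector secret,
# the issuer and account name below are made up for this example.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since
    the Unix epoch. Phone and server compute it locally, so no code ever crosses the
    phone network."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_step_used: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the code for the current step or up to `window` steps
    either side (small clock skew), compares in constant time, and refuses any step that
    has already been consumed so an intercepted code cannot be replayed.
    Returns (accepted, new_last_step_used); persist the second value per user."""
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate < 0 or candidate <= last_step_used:
            continue  # single use: this step (or an earlier one) was already accepted
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_step_used


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (what the enrolment QR code encodes). The secret is Base32-encoded;
    this is the only moment it leaves the server, so show it once over HTTPS and never again."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    print("enrol with:", provisioning_uri(SECRET, "ExampleBank", "alice@example.com"))
    now = int(time.time())
    code = totp(SECRET, now)  # what the app on the phone would display right now
    ok, last = verify_totp(SECRET, code, now, last_step_used=-1)
    print("first use accepted:", ok)
    ok, _ = verify_totp(SECRET, code, now, last_step_used=last)
    print("replay of the same code accepted:", ok)  # False: a code is single use
```

The server only ever needs the shared secret and a clock; the `last_step_used` value is the one piece of state that turns a code into a single-use credential, and it is what defeats the real-time phishing relay once the legitimate login has consumed the code.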
Source: Genk