SIM-swapping scams and other techniques pose a risk to those who depend on phone-based authentication
But don’t make the error of disabling MFA entirely – even vulnerable SMS-based MFA is better than no MFA at all
Regular readers of Hot for Security know that we’re big fans of multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA).
Multi-factor authentication makes it much harder for hackers to break their way into your online accounts, even if they already know your password.
An online account protected by MFA will prompt you to enter a separate one-time code – often made up of six random digits that expire after a short period of time – after you’ve entered your password.
The thinking is that a malicious hacker may have managed to correctly guess your password, or cracked it, or phished it, or perhaps exploited the fact that you used the same password elsewhere on the web that later got breached, but they won’t – presumably – have access to your MFA authentication code.
So, my advice is to turn on multi-factor authentication where it’s supported on as many of your accounts as possible, whether it’s called MFA, 2FA, or perhaps 2SV (two-step verification). It’s a great step to take which can harden the security of your online accounts.
But having MFA enabled isn’t a guarantee that your account will never get hacked, and that’s especially true if you’re using phone-based MFA – which is usually delivered via an SMS message.
As we’ve described before on a number of occasions, hackers have successfully pulled off SIM-swapping scams.
If successful, a SIM swap (also referred to as a “port out” scam) can mean that a criminal now has control over your telephone number, and can receive any calls made to you and any SMS text messages.
In short, if you’re relying upon an SMS or voice message to deliver your MFA code to you, it has now been handed straight to a potential hacker instead.
And it’s for that reason that Alex Weinert, Microsoft’s director of identity security, has this week urged users to stop using telephone voice messages and SMS text messages for MFA.
“These mechanisms are supported by publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” wrote Weinert.
“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usefulness advantages.”
So what should you do?
Weinert argues that you would be better off using a smartphone authentication app to generate your one-time password.
Perhaps the best known authentication app, available for iOS and Android, is Google Authenticator, but others include Microsoft Authenticator, Duo, and Authy.
So what shouldn’t you do?
Please don’t disable SMS-based multi-factor authentication on your accounts if you don’t have another form of authentication to move to. Even if SMS and voice calls are probably the least secure method of MFA, it’s still better than nothing. So take steps to harden your security, but don’t throw the baby out with the bathwater.