How insecure is SMS-based two-factor authentication, actually?

Spoiler alert: it’s just as (in)secure as the next form of second-step authentication.

And we’ll showcase why.

Two-factor authentication (2FA) adds a second layer of security on top of the simple username-and-password login.

Looking back at 2018 and the countless articles and blog posts published on the topic of A2P SMS – where it’s been, where it’s headed, is it dying?? (of course not!) – there was one recurring theme: the inherent security (or lack thereof) of second-step authentication measures. Many questioned whether 2FA really works, and whether hackers could get around it.

One cyber-security and privacy firm recently published a blog post describing how attackers working for a certain government used spear-phishing emails to collect their targets’ personal information, namely their various online credentials.

They included a hidden tracking image in the email body that alerted the attackers when the target opened the message.

  • Fear not, it’s not that easy (or simple)! The tracking image only told the attackers when a target had viewed the message, nothing more. That changed once the unsuspecting target actually clicked the phishing link (user error number 1).
  • The targets were then taken to a fake Yahoo or Gmail login page and asked to (re)enter their credentials (user error number 2), which, if the account had it enabled, triggered a 2FA prompt via SMS or a dedicated app.
  • The users then received a one-time password on their own, non-hijacked phones and typed it into the fake login page (user error number 3). The attackers relayed it to the real service and gained full access to their targets’ accounts.

Was 2FA to blame here?

The targeted users made three consecutive lapses in judgement before the attackers got in! Attacks like these are (or at least should be) easily preventable with a healthy dose of common sense.

Even though there are ways to get around 2FA, it is still safer than relying solely on the old-fashioned username and password. To bypass 2FA, the attacker has to get through two authentication steps instead of just one.

Now, in fairness to the victims, the fake websites can closely resemble the real thing.

Anyone would consider Google’s main domain (google.com) to be safe and secure, and attackers make very good (mis)use of that trust. They create pages on the sites.google.com domain, which lets them publish arbitrary content under a google.com hostname, and dress the address up with names such as “management”, “service” or “identification”, all of which add to the sites’ false credibility.
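As an added illustration (not part of the original post), the check below shows why “it lives under google.com” is not enough: it separates Google’s actual sign-in host from the user-content host the post mentions, and flags the credibility words in the address. The host lists and the credibility-word list are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed policy for this example: the host that really serves Google
# account sign-ins, and the host that serves anyone's published content.
LEGIT_LOGIN_HOSTS = {"accounts.google.com"}
USER_CONTENT_HOSTS = {"sites.google.com"}
# Words the post says attackers use to make a fake page look official.
CREDIBILITY_WORDS = ("management", "service", "identification")


def assess_login_url(url: str) -> dict:
    """Return what a cautious user (or a mail filter) should notice about
    a URL that is asking for credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    findings = []

    if parts.scheme != "https":
        findings.append("login page is not served over https")

    # Being a sub-domain of google.com is not the same as being the login.
    under_google = host == "google.com" or host.endswith(".google.com")
    if host in USER_CONTENT_HOSTS:
        findings.append(f"{host} hosts user-created pages, not account sign-ins")
    elif "google" in host and not under_google:
        # e.g. google.com-service.example: the brand name is bait, the
        # registrable domain is somebody else's.
        findings.append(f"{host} only imitates a Google domain")

    hits = [w for w in CREDIBILITY_WORDS if w in path]
    if hits:
        findings.append("official-sounding words in the address: " + ", ".join(hits))

    return {
        "host": host,
        "trusted_login_host": host in LEGIT_LOGIN_HOSTS,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample addresses, shaped like the ones the post describes.
    for u in ("https://accounts.google.com/signin",
              "https://sites.google.com/view/account-management/identification",
              "http://google.com-service.example/login"):
        print(u, "->", assess_login_url(u))
```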

The bottom line: SMS-based 2FA is safe, and the alternatives provide similar levels of security, as long as you are wary and vigilant on the web to begin with.

And remember, if you ever find yourself the target of an attack, put your sceptic’s spectacles on before doing anything you might regret later. In cases like this the power is still in your hands!

Monty Mobile SMS Gateway Management is one such solution that helps keep everyone at ease and secure. A properly managed next-generation gateway is imperative for MNOs: SMS Gateway Management gives operators the right tools to block security threats and identify legitimate traffic.

Contact us today to find out more.
