Why You Shouldn’t Use SMS as your 2FA

2FA / MFA Issues

Every time you’re online and a site sends a separate code to check your identity, you’re using two-factor authentication. It has become the norm and if you are not doing this for all your online accounts then you should start straight away (check out our article on Why 2FA is Important). As with most things security wise, hackers have figured out how to get around the SMS code, too. This article shows you how they do it and how to stay safe.

Billions of usernames and passwords have been leaked, which means that access credentials everywhere are at risk – especially if you are reusing your password on more than one site (don’t do this!).

Business websites want to offer a secure user experience, so two-factor authentication (2FA) or multi-factor authentication (MFA) has become the norm. It is meant to help stop automated attacks in which bad actors use the leaked usernames and passwords.

But, if you are using SMS messages to send you the one-time code to your phone, you may still be at risk. But how can hackers get around this? You have your phone in your hands and the hackers may be on the other side of the world.

Hackers, can call your telephone company and impersonate you by using using information they have from a data leak. Your name, date of birth and other identifiers may be available on the Dark Web! They can then say you have lost your phone and can then transfer your phone number to a device with a different SIM card.

This means that when the one-time SMS code gets sent your phone number, the message will instead go to their device.

Android Users Be-aware

Hackers have an easier time getting access to text messages on Android devices due to SMS mirroring apps.  If hackers have access to your Google credentials, they can log into your Google Play account and install a message-mirroring app on your smartphone.

The app synchronizes notifications across your different devices and enables the viewing of messages on a separate computer or tablet! So when the one-time SMS code gets sent to your phone, because of the message-mirroring app, the hacker’s device will also receive the code.

What Can You Do to Protect Yourself?

You must start with using unique passwords for all sites you visit. If you are worried that you will forget them, use a password manager to keep all your access credentials in one secure place for you.

It is also a must to check to see if your credentials haven’t been compromised. If you use Google’s password service, you can head to the password manager site and tap “check passwords” to see if there are any issues. On Firefox, head to the Firefox Monitor page and “Check for Breaches.” On Safari, click on Preferences, and then on Passwords to see what recommendations they have for your security.

Immediately change any passwords that have been involved in a leak!

To avoid the SMS concern specifically, avoid using one-time SMS codes to verify your identity. Instead, you can use a non-SMS authentication tool such as Google authenticator or MS Authenticator. Both provide a two-step verification services within the app itself.

Do you need help learning if your credentials have been leaked or would like assistance setting up more security for your online activity? We can help. Contact our IT experts today.

Leave a Reply

Your email address will not be published.