Wednesday, August 12, 2020

Researching whether SMS 2FA is secure, researchers find a deeper problem

Also maybe don’t use text messages to verify your identity.


What you need to know

  • Princeton researchers wanted to know if 2FA is secure using SMS as a factor.
  • Researchers called carriers trying to transfer (steal) accounts to new SIM cards.
  • Major carriers made it easy to steal prepaid accounts, confirming that SMS is not a secure 2FA method.

Researchers at Princeton University were questioning whether SMS text messaging is a secure authentication method to use as one factor in a two-factor authentication (2FA) setup. The answer turned out to be a resounding no, especially as the team started to attack prepaid plans on the largest mobile carriers.

If an attacker can gain control of a phone number by switching a victim’s account to the attacker’s SIM card, the attacker can then hijack the verification process that uses SMS by receiving the authenticating text messages instead of the victim. In ten out of ten attempts to steal numbers from prepaid customers on AT&T, Verizon, and T-Mobile, researchers were able to transfer the account to their own SIM card. Attempts on Tracfone and US Mobile were less successful, but those carriers were not completely secure.

In some instances, when researchers called posing as the account holder, the customer service representative guided them to the correct identity verification answers, or simply granted access even after they had guessed incorrectly. The researchers found vast inconsistency, occasional failures to verify identity altogether, and generally enough weakness in the security policies to recommend avoiding SMS as a password authentication method altogether. Since the study was disclosed to carriers last year, T-Mobile has said it has updated its verification methods to avoid the less secure checks.

The report suggests carriers abandon all of the lousy, insecure methods currently in use and switch to secure methods like an account password/PIN, or at least a one-time code sent directly to the user via SMS or email. Many of the current forms of identification like street address, date of birth, and some credit card information can be found through public record searches. Identifying info, such as the date of the victim’s last payment or the phone numbers of recent callers, can be manipulated or spoofed to fool representatives. Websites are also recommended to cease using SMS as part of a multi-factor authentication scheme.
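The one-time code the report recommends only helps if the carrier's (or website's) verification logic handles it carefully: the code should expire quickly, survive only a few wrong guesses, work once, and never be stored in plaintext. The following is an added illustration of that server-side issue/verify logic, not code from the article or the Princeton study; the channel that delivers the code (SMS or email) is out of scope, and the five-minute lifetime and three-attempt limit are assumptions chosen for the example.

```python
"""
Added example (not from the article or the Princeton study): server-side
issuance and verification of a one-time identity-verification code, with
expiry, attempt limiting, single use, salted hashing and constant-time
comparison. The delivery channel (SMS/email) is not modelled.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code


@dataclass
class PendingCode:
    digest: bytes            # salted SHA-256 of the code; plaintext is never kept
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class OneTimeCodeStore:
    clock: callable = time.time          # injectable so expiry can be tested
    pending: dict = field(default_factory=dict)

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account_id: str) -> str:
        """Create a fresh random code for the account and return it for delivery.

        Issuing a new code replaces any outstanding one for the same account.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[account_id] = PendingCode(
            digest=self._digest(code, salt),
            salt=salt,
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        """Return True only for an unexpired, unused code with attempts remaining.

        Any outcome that should end the challenge (success, expiry, lockout)
        removes the pending entry so the code cannot be replayed.
        """
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[account_id]
            return False
        entry.attempts_left -= 1
        # Constant-time comparison of digests avoids leaking how many
        # characters of a guess were correct.
        ok = hmac.compare_digest(self._digest(submitted, entry.salt), entry.digest)
        if ok or entry.attempts_left <= 0:
            del self.pending[account_id]
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("subscriber-123")      # would be sent to the user here
    print("wrong guess accepted:", store.verify("subscriber-123", "000000"))
    print("correct code accepted:", store.verify("subscriber-123", code))
    print("replay accepted:", store.verify("subscriber-123", code))
```

The design point is that the representative never sees or compares the code themselves, so they cannot "guide" a caller to it the way the researchers observed with knowledge-based questions; the only path to a true result is possession of the freshly delivered code within its lifetime.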
