On June 26th Wired shared:
Since two-factor authentication became the norm for web services that care about securing your accounts, it’s started to feel like a security blanket, an extra layer keeping your data safe no matter whether your password is as strong as 8$&]$@I)9[P&4^s or as dumb as dadada.
Two-factor authentication (2FA) works by generating a temporary code, which is sent to your phone number. This code must be entered in addition to a password in order to access your account. However, SMS messages are the weakest method of adding this extra layer of security to your account.
The point of 2FA is to create another barrier to an unauthorized party accessing your account. It asks a user to input something they know (for example, a password) along with something they have (i.e., their phone). The purpose of this is to confirm the user’s identity.
When people enable 2FA on an account, they tend to feel that this is the magic solution that keeps their account safe. Recent events have shown that this can be a false sense of security. If you are using SMS messages as your means of 2FA, you could be leaving your accounts vulnerable to hackers.
Why the SMS to browser system is insecure
The problem with using SMS messages to verify your identity is that you can fall victim to social engineering that is out of your control. A criminal hacker can call up your service provider pretending to be you and ask them to redirect the verification messages to a different number. This method is called a SIM swap scam. The website has no way to verify whether the person who received the code is the intended recipient.
Getting past this system of verification does not even require any massive changes to existing hacking techniques. For this reason, you should stop using your phone number for 2FA. In fact, the US National Institute of Standards and Technology (NIST) has released a new version of its Digital Authentication Guideline. It says that SMS-based two-factor authentication should be banned in future because it poses serious security concerns.
Some services (such as Twitter) still only offer 2FA via SMS. Even this is a recent development, and Twitter encourages users to set up their account this way now that the option is available. This is dangerous. Earlier this month, Black Lives Matter activist and politician DeRay Mckesson had his account hacked. The hackers posted from his account contrary to his political stances. They were able to do this by intercepting Twitter's 2FA codes.
The moral of the story is that the SMS to browser system just does not provide enough of a barrier to hackers. If anything, defeating it requires nothing more than a slight readjustment of tactics.
By calling @verizon and successfully changing my phone’s SIM, the hacker bypassed two-factor verification which I have on all accounts.
— deray mckesson (@deray) June 10, 2016
To clarify, you should be using two-factor authentication. It is one of the best ways we have to date to secure your accounts. However, there are better ways to do it than SMS. For example, a more secure way to use 2FA is an authenticator app such as Google Authenticator. With this method the code is produced by the app on your device rather than delivered to your SIM card, so it works even when you have no mobile coverage.
Unfortunately, this approach is less convenient. Many people are reluctant to set up even SMS 2FA because of the extra step it adds to logging in to their account. Using an app is a further step, so even fewer people are willing to use it. However, taking that extra step to ensure your account's security is worth it in the long run, and everyone who values their accounts, data, and privacy should make the switch.