Some of you read “People” because it’s fun. I read publications like “TechWorld” because, well, it’s fun! And so you don’t have to! In a recent report from the National Institute of Standards and Technology, the public has been advised to consider abandoning SMS two factor authentication. Others, however, aren’t so sure this is the right step to prevent identity theft. Perhaps the report was a little harsh, given all the security benefits SMS has provided? Let’s examine.
When you answer a message from someone, you want to be sure that this person is who they claim to be. Most of us look at the phone number and rarely question what caller ID says, but even caller ID can be spoofed. And as hackers become more prominent, they are finding more ways to spoof SMS two factor authentication. It is therefore crucial that we remain vigilant about protecting our information, and in many ways SMS two factor authentication continues to do so.
The Importance of Authorization
When it comes to authorization, you want to feel confident that only you have the ability to access your information. We know a simple username/password combo isn’t enough to keep criminals out of your accounts and help prevent identity theft.
How SMS Two Factor Authentication Works
With SMS two factor authentication, a secondary one time password is sent via text. In order for SMS two factor authentication to work, the following elements are required:
- Possession of a device or mobile phone
- A PIN and/or passcode or a retina or fingerprint to get into the device
- A username and password to access an online account
- A onetime SMS password sent via the website
All of this needs to be provided in order to gain access to a critical account, which has proven to be sufficient for most users.
This means that a hacker would require access to the device, the PIN and/or passcode, the username/password and the onetime password in order to retrieve the information they are looking for. This would be considerably more difficult than needing only the online account password. In essence, this reduces the probability of a successful attack, because someone would have to not only hack your password, but then also hack your device to retrieve the PIN.
How Are Hackers Circumventing SMS Two Factor Authentication?
Man in the middle attacks:
- Hacker gets ahold of your username and password.
- Hacker tries to login and gets denied because of SMS two factor authentication.
- Hacker contacts you via phone, email or social media with a ruse requesting your onetime password.
- Hacker actually poses as you at a cell phone carrier’s brick and mortar store and gets a phone with your phone number.
Changing preregistered phone number:
- Hacker contacts/socially engineers a website that you have set up with SMS two factor authentication and they allow the hacker to make a change in the registered mobile number.
Increase in Confidence Among Users
When using SMS two factor authentication, you do not have to be concerned if your password falls into the wrong hands because the criminal still needs your onetime password to get in. Companies who advertise this benefit have a better chance of boosting their customers’ confidence and attracting more interest in their products and services with this added security.
So, should you abandon two factor authentication for SMS? Not if you want to have an extra layer of protection. But as you can see, SMS two factor authentication is not foolproof. Over time, we will see more vulnerabilities and we will also see banks and others use additional measures meant to protect us.
I’m confident in two things:
- Banks will figure out consumer friendly ways to keep us safe with an alternative to SMS two factor authentication.
- As an avid reader of the IdentityForce blog, you’ll be one step ahead of hackers as long as you continue to share and read these posts to maintain a level of cyber security smarts.