August 25, 2016


Should You Use SMS Two Factor Authentication?

Some of you read “People” because it’s fun. I read publications like “TechWorld” because well, it’s fun! And, so you don’t have to! In a recent report, the National Institute of Standards and Technology advised the public to consider abandoning SMS two factor authentication. Others, however, aren’t so sure this is the right step to prevent identity theft. Perhaps the report was a little harsh, given all the benefits SMS has provided in terms of security? Let’s examine.

When you answer a message from someone, you want to be sure that this person is who they claim to be. Most of us look at the phone number and rarely question what caller ID says, but even caller ID can be spoofed. As hackers become more prominent, they are finding more ways to circumvent SMS two factor authentication. It is therefore crucial that we remain vigilant about protecting our information, and in many ways SMS two factor authentication continues to do so.

The Importance of Authorization

When it comes to authorization, you want to feel confident that only you have the ability to access your information. We know a simple username/password combo isn’t enough to keep criminals out of your accounts and help prevent identity theft.

How SMS Two Factor Authentication Works

With SMS two factor authentication, a secondary one-time password is sent via text. In order for SMS two factor authentication to work, the following elements are required:

  • Possession of a device or mobile phone
  • A PIN and/or passcode or a retina or fingerprint to get into the device
  • A username and password to access an online account
  • A one-time SMS password sent via the website

All of this needs to be provided in order to gain access to a critical account, which has proven to be sufficient for most users.

This means that a hacker would require access to the device, the PIN and/or password, the username/password and the one-time password in order to retrieve the information they are looking for. This would be considerably more difficult than needing only the online account password. In essence, this reduces the probability that someone will be able to not only hack your password, but then hack your device to retrieve the PIN.
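The second step described above, seen from the website's side, as an added example that is not code from this post or from IdentityForce. The class name, the `send_sms` callable, the five-minute lifetime and the three-guess limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of a texted code
MAX_ATTEMPTS = 3        # assumed guess limit per issued code

class SmsOtpVerifier:
    """Second login step: issue a one-time code, then accept it exactly once."""
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical callable(phone, text)
        self._clock = clock
        self._pending = {}          # username -> [digest, expires_at, attempts_left]

    def issue(self, username, phone):
        """Call only after the username/password check has succeeded."""
        code = f"{secrets.randbelow(10**6):06d}"   # drawn from a CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = [digest, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False                    # nothing issued, or already used
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]     # expired or out of guesses
            return False
        entry[2] = attempts_left - 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[username]     # one-time: a replay fails
            return True
        return False

def demo():
    """Constructed walk-through with a fake SMS gateway and a fake clock."""
    outbox, now = [], [1000.0]
    v = SmsOtpVerifier(lambda phone, text: outbox.append(text), clock=lambda: now[0])
    v.issue("alice", "+15550100")           # constructed phone number
    code = outbox[-1].split()[-1]
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    results = [v.verify("alice", wrong), v.verify("alice", code), v.verify("alice", code)]
    v.issue("alice", "+15550100")
    now[0] += OTP_TTL_SECONDS + 1           # code sits unread past its lifetime
    results.append(v.verify("alice", outbox[-1].split()[-1]))
    return results   # [False, True, False, False]
```

A stolen password alone never reaches `verify` with a valid code, and a code that has been used, has expired or has been guessed at too often is rejected.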

How Are Hackers Circumventing SMS Two Factor Authentication?

Man in the middle attacks:

  • Hacker gets ahold of your username and password.
  • Hacker tries to login and gets denied because of SMS two factor authentication.
  • Hacker contacts you via phone, email or social media with a ruse requesting your one-time password.

Phone cloning:

  • Hacker actually poses as you at a cell phone carrier’s brick and mortar store and gets a phone with your phone number.

Changing preregistered phone number:

  • Hacker contacts/socially engineers a website that you have set up with SMS two factor authentication and they allow the hacker to make a change in the registered mobile number.

Increase in Confidence Among Users

When using SMS two factor authentication, you do not have to be concerned if your password falls into the wrong hands, because the criminal still needs your one-time password to get in. Companies that advertise this benefit have a better chance of boosting their customers’ confidence and attracting more interest in their products and services with this added security.

So, should you abandon SMS two factor authentication? Not if you want to have an extra layer of protection. But as you can see, SMS two factor authentication is not foolproof. Over time, we will see more vulnerabilities, and we will also see banks and others use additional measures meant to protect us.

I’m confident in two things:

  1. Banks will figure out consumer friendly ways to keep us safe with an alternative to SMS two factor authentication.
  2. As an avid reader of the IdentityForce blog, you’ll be one step ahead of hackers as long as you continue to share and read these posts to maintain a level of cyber security smarts.

Robert Siciliano

Community Educator at IdentityForce
ROBERT SICILIANO, CSP, the #1 bestselling author, is serious about teaching you about fraud prevention and personal security. Robert is a private investigator fiercely committed to informing, educating and empowering people so they can protect themselves and their loved ones from violence and crime in their everyday lives, both in their physical and virtual interactions. Robert, a Certified Speaking Professional with an engaging “tell it like it is” style, is a favorite source for dozens of major media outlets, leading corporations and organizations looking for the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Robert is accessible, professional, and ready to weigh in and comment with down-to-earth insights at a moment’s notice on breaking news that affects us all.
