How Cybercriminals Are Breaking 2FA
It’s no surprise that many security breaches are due to weak passwords and poor team training. What may be a surprise is that, where multi-factor authentication was implemented, it blocked more than 90% of breaches. However, bad actors are constantly evolving and have found a way to break through one of the most popular forms of multi-factor authentication: the one that delivers codes by text message. Here’s how.
What’s Wrong With SMS 2FA?
We’re all familiar with using our smartphones to verify our identities. We log into a website, we are asked to prove who we are, and we are then sent a code via an SMS text message that we type into a dialog box to verify our identity. The problem is that SMS is not a secure channel for delivering those codes. It has gotten to the point that even Microsoft recommends that organizations begin moving away from SMS and voice multi-factor authentication.
SMS Has Always Been Problematic
Before the current issues, there was SIM swapping, also known as mobile number transfer. SIM swapping occurs when a cyberattacker contacts a target’s cell phone carrier, convinces them that they are the phone number’s owner, and requests that the number be switched to another SIM. Once done, the cybercriminal receives any verification codes meant for the rightful owner of the device, allowing them to gain access to your network. Historically, carriers haven’t offered a lot of protection to prevent this. Sometimes, all the cybercriminal needs to know is your phone number and your date of birth to convince the carrier to give them control.
The latest hustle targeting smartphones via SMS is the reverse proxy attack, and it starts with phishing. The phishing site looks like the legitimate website you would attempt to log into, but it sits between you and the real service, so everything you type goes to a cybercriminal instead of, say, Google or Apple. Because the real site still sees a login attempt, it sends the 2FA code as usual, and the target types that code into the phishing page. The attackers collect these codes and, along with the passwords, can log into the target’s account and reset the credentials.
Once they have access to your Google account, they can gain access to your Google Play Store account. From there, they can push a malware app to your phone without your knowledge. This allows them to mirror your messages, using apps designed to synchronize notifications such as SMS prompts across different devices.
The next step is to attempt a login to your network, wait for the two-factor text message to be mirrored to them, and complete the login. Chances are your team member wouldn’t even give it a second thought as long as they were able to gain access. This is different from smishing, which relies on sending a text message to the intended recipient and using phishing techniques to convince them to share sensitive information.
Some Steps You Can Take to Protect Your Mobile Identity
Cybercriminals rely on people not taking the time to protect themselves, which unfortunately is often the case. While most people recognize the risk that comes with reusing passwords, using unsecured Wi-Fi, and creating easy-to-guess passwords, there are still areas of exposure many people don’t consider. Here are some additional steps you can take to prevent your mobile identity from being compromised.
Check your carrier’s policy regarding changing or transferring numbers to ensure they have a robust identification protocol in place. Without one, a bad actor can transfer your number without providing substantial proof of identity before the transfer is allowed to proceed. If you can set up multi-factor or two-factor authentication with your cellphone provider, do so, and check whether you can put a PIN or ID number on your account that must be provided to get support. Don’t make that number your date of birth or something else easily guessable!
Be cautious when contacted by people claiming to be figures of authority. Legitimate organizations such as banks, the IRS, or your cell phone carrier will not ask for your passwords over the phone or via SMS. Knowing this, take a moment to confirm that the request is indeed legitimate. A quick online search of the number or name that contacted you can often tell you if it is suspicious.
Be careful which apps you download. As we saw with message mirroring, an app installed without the owner’s knowledge was what gave the cybercriminal access to the mobile device.
Consider Using Alternatives To SMS
If you’re like most business owners, you have invested in Bring Your Own Device (BYOD) and seen its benefits. Your team members are using their own devices to gain access to your network. If you’re following best practices, you should be using 2FA, and while it is certainly better than nothing at all, now is the time to consider other methods to protect your data.
There are authentication apps that we can recommend for your staff to use that are much more secure. They generate the code on the device itself, so they don’t depend on a message coming in over the cellular network that someone else could intercept or redirect. We’d be happy to help you implement this across your user base.
Another alternative is physical authentication keys. These are physical devices that connect to your computer via USB, significantly reducing the possibility of a bad actor accessing your systems by using stolen credentials and pretending to be you. A security key is a powerful security feature because, unlike password-based authentication, unless the hacker has physical possession of your security key, they won’t be able to progress into your system. That said, they only tend to work for specific situations, like logging into a Windows computer; the keys themselves have a cost; and, like any physical object, they could be lost or stolen.
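To make the difference between the relayable SMS code in the reverse proxy attack described earlier and a security key concrete, here is an added toy model; it is not code from the article. It assumes the key behaves like a FIDO2/WebAuthn authenticator (the page does not name the standard), signs only for the origin the browser reports, and uses HMAC-SHA256 in place of a real signature, with constructed example origins.

```python
import hmac, hashlib, secrets

REAL_ORIGIN = "https://login.example.com"    # constructed sample origin
PHISH_ORIGIN = "https://login-example.com"   # constructed look-alike origin

class SecurityKey:
    """Toy key: one secret per origin, used only for the origin it was enrolled at."""
    def __init__(self):
        self.secrets = {}

    def enroll(self, origin):
        self.secrets[origin] = secrets.token_bytes(32)
        return self.secrets[origin]                 # shared with the site at enrolment
    def sign(self, browser_origin, challenge):
        key = self.secrets.get(browser_origin)      # origin comes from the browser, not the page
        if key is None:
            return None                             # no credential scoped to this origin
        sig = hmac.new(key, browser_origin.encode() + challenge, hashlib.sha256).digest()
        return {"origin": browser_origin, "challenge": challenge, "sig": sig}

class Site:
    """Relying party: accepts only assertions whose signed origin is its own."""
    def __init__(self, origin, key_secret):
        self.origin, self.key_secret = origin, key_secret

    def verify(self, assertion, challenge):
        if assertion is None or assertion["origin"] != self.origin:
            return False
        expected = hmac.new(self.key_secret, self.origin.encode() + challenge, hashlib.sha256).digest()
        return assertion["challenge"] == challenge and hmac.compare_digest(assertion["sig"], expected)

def sms_code_relayed():
    """Proxy forwards the victim's SMS code verbatim: the real site cannot tell."""
    real_code = f"{secrets.randbelow(10**6):06d}"    # code the site texted the victim
    typed_into_phish_page = real_code                 # victim types it into the proxy's page
    return typed_into_phish_page == real_code         # site's check passes: True

def key_assertion_relayed():
    """Same relay against a security key: the signed origin is the phish site's."""
    key = SecurityKey()
    site = Site(REAL_ORIGIN, key.enroll(REAL_ORIGIN))
    key.enroll(PHISH_ORIGIN)                          # even if the key had a credential there
    challenge = secrets.token_bytes(16)               # issued by the real site, relayed by proxy
    assertion = key.sign(PHISH_ORIGIN, challenge)     # victim's browser is on PHISH_ORIGIN
    return site.verify(assertion, challenge)          # False: origin mismatch

def key_assertion_direct():
    key = SecurityKey()
    site = Site(REAL_ORIGIN, key.enroll(REAL_ORIGIN))
    challenge = secrets.token_bytes(16)
    return site.verify(key.sign(REAL_ORIGIN, challenge), challenge)  # True
```

The SMS code carries no information about where it was typed, so the proxy can forward it unchanged; the key's assertion carries the browser's origin inside the signed data, so the real site rejects anything produced on the look-alike page.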
Not Certain If Your Data is Secure?
If you’ve been relying on standard 2FA to keep your data secure, we recommend that you consider all your options for protecting it. When it comes to cybersecurity, the more barriers you have around your data, the fewer chances a cybercriminal has to gain access to it. As Oneonta, New York’s Cybersecurity Experts, we have the expertise to ensure your business is following best practices. Call us today at 607.433.2200 to learn more about protecting your data from bad actors, natural disasters, and human error.