Why you should stop using SMS for two-factor authentication


In the run-up to Halloween, many will be enjoying their annual pumpkin-spiced lattes. But as we approach the scariest day of the year, it's also time to think about improving your cyber hygiene. It's no accident that October is also widely known as cybersecurity month. Unfortunately, despite many people believing they have all the bases covered, there are still many myths and misconceptions around how secure our online accounts really are.

The holiday season is a busy time for hackers who continue to exploit the inconvenient truth that users remain the weakest link in cybersecurity. Studies suggest that we are all hackers, with one in three people admitting to attempting to guess someone else's password. Unfortunately, that shouldn't be too tricky, with "123456" still being the most commonly used password. Even more worrying is that even cybersecurity experts are failing to lead by example and admit to using the same password for work and personal use.

The Importance of 2FA

However, let's assume you have read enough articles to have implemented a strong password manager, perform regular software updates on all of your devices, and can recognize a phishing attempt without clicking on anything. Maybe you have even protected all your social media and other essential accounts with SMS two-factor authentication. But before you smile too smugly, many flaws enable hackers to get around SIM-based 2FA.

Everybody knows somebody who reuses the same password across multiple accounts. When a breach exposes that one password, hackers could easily access everything from your Amazon to your PayPal account. If you dare to enter your email address at Have I Been Pwned, you will quickly discover how this problem has already affected your accounts.

We can all agree that usernames and passwords are no longer enough to secure access to our continuously growing list of online services. The good news is that 2FA provides a much-needed additional layer of security, and users who enable 2FA are blocking 99.9% of automated attacks.

The problem with SIM-based 2FA

As attack methods become more sophisticated, hackers have discovered multiple ways to bypass 2FA when the authentication method consists of one-time codes sent as an SMS message. There are many terrifying ways to trick users into unwittingly downloading malware onto their device, or to perform a socially engineered SIM swap fraud.

Welcome to the new world of SMS hijacking and SS7 attacks. One such attack at Coinbase combined several techniques to overcome SIM-based 2FA and drain the accounts of 6,000 customers. T-Mobile's recent data breach should also be a warning to customers who are using SMS for two-factor authentication. The attack reportedly leaked IMEI and IMSI information, which undermines the security of SMS-based two-factor authentication.

Bad actors use inexpensive mirroring apps to monitor SMS activity and grab SMS authentication codes without users knowing. Users who sync SMS messages to other devices, such as tablets and laptops, also increase their exposure: if one of those devices is stolen, the thief can read the codes directly. Hackers will also attempt to force login requests to popular services and reroute the 2FA verification codes to their own smartphones instead.

For the most part, users communicate via encrypted messaging apps such as WhatsApp and iMessage. But SMS does not offer these same protections, and our phone number was never designed with security in mind or as a method to authenticate our identity.

What should I use to replace SMS for 2FA?

Having any form of two-factor authentication in place is better than having nothing at all. It genuinely is the easiest way to protect your accounts and bolster your cyber defenses. But cybersecurity month represents an opportunity to explore how you can improve your protection.

With the increasing breaches and warnings around SMS, where possible, it would be advisable to begin removing your mobile numbers from online accounts. In addition, it would help if you also steered clear of using SMS or telephone calls to obtain a one-time code. A great way to improve your cyber hygiene would be to replace SMS 2FA with 2FA apps such as Authy, Microsoft Authenticator, or Google Authenticator.

For example, Authy automatically syncs across all devices, works without an internet connection, and can even display the one-time code on an Apple Watch. By making this small change in how you manage your online accounts, you can prepare for the deluge of Black Friday and Cyber Monday deals on the horizon with a little more confidence. But 2FA is just one of many best practices that you should be following.

As we approach the scariest day of the year, have you replaced SMS-based 2FA with a specialist authenticator app and stopped reusing passwords? How you answer that question will determine if you can avoid the Halloween hackers and avoid spine-chilling cyber threats at your door. So, what's it going to be, trick or treat?