More reasons to avoid SMS based two factor authentication

Two factor authentication (2FA), a combination of two of something you know (a PIN), something you have (a token) and/or something you are (biometrics), has long been held up as best practice for login security.  And in fairness, more and more devices (Apple for example) and some websites, are making it mandatory. However, as was highlighted recently by the Reddit security breach, it may not be quite as fool proof as people might have hoped.  Read the details here:

https://www.theregister.co.uk/2018/08/01/reddit_hacked_sms_2fa/

https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/

The incident in question shows that employee accounts were hacked despite using SMS-based 2FA.

Although the exact nature of the hack has not been disclosed, the ability to intercept SMS messages via vulnerabilities in SS7 has been around for years but other mechanisms include getting control of someone’s phone account via SIM-swapping and is a topic that we have written about at length.

Using SMS as the second factor in 2FA is, strictly speaking, not a second factor at all because it is using the same delivery method as the first factor, i.e. in addition to typing your password into a login page, you also type the SMS code into the same web page.  It should really be called Two Step Authentication, and unfortunately can still be subverted by phishing, man-in-the-middle and credential replay attacks.

Using a third party security app like Armour Mobile protects against this type of attack, as not only is the message data encrypted but also the meta data and therefore, it is far harder for criminals to compromise the integrity of a mobile account to intercept messages.  So if you have employees that handle potentially sensitive information, whether that is customer information, or company intellectual property, or commercial secrets, and that could be all of your staff, you need to think about how well their mobile devices are really secured.

Could be time to take a look at Armour Mobile!

Contact us today – sales@armourcomms.com