A simple login with a strong password is no longer enough to access online services securely. A recent study showed that more than 80% of all hacking attacks are due to compromised and weak credentials. Implementing two-factor authentication (2FA) has therefore become a necessity: it provides an additional layer of security, and according to the data, users who enable 2FA block about 99.9% of automated attacks. But don't let your guard down.
As with any good cybersecurity solution, attackers will sooner or later come up with ways to bypass it, and 2FA is no exception. The variant that relies on one-time codes sent by SMS to the user's smartphone can be bypassed. Even though attackers can use certain applications to "mirror" a victim's messages to themselves, many important online services still send one-time codes via SMS.
So what’s the problem with SMS?
Do you think well-known companies such as Microsoft encourage users to abandon 2FA solutions based on SMS and voice calls just for fun? SMS is notorious for its low security, which leaves it open to many different attacks. For example, SIM cards can be tampered with.
One-time codes can also be intercepted with readily available tools using the reverse proxy technique. The program sits between the real service and the victim, monitoring and recording the victim's interaction with the service, including any credentials they enter.
In addition, an attacker can install malicious apps on your Android device through the Google Play Store. How? If the attacker has your credentials and manages to log into your Google Play account from a laptop, they can remotely install any app on your smartphone. From there, only a few steps remain: once the app is installed, the attacker can use simple social engineering to convince the user to grant the permissions supposedly needed for the app to work properly.
Is there any alternative?
To feel secure on the Internet, first check whether your first line of defense is sound. Find out whether your password has already been compromised; several security services let you do this. For example, enter your phone number or e-mail address at haveibeenpwned.com.
If at all possible, refrain from using SMS as a 2FA method. Instead, use application-based one-time codes, for example via Google Authenticator. In this case, the code is generated by the Google Authenticator app on your own device rather than sent over the network. However, this approach can also be compromised by sophisticated malware. A better alternative is a dedicated hardware device such as a YubiKey.
These are small USB devices that offer a simple way to enable 2FA on many services. The physical key has to be plugged in or held close to the device to complete the second factor of the login.
That removes the risks associated with one-time codes that can be seen or intercepted, such as codes sent via SMS.
Service providers, developers, and researchers should also keep working on authentication methods that are both more accessible and more secure, for example multi-factor authentication, in which several authentication methods are used together and combined as needed.
Source: The Conversation