All companies should be using at least two-factor authentication to secure their systems, but relying on text messages alone is foolish, cybersecurity experts say.
The process, known as 2FA, adds another layer of protection by requiring users to verify their identity with more than just a password. Often this takes the form of a one-time verification code delivered by text message (SMS) or by voice call, but experts warn that these channels are increasingly out of date as a second factor.
“SMS was never designed to be a 2FA method,” said Jamie Boote, associate principal consultant at cybersecurity company Synopsys Software Integrity Group. “Originally, it was a maintenance communication channel between cell towers and phones. It only became a consumer-centric communications channel after users discovered they could send text messages to one another.”
The widespread use of SMS as a security mechanism has also increased hackers’ focus on compromising the technology, Mr. Boote said. Hackers also use SMS as an avenue to launch other attacks, he said. Common methods include phishing attacks by text message, known as smishing, and SIM-swapping, in which an attacker persuades a mobile carrier to move a victim’s phone number onto a SIM card the attacker controls, so that text messages meant for the victim, including verification codes, arrive on the attacker’s handset instead.
In June, email security company Proofpoint Inc. published data drawn from its own customer deployments showing that smishing attempts in the U.S. had more than doubled in the past year.
On Monday, encrypted messaging provider Signal warned 1,900 users that their accounts had potentially been compromised and their phone numbers revealed. The attack occurred due to a breach earlier in the month at Twilio Inc., which Signal uses for phone number verification services, the nonprofit said.
Twilio said a number of its employees had been tricked by smishing messages that directed them to fake websites asking them to update their passwords. Hackers targeted specific employees by matching their phone numbers to their names, Twilio said in a statement.
Mobile security specialists say the strongest form of 2FA is a hardware security key built on the standards of the Fast Identity Online Alliance, or FIDO, a consortium including Apple Inc., Microsoft Corp. and Alphabet Inc.’s Google that creates open authentication standards. The generally weak security of mobile phones makes them easy targets for hackers without the added protection that FIDO-based authenticators provide, said Hank Schless, senior manager of security solutions at cyber company Lookout Inc.
“While using text message authentication is better than nothing, it could give attackers access to the multifactor authentication code that is sent to the victim’s device,” he said. Hackers can access phones through malware or techniques such as SIM-swapping and wait for sensitive information such as MFA codes to be sent to a number.
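The contrast Mr. Schless draws is worth seeing in code. The program below is an added example, not code from the article, Lookout or the FIDO Alliance. It models the smishing relay described in the Twilio case against two second factors: an SMS code, which the victim can be talked into typing on a look-alike page, and a FIDO/WebAuthn-style assertion, where the browser (not the page) records the origin it is on and the key signs over it and over a hash of the relying-party ID. The origins bank.example and bank-example.com are hypothetical; the WebAuthn model is simplified (Ed25519 from the Go standard library in place of the usual ES256, a fixed counter, and an authenticator that signs even when the RP ID does not match the browser origin, so that the server-side checks are what stop the relay):

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"math/big"
)

// Hypothetical origins, constructed for this example.
const (
	RealOrigin  = "https://bank.example"     // the genuine site
	RealRPID    = "bank.example"             // its WebAuthn relying-party ID
	PhishOrigin = "https://bank-example.com" // look-alike site linked from a smishing text
)

// SMS one-time code: nothing ties the code to the site that asked for it.
type smsServer struct{ pending string }

// issueCode makes a six-digit code and "sends" it to the phone number on file.
func (s *smsServer) issueCode() string {
	n, _ := rand.Int(rand.Reader, big.NewInt(1_000_000))
	s.pending = fmt.Sprintf("%06d", n.Int64())
	return s.pending
}

func (s *smsServer) verifyCode(code string) bool { return code != "" && code == s.pending }

// SMSRelayAttack: the attacker logs in on the real site with a stolen password, the bank texts a code
// to the victim, the victim types it into the smishing page, and the attacker relays it before it
// expires. After a SIM swap the text simply arrives on the attacker's handset instead.
func SMSRelayAttack() bool {
	bank := &smsServer{}
	codeOnVictimPhone := bank.issueCode()
	codeTypedIntoPhishPage := codeOnVictimPhone // victim is on PhishOrigin; the code is still valid
	return bank.verifyCode(codeTypedIntoPhishPage) // true: the attacker is logged in
}

// FIDO/WebAuthn-style assertion: the browser, not the page, fills in clientData, and the key
// signs over it together with a hash of the relying-party ID.
type clientData struct{ Type, Challenge, Origin string }
type assertion struct{ ClientDataJSON, AuthData, Signature []byte } // AuthData = sha256(rpId)||flags||counter
type securityKey struct{ priv ed25519.PrivateKey }

// assert signs authData || sha256(clientDataJSON), as a WebAuthn authenticator does. A real key would
// also refuse outright when rpID does not match the browser's origin; this model signs anyway.
func (k *securityKey) assert(rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 1)
	cdHash := sha256.Sum256(cd)
	sig := ed25519.Sign(k.priv, append(append([]byte{}, authData...), cdHash[:]...))
	return assertion{cd, authData, sig}
}

type fidoServer struct {
	pub       ed25519.PublicKey
	challenge string
}

func (s *fidoServer) newChallenge() string {
	var b [32]byte
	rand.Read(b[:])
	s.challenge = fmt.Sprintf("%x", b[:])
	return s.challenge
}

// verify runs the relying-party checks: type, challenge, origin, rpIdHash, then the signature.
func (s *fidoServer) verify(a assertion) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != s.challenge || cd.Origin != RealOrigin {
		return false // a relayed assertion fails here: its origin is the smishing site
	}
	if rpHash := sha256.Sum256([]byte(RealRPID)); len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return false
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	return ed25519.Verify(s.pub, append(append([]byte{}, a.AuthData...), cdHash[:]...), a.Signature)
}

// fidoLogin registers a fresh key with the bank, then has it sign a challenge from a browser on origin.
func fidoLogin(origin string) bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key, bank := &securityKey{priv}, &fidoServer{pub: pub}
	return bank.verify(key.assert(RealRPID, origin, bank.newChallenge()))
}

// FIDOLegitLogin: the victim authenticates on the genuine site.
func FIDOLegitLogin() bool { return fidoLogin(RealOrigin) }

// FIDORelayAttack: the attacker forwards the bank's challenge to the smishing page and relays the result.
func FIDORelayAttack() bool { return fidoLogin(PhishOrigin) }

func main() { fmt.Println(SMSRelayAttack(), FIDOLegitLogin(), FIDORelayAttack()) } // true true false
```

The SMS path accepts the relayed code because the code carries no information about where the victim typed it; the FIDO path rejects the relayed assertion because the signed clientData names the smishing origin, and a relying party that checks origin and rpIdHash before the signature cannot be fooled by a forwarded response. A SIM swap changes nothing on the FIDO side either, since no secret ever travels over the phone number.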
Federal officials have stressed the implementation of multifactor authentication as a basic means of preventing opportunistic cyberattacks in recent months, despite acknowledging that users are often resistant to adding new steps to everyday tasks. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, said that while efforts are under way to make authentication measures more seamless for the user, security efforts must take priority.
“You’ve got people who may complain because it adds friction to the user experience, but what we really need to be thinking about is adding friction to the adversary experience,” she said.
This article was originally published in The Wall Street Journal on August 17, 2022, and written by James Rundle.