Two-Factor Authentication isn’t Safe Anymore, find out why
We explain why you should not trust the codes sent by SMS to protect your online banking account and other digital services and explain to you why two-factor authentication is bad.
Table of Contents
What is two-factor authentication?
Two-factor authentication is a method of giving a user access to a system, requiring two different proofs that they are who they say they are.
Traditionally, users authenticate to a website using only something they know, a password (one-factor authentication). To improve security, a second factor or proof of identity can be added: frequently, something the user owns and has on hand.
For example, a second factor is used through an application installed on the user’s mobile phone. Customers who activate the second authentication factor, to access the client area, in addition to their password, have to provide a code that varies over time and that they can consult in the application they have installed on their mobile device.
How to stop text messages from being intercepted
Imagine this. It’s friday morning. You wake up thinking that there is only one day left for the weekend, but suddenly you see a text message from your bank telling you that your balance is less than € 100. You are shocked, but knowing that you have thousands of euros in your account, you think it is a scam or a bank error.
Anyway, you open the bank’s app on your mobile, you log in and you realize that it was not an error: your money has disappeared.
But how can it be? You had no idea and had been careful enough when setting up two-factor authentication to prevent anyone from accessing your account.
The answer is in the SMS. Mobile verification is popularly used today by banks, Microsoft 365, and many other popular services. When you log into your account with your username, password, and other credentials, a six-digit code is sent to you via SMS, and you can only access your account once you’ve entered it.
In theory, only you can access your mobile, so no one can get hold of the code and impersonate you.
Unfortunately, that’s not the case: it’s worrying how easy it is for criminals to interpret these messages without you knowing. Without trying or spending too much effort, they can access a system where they can enter your phone number in a box, hit ‘Enter’, and redirect your text messages.
Once they have emptied your account, they deactivate that redirection and you do not find out until you receive a low balance alert from your bank.
Once they have your login credentials and your phone number, all they have to do is use a method to redirect those SMS codes to a mobile they control and they will be able to enter your account.
It is not very relevant to know how the “bad guys” manage to intercept messages, but if you are particularly interested, you can read KrebsonSecurity blog.
What is important to know is that, although it is a good idea to use two-factor authentication, SMS codes are the worst way because they are very insecure. the ecosystem of companies that anyone can use to silently intercept text messages from other mobile users is something that has only been discovered recently.
Related: How to detect malicious apps on Android
How To Use a two-factor authentication app
If your bank, email or any other app or service that offers two-factor authentication, check if there is the option to choose where to receive it.
Ideally, you should be able to use a two-factor authentication app. It is an individual app that works on your mobile and generates codes. Google and Microsoft have applications of this type, but it is up to the bank or service in question to decide which methods they offer.
Simply put, if your bank only offers SMS verification, something is something, but you may want to switch to a bank that uses an authentication app, generates codes within the online banking app itself, or uses biometric authentication such as fingerprint or recognition. facial.
What to do if your bank account is hacked
Unfortunately, the example with which we started this article really happened, it was not just a hypothesis. Luckily, the bank reimbursed the stolen money at the end of the day.
What you should do is immediately call the bank and explain that it was not you who spent the money: it is a fraud. In fact, it is a bank robbery, although in this case digital and not physical.
You should also change the security credentials associated with your account and, if possible, switch to a different 2-step verification method.
Knowing how hackers got hold of your login details and other personal information is much more difficult, but while it is true that you cannot change your name or address (so easily), you can make sure that no other account uses the same one. password.
You will want to change your phone number if other services you use use SMS two-factor authentication, and Brian Krebs recommends that your phone number is no longer associated with your email and any other online service.
Unfortunately, many email providers continue to let their users reset their account passwords via a link sent by SMS to the number associated with the account. So remove the phone number to protect your email, and be sure to select a second, stronger factor for all your account recovery options.
Similarly, treating your email with much more respect. “Your email is one of the most important things you should protect. Protect it with a strong password and enable two-factor authentication if available. Obviously, do not choose to receive the codes by SMS unless it is the only option, because something is something.
Another option that you may find in your online banking app , or through your bank’s website, is that they send you a notification when a payment is made above a certain amount. At the very least, this will alert you that unknown transfers or purchases are being made.
For more protection, you may be interested in our selection of the best password managers.
