As cyber-attacks continue to become more prolific, more companies are turning to two-factor authentication (2FA) to keep data safe, as it adds another dimension to information security. Several account-based services have adopted 2FA, with Facebook, Apple’s iCloud and PayPal being just a few of them. With 2FA you are asked twice to prove your identity, and although this may sound like the safest way to stop hackers, you may be surprised to learn that it isn’t as safe as you would think.
How Does Two-Factor Authentication Work?
Security experts have warned for a considerable time that text messages are extremely vulnerable to hacking. 2FA was added as an extra security layer so that hackers would be unable to intercept any data you sent if they discovered your password. 2FA protects you by asking for two different authentication elements: a password and a smartphone, for example. When you access your account, you are asked for your password, and a one-time code is sent to your phone via text. So, to hack your data, a person would have to steal your mobile phone as well as know your password.
How The 2FA Hack Works
The whole issue with 2FA is its reliance on text messages, which, according to security experts, can be hijacked quite easily. Recently a security team from Positive Technologies showed how easy it was to intercept text messages and then use 2FA to gain access to a Gmail account. They then managed to reset the Coinbase password and gain access to the user’s bitcoin wallet.
Where Is The Weakness?
It’s easy to blame Coinbase in this hacking example, but the issue actually lies with the phone system itself. Signaling System No. 7 (SS7) is used by every major telecom globally for the distribution of text messages and phone calls. It has an Achilles heel, however, which hackers have been able to exploit. It’s just a matter of exploiting the flaws within SS7, then creating the SMS message that they want to send to your phone. And because it is a known weakness within SS7, telecoms worldwide are vulnerable to this style of hacking, especially those that send security codes via mobile networks.
Even though 2FA seems to have its flaws, it is better than no digital protection at all. If you care about protecting your personal information and data security, then you should consider alternative methods to authenticate who you are. Many customers are looking at proxy companies to protect them, while security experts have suggested considering a separate mobile number for any digital services. Google Prompt does not rely on two-factor authentication, while security keys are another safer option to keep your digital footprint safe. One further step is to demand that all account services provide non-SMS-based options, so that customers can continue to use their services without the fear of being cyber-hacked by criminal elements. A proxy service is one way to ensure that you are not vulnerable to attack.