Not All Two Factor Authentication Solutions Are the Same

A disturbing class of cyber-crime attack has been increasing in frequency over the last few years: SIM Card Swapping. This type of attack essentially takes over your cell phone service and moves your phone number to a phone in the physical possession of the attacker. The most devastating of these attacks are conducted to bypass SMS (Text Message) Based Two Factor Authentication (2FA).

SMS 2FA technology is pretty simple. When you log into a website – like your bank, Instagram, or Crypto Currency accounts – with a valid username and password, you’re still required to enter a unique six-digit number to complete your login. This code is sent to your cell phone number as a text message. Another use of SMS 2FA technology is to provide “extra security” during Password Reset requests. By having access to your Cell Phone Text Messages, an attacker can gain access to your email account and, subsequently, other accounts.

This is exactly what happened to a San Franciscan man who lost $1,000,000. What could he have done to prevent the theft of his life savings? Well, there are many best practices that would have made it harder for the attacker, including not reusing passwords, having your Mobile Phone Carrier require a unique PIN code, and using a more secure Two-Factor Authentication technology.

Alternative 2FA technologies include Google Authenticator, Authy, Duo Security, and others. What makes these solutions more secure than Text Message-based solutions is that they are locked to your phone and not your phone number. A SIM Swapping Attack wouldn’t result in the attacker getting your Two Factor Codes.

There are even options that include bypassing a mobile phone entirely. These include the classic RSA Security Tokens, the Google Yubikey, and others.

We hope that this information helps you become more aware of the risks and how to better protect yourself.

If you’re interested in a security consultation for your business then we hope that you contact us to help set up a time to speak with our team.