Please Stop Using Text Messages to Get Login Codes
Vice talked about how easy it is for an attacker to intercept your text messages this week. They don’t need access to your phone; they don’t even need your SIM card. They just need to pay a small amount, convince the VoIP wholesaler that they are a reseller (which is also trivial), and sign a form that swears that they are allowed to redirect messages from your number to another.
As author Lucky225 writes on Medium :
“Until Thursday, March 11, 2021, NetNumber allowed NNIDs to be reassigned or intercepted for all wireless phone numbers without any authorization or verification. Presumably, while this author and other journalists were looking for comments after the concept was demonstrated, it looks like they have invented a scheme to pretend this is no longer a problem by temporarily disallowing the hijacking of wireless numbers. “
[…]
In addition, people are using VoIP numbers instead of their real wireless numbers for various services, and these people are still vulnerable to this attack, while only those who do not care about their privacy and use their real mobile numbers are protected. “
I won’t go into the details of the method that can be used to route your text messages from your phone, but the fact that it was (and is?) So easy to do, and that you don’t get an approval request or even a notification that that this is going on is annoying.
While I’m sure some of these business-grade text messaging services are tightening their security, all it takes is to find an attacker who doesn’t verify this kind of change with the actual owner of the number, and goodbye. , incoming text messages. And that includes the authentication codes you use to verify that you are logging into your account on an unknown device.
We’ve talked about this before and will repeat it until all sites and services finally hear: it’s not safe enough to just use a text message or 2-Step Verification to protect your account from unauthorized access. Whenever possible, you should use a dedicated two-factor authentication application that requires physical access to your hardware – usually your phone – to complete the login process for your account. Text messaging is not as secure as you might think. While you may never fall victim to text eavesdropping, this week’s news shows that it is far from impossible.
It is much less likely that someone will get their hands on your real smartphone, find a way to bypass the security mechanisms you have (touch or face recognition) to unlock it, go through whatever secondary protection you have installed on your particular 2FA. app (like a PIN) and then use it to hack your accounts. By then they will probably either give up or you reset your 2FA and set it up on a new device for your critical accounts, completely losing your old codes.
You do not need to subscribe to a monitoring tool to alert you if or when the texts of your phone number are being redirected to another location. (Full Disclosure: The aforementioned Medium author is the Chief Information Officer for one such company , Okey.) However, you may just want to anyway, because there are many services that still use text messages and only text messages to send you login codes.
There is little you can do if your healthcare provider, gaming website, or other site doesn’t allow you to use two-factor authentication, but only two -factor authentication. Pick a strong unique password, lock it with a great password management app and hope for the best. Also, don’t use the obvious answers to security questions; these should also be “passwords ” and you should keep track of them just like any other password.
Finally, don’t use 2-Step Verification if that’s all you have. While it’s not 100% secure, it’s much better to turn it on and have someone jump over additional hoops to hack into your account. Don’t just rely on a username / password combination if you can add a little extra security.
There are also more radical approaches, such as using a special number for login codes that is not associated with your actual phone number at all. (Google Voice comes to mind; you can just email it and you can block your Google account with two-factor authentication.) While it might not stop someone from accidentally grabbing even that number, at least it helps. protect you from targeted attacks. Well, safer. Isn’t security entertaining?