Getting a second opinion is a great idea in both medicine and end-user cybersecurity. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) are powerful tools in the fight against all kinds of cyber attacks involving end user devices and internet services.
There’s just one big problem: It’s all too common for people to use text messaging as a second factor. This turns phone numbers into digital identity devices, a role for which they were never designed. If a smartphone is lost, stolen, or taken from its owner, the owner also loses access to authentication. Worse, an attacker can have the phone number transferred to someone else, who will then receive the authentication requests. Here is what to do to fix the 2FA and MFA phone problem.
How Two-Factor and Multi-Factor Authentication Works
Both of these precautions work by using more than one “authentication factor”. This factor can be something that the user knows, owns, or is part of (like a fingerprint).
One of the most common combinations is a username and password (something the user knows), plus a message, link, or code sent to the user’s smartphone (something the user owns) via text messaging.
But there are others. Authentication factors can be a PIN code, a piece of personal information (mother’s maiden name, for example), a key fob, your face, or many others.
Multi-factor authentication in real life
This plays out a million times a day. A user forgets a password or chooses to change it. Or they visit a website from a different location than usual, or with a different device, or at a site that re-verifies users on a set schedule. So the site sends a code, a link, or a password to the user’s phone by SMS.
The problem is, this assumes that only the original, honest user could possibly have access to the phone number associated with the text. And that’s a bad guess.
In the past, people believed that only the original signer could write their signature the way they do. That was a pretty good guess. When we assume that only the real user can present their face or fingerprint, that’s a pretty good guess as well. But possession of a phone number? Not really.
It turns out that malicious actors can determine which phone numbers on wireless service provider websites are “recycled” numbers, once used but now abandoned. They can then match those numbers against leaked login details for sale on the dark web. Having taken over the phone numbers, they can break into accounts by resetting passwords, with the reset confirmed via the number they now control.
The problem of recycled phone numbers
Researchers at Princeton University sampled 259 phone numbers offered by two US wireless operators. They found that 171 of them were tied to existing accounts on various websites and 100 matched credentials leaked across the web.
Interestingly, the researchers noticed that the telephone companies offered new numbers in blocks of consecutive numbers, but displayed recycled numbers in non-consecutive blocks, revealing the fact that they had already been used. Attackers can automate the discovery of such numbers, the researchers say.
The researchers also monitored 200 recycled numbers. Within a week, about 10% of them received privacy- or security-related messages intended for their previous owners.
Princeton’s research points directly to the gaping hole in 2FA and MFA cybersecurity that relies on a phone number. Common sense points the same way.
Additionally, a crowdsourcing project called TwoFactorAuth.org found that almost a third (30%) of the sites it tracks offer 2FA via SMS. (About 40% support authenticator apps.)
Beyond text messaging codes
Text authentication doesn’t just fail when someone’s number changes. Cybercriminals can intercept texts using a number of specialized wireless systems. Attackers can trick, blackmail, or bribe phone company employees into transferring a phone number to a cybercriminal’s SIM card (a SIM swap). Text codes can also be captured by phishing tools.
The bottom line is that a phone number can end up assigned to more than one person. Attackers (or accidents) can separate phones from their owners. Text messages can be intercepted or read by someone other than the intended recipient. And so, for many reasons, 2FA or MFA that relies on sending SMS is much less secure than many other methods.
What about the MFA password item?
Of all the factors that could be used for MFA, by far the most common are 1) username/password and 2) text messages.
It’s bad enough that texting and smartphones are insecure methods, but so are usernames and passwords. Far too many users choose weak passwords and reuse them across multiple sites, and malicious actors steal far too many of them and sell them on the dark web to other cybercriminals.
The one-two punch that will improve 2FA and MFA security is to enforce strong passwords and the use of password managers. Next, ban text-based authentication in favor of something more secure, like authenticator apps. With these, you will have a first line of defense in place.
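To make concrete why an authenticator app does not have the phone-number problem, here is an added example (not code from the article or from any product it mentions) of the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that such apps implement. The secret is shared once at enrollment through an otpauth:// URI (shown as a QR code), and from then on both the app and the server compute codes locally from that secret and the clock; nothing is ever sent to a phone number, so a recycled number, SIM swap, or intercepted text never comes into play. The secret below is the published RFC reference test secret, used here as constructed demo data; the function and class names are this example's own, not a standard API.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo secret: the ASCII reference secret from the RFC 4226/6238 test vectors.
# A real deployment generates a random secret per user at enrollment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the 4-byte window
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, now: float,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the matching time-step counter, or None if the code is not valid.

    Accepts the current step plus/minus `window` steps to tolerate clock drift,
    and compares in constant time so timing does not leak how many digits matched.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


class TotpVerifier:
    """Server-side state for one user: the secret plus the last accepted counter.

    Remembering the last accepted counter rejects replay of a code that was
    already used, even though it would still be inside the drift window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def check(self, candidate: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        counter = verify_totp(self.secret, candidate, now,
                              self.step, self.digits, self.window)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """Build the otpauth:// URI that authenticator apps scan at enrollment.

    The secret is base32-encoded (padding stripped) per the de facto Key URI format.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe="@:")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleCorp"))
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, time.time())
    print("first use accepted:", verifier.check(code))   # True
    print("replay accepted:", verifier.check(code))      # False
```

The drift window and the replay check are the two details most often missed in home-grown verifiers: too wide a window multiplies an attacker's guessing odds, and without the last-accepted counter a code captured by a phishing page remains reusable for the rest of its validity period.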