September 30, 2020

The Dangers of SMS Multi-Factor Authentication

The Dangers of SMS Multi-Factor Authentication

Picture this: 

You get a call from a vendor that convinces you they are legit. They walk you through “helping you set up an account” and ask for your phone number so they can set up MFA.  they say it’s going to text you a confirmation code and need you to read it to them to complete the setup. You do it. The people on the other end of the phone have just accessed your account.

How? 

They tricked you into giving the Multi-Factor Authentication (MFA) code to a totally different account. When they said it was sending a confirmation code, they just tried to log into your legitimate account that was protected by SMS MFA and that account texted you the code they needed. You have been social engineered.

Scenario II:

A hacker has your cell number, does a look-up, and learns it’s a Verizon number.  He or she then looks you up online, say on Facebook, LinkedIn, or in a previously breached database and gets your name and email.  Or maybe they just got it from your email signature.

They call Verizon now in possession of your name address and number. They convince the rep at Verizon they are you. They get the number ported to a new phone.  Now they can log in and it texts the MFA key to their burner phone and they get into your bank account. The same bank account you thought was secured with text-based MFA

Scenario III:

You leave your phone somewhere. Some teenager gets ahold of it and uses it to log into one of your accounts. And since your texts show up in a banner, he doesn’t even need to unlock your phone to get the code.

Maybe he got your email because he figured out where you work and guessed your email address. Maybe he knows your bank because he saw the credit card you used when you paid for lunch. Whatever the case, they just do a password reset, and bam. They have access to your money.

Summary:

Basically, it’s super easy to learn a person’s address, phone number, or email address online if you have one or two pieces of information about them already. And from there it’s really not difficult for social engineers to take the steps needed to obtain access to private sensitive information like your bank account.

While we do strongly recommend using MFA, we also strongly recommend using your email or even better, an authentication app like Authy.

If you’re concerned about your business’s network security, well honestly, you should be. Call us at 423-534-3418 to learn how Holston & Garner IT can bolster your defenses.


Tags: