Two factor authentication is a mechanism that protects your account by adding an extra layer of security: in addition to the password, the service asks for a second piece of information that only you possess. This typically takes the form of a short random code, generated by a hardware token you own or by an authenticator app installed on your smartphone, or sent to your mobile phone as an SMS message.
This code can only be used by the owner of the account, because only the owner is in physical possession of the hardware token, of the phone running the authenticator app, or of the phone (and SIM) to which the SMS is delivered, assuming nobody else has access to that phone.
The code also expires after a short time (typically within a minute for app-generated codes), so even if an attacker captures one it is soon useless.
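To make the "short-lived code" property concrete, here is an added example (not code from the original post) of the RFC 6238 TOTP scheme that authenticator apps such as Google Authenticator implement. The code is an HMAC of a shared secret and the current 30-second time step, and the verifier only accepts the current step plus a small drift window, so a code captured a minute ago is rejected. The secret, the function names and the sample base32 string are constructed for this example (the secret is the one from the RFC 6238 test vectors).

```python
"""Added example: minimal RFC 6238 TOTP generation and verification.

Shows why an app-generated code is a function of (secret, current time step)
and why the verifier rejects it shortly after it was produced.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the ASCII string used by the RFC 6238 test
# vectors. A real authenticator app stores the secret taken from the
# enrolment QR code, which carries it base32-encoded.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    periods elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept `code` only if it matches the current time step or one within
    +/- `window` steps (to tolerate clock drift between phone and server).
    Anything older is rejected: this is the short-expiry property the text
    describes. The comparison is constant-time so a verifier does not leak
    how many digits of a guess were correct."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret found in an otpauth:// enrolment URI.
    Authenticator apps accept it unpadded and case-insensitive, so the
    padding is restored before decoding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code:", totp(RFC_TEST_SECRET, now))
    print("seconds until it rotates:", 30 - now % 30)
```

The RFC test vectors use 8-digit codes; the `digits` argument defaults to the 6 digits that Google Authenticator and Microsoft Authenticator display. Note that nothing in this computation involves a phone number: the secret lives on the device, which is exactly why a SIM swap does not defeat app-based codes.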
Why is two factor authentication based on SMS not secure?
The answer is SIM swapping. SIM swapping is a type of fraud where the attacker takes over the SIM (more precisely, the phone number) of the user he wants to attack. The easiest way to accomplish this is social engineering.
The attacker impersonates the victim to the cellular company's representative and asks for a replacement SIM card to be issued (or for the number to be ported to a SIM he already controls). Once the number is active on the attacker's SIM, every SMS and every call meant for the victim arrives at the attacker's phone, so he receives the victim's SMS codes and can pass SMS-based two factor authentication on the victim's accounts.
Now you might argue that the account is still protected by the password. That is right; however, it has become common for the phone number to double as the password recovery channel: the "forgot password" reset code is sent by SMS, so whoever controls the number can reset the password and never needs to know the old one.
Social engineering is the most powerful tool at the disposal of a hacker, and has been since the early days of information technology. One of the best known hackers is Kevin Mitnick; his book The Art of Deception is a real eye opener.
An attacker can easily collect the personal details needed to pass the operator's identity check through phishing mail or from social media. Many people publish their personal cell phone number on Facebook as their business contact number.
On June 11 2017 and January 7 2018 an attacker performed SIM swaps against American investor Michael Terpin, who claims that he lost $24 million worth of cryptocurrency as a result.
On 30 July 2018 it was reported that a group of criminals had hijacked dozens of cellphone numbers through SIM swaps to steal more than $5 million in cryptocurrency.
I myself did a small experiment and went to the booth of my telephone operator to request a new SIM.
To my horror, the person at the desk asked for my phone number and my ID card. The person at the desk quickly checked the address on my card and gave me a SIM shortly after. The representative did have a device to check the validity of the card through its chip and PIN, or could perform a visual inspection of the front and back of the card.
How do you protect against SIM swapping?
- Don't use SMS as the second factor. Use an authenticator app when possible, like Google Authenticator or Microsoft Authenticator: the codes are generated on the device itself, so they are unaffected by who controls the phone number. Also very important: put a password or PIN lock on your mobile.
- Don't divulge the phone number you use to access sensitive accounts. Ideally use a dedicated SIM for such accounts, and ask the phone operator not to publish that number in online or printed directories.
- Choose a telephone operator that does proper KYC before performing actions on your SIM. Many operators now let you set a passcode that must be provided before any change, such as a SIM replacement or a number port, is accepted.
- If you want to be extra safe, check monthly with your phone operator whether any SIM cards have been issued for your number without your knowledge.
If you find yourself the victim of a SIM swap scam, contact your phone operator immediately to get the number back, and then lock down every account that uses SMS-based two factor authentication or SMS-based password recovery: change the passwords and switch the second factor to an authenticator app or hardware token.