Why You Shouldn’t Use SMS For Two-factor Authentication Codes
Picture the scene. It’s early on a Friday morning. You wake up, looking forward to working just one more day before the weekend but discover a text message from your bank that reads “Your balance is below £100”. It’s a shock but since you have thousands in the account you assume it’s a scam or just a mistake by the bank.
Regardless, you open the bank’s app on your phone, log in and discover that there’s no mistake: your money is gone.
But how? This is the first you’re hearing of it and you’re savvy enough to have set up two-factor authentication to prevent anyone from accessing your account.
The answer is SMS. Text verification, as it’s also known, is widely used these days by banks, Microsoft 365 and many other well-known services. When you log into your account with your username, password and other credentials, a six-digit code is sent via SMS and you can only access your account once this has been entered.
The theory is that only you have access to your phone, so no-one else could get hold of the code and pretend to be you.
Unfortunately, that’s not the case: it’s worryingly easy for criminals to intercept those messages without you ever knowing. For little effort and cost they can access a system where they can type your phone number into a box, hit enter and get your text messages redirected to them. Once they’ve emptied your account, they switch off the redirect and you’re none the wiser – until you get a low balance alert from your bank.
Once they’ve got your login details and your phone number, all they need to do is use one of several methods to redirect those SMS codes to a phone they control and they can get into your account.
The details of how the bad guys intercept the messages isn’t particularly relevant here, though if you’re interested you can read all about them in this KrebsonSecruity blog post.
What’s important to know is that, while it’s a very good idea to use two-factor authentication, SMS is the worst kind because it’s so insecure. As Krebs explains in the blog post, the ecosystem of companies that anyone can use to silently intercept text messages intended for other mobile users is something that’s only recently been discovered.
Use an authenticator app for 2FA
If your bank, email provider or any other app or service offers two-factor authentication, check if there’s a choice on how to receive it.
The ideal option is to use an authenticator app. This is a separate app that runs on your phone and generates codes. Google and Microsoft have Authenticator apps, but it’s down to the bank or service in question which methods they offer.
Put simply, if your bank only offers SMS, that’s better than nothing, but you may well want to switch banks to one that works with an authenticator app, generates codes within the banking app itself or uses biometric authentication such as a fingerprint or your face.
What to do if your bank account gets hacked
Unfortunately, the example this article opened with actually took place – it wasn’t hypothetical. Fortunately, the bank refunded the stolen money by the end of the day.
But what you should do is to immediately phone the bank and explain that it wasn’t you who spent the money: it’s fraud. Effectively it’s a bank robbery, albeit digital rather than physical.
You should also change your security details associated with the account and, if possible, switch to a different form of two-step verification.
Figuring out how the hackers got your login and other personal details in the first place is much more difficult, but while you can’t change your name or address (easily) you can make sure that no other accounts use the same passwords.
You might want to change your phone number if other services you rely on use SMS for 2FA, and Brian Krebs recommends removing your phone number from your email account, as well as other online services.
“Unfortunately, many email providers still let users reset their account passwords by having a link sent via text to the phone number on file for the account. So remove the phone number as a backup for your email account, and ensure a more robust second factor is selected for all available account recovery options.”
SE Labs’ Simon Edwards similarly advises treating your email account with a lot more respect. “Your email account is one of the most important things to protect. Secure it with a strong password and enable two-factor authentication if it’s available. Obviously don’t choose SMS to receive codes unless it’s the only option, which is better than nothing,” he told Tech Advisor.
One other option you may find in your banking app, or via the bank’s web portal, is to send a notification when a payment over a certain threshold is made. This will at least give you early warning that transfers or purchases are happening.