Not all 2FA is Created Equal
It seems like everything security-related begins with “Yes, but…” or “It depends” these days. (No wonder users are frustrated.) Because of the security problems surrounding credentials (data breaches, phishing attacks, and just plain weak password choices), an additional login step, two-factor authentication (2FA), is recommended to protect accounts. This step is a code that is either generated by a token/app in your possession or sent to your phone. The code is then required after the correct username/password combination has been submitted.
The key phrase in the above explanation of the SMS method is that the code is sent to your phone.
Something SENT TO YOU can be intercepted in transit. And of course, cyber criminals have exploited this.
An excellent explanation of why text messages are no longer a good second factor can be found in this Wired article.
The additional login step is the best method to protect your online accounts, EXCEPT when that method relies on a text sent to your phone.
Here’s why: redirected SIMs. A skilled cyber criminal can call your cell phone provider and socially engineer the support tech into redirecting your messages to their phone instead. It’s known as SIM swapping, and it is a growing method of committing mobile banking fraud.
This may be why mobile companies are putting new security measures in place to help verify users’ identities. AT&T’s security passcode, when enabled, requires the code every time you contact customer support.
What to do if SMS two-factor authentication is the only option:
- Opt to receive suspicious login notifications if available (sent to your e-mail vs. mobile phone).
- Enroll in the additional security measures put in place by your mobile company to verify your identity. If they don’t exist, change secret questions and answers to those that can’t be researched.
- Immediately contact your mobile company if your cell phone stops working. Drive to the nearest store if needed! If someone has swapped your SIM, you’ll need to confirm that as soon as possible.
This situation with SMS two-factor authentication is another reason why reviewing security options once a year (for any internet user) is a good idea. If 2FA using SMS was previously enabled, check with the service provider to determine what alternative options it offers and make the switch.