MFA Has a Texting Problem

Garrett Poorbaugh
Published: November 30, 2022
Last Updated: November 30, 2022 5:58 PM

Everyone Knows the Tricks; Just not Me

Recently, I’ve started to fumble my way around turning a previously demolished house into something functional and livable. If you’ve done house work before, you probably know there’s the way you do it, and then there’s the way your buddy or contractor does it that drops your jaw in a moment of “Why didn’t I think of that! I will never do it the old way ever again!” When it comes to multifactor authentication (MFA), the corners of the internet entrenched in cybersecurity are starting to have a similar realization about which methods we should use for MFA. Text-message codes have long been the default, but they are starting to look more and more like the old way that probably shouldn’t be used anymore.

The good news is switching away from text-based MFA may be more convenient, too.

What is "Multifactor"?

Before we can really understand the why, let’s define what multifactor authentication means in the first place. When you log in to anything – a phone, a computer, an online account – you are asked to authenticate, that is, to prove you are who you say you are. There are 3 basic ways to authenticate, and each is based on a “something”. The first is something you know: the passwords and PINs stored in your head. The second is something you have, such as a keycard for your computer. The third is something you are, such as your face or fingerprint. It is common to use “something you know” and “something you have” to authenticate ourselves. When we only have to use one of these to gain access, we call it single-factor authentication.

Let’s take a break for a moment and think through this scenario. You come into the office and, before you leave for lunch, you check your bank account. Unbeknownst to you, a coworker was watching you and took note of your password. They log into your account using your password, having stolen the something you knew from you. For systems as private and sensitive as a bank account, we should mitigate this somehow. Enter multifactor authentication. Now we require that 2 different types of verification be used in order to grant access. Since they must be 2 different types, we can’t just have 2 passwords. That’s something you know twice, and our coworker has a pretty good memory; they would easily thwart that. In this new scenario we have a second factor set up, which comes in the form of a notification that is approved from a phone. This time, even though your coworker knows the password, they are denied access unless you approve the sign-in request on your phone. It’s easy to see why multifactor authentication is such a useful tool in protecting against password compromise, since it places a final barrier that is something you have or something you are.

You can think of MFA as having multiple types of locks on a door.

Texting Has a Weakness

In 99% of use cases, multifactor authentication stops the bad guys and saves the day. But within that 1% lies a little-known weakness in MFA: using text messages for MFA codes. At first glance this may not seem to pose an issue; your coworker didn’t have access to your phone. But inside your phone is a chip called a SIM card. If you have ever switched carriers, you likely took this small chip out of the old phone and put it into the new one. Better yet, if you have ever lost a phone, you likely called the carrier to request a new SIM card for that phone number. After answering a couple of questions, they send you a new SIM card for that number. But wait; there’s a problem here. Remember how earlier we said our MFA needs 2 different types to be effective? The phone carriers often only verify using security questions such as “What is your mother’s maiden name?” or “Where did you graduate from?” If your coworker is a good listener, or any of this information exists on Facebook or Instagram, then the SIM card can be obtained using only one type of authentication: something you know. From there, the coworker could put the SIM card in a new phone, go back to the bank account, and pass both factors, since they can now receive your text messages.

While this may seem like a far-fetched attack, consider that Twitter CEO Jack Dorsey fell victim to it fairly recently. Even if it seems unlikely, the same concept of one type of factor eventually failing will catch up with you. Luckily, the solution to this problem is very simple! When you set up MFA methods in the future, opt for a mobile app instead of text if one is available. The app prevents the attack because it brings authentication back to requiring the phone itself: you must approve a request within the app. These apps also do not allow transfer from phone to phone, so if you try to set one up on a new phone you have to completely re-register the account.

Text message based authentication may be widely available, but it certainly isn't the best.

Conclusion

Multifactor authentication is a great way to keep accounts secure. We now know that multifactor is more than just authenticating twice; it is really authenticating in two different ways. It is common to set up a password with a text-message prompt, but to stay ahead of trends and look towards the future, we should prefer to set up a password and an app notification whenever possible. Just like when I realized I could form a shepherd’s hook with wire strippers, the switch to app-based MFA is a no-brainer and could end up saving you down the road.

Security Connections to Remember

  • Authentication can be something we know, have, or are.
  • When we use MFA, we need to make sure it always has at least two of these types.
  • Texting MFA codes presents an issue for our rule, so using an app-based system is preferable.

Copyright © 2022 Security Connections. All rights reserved.