
How secure is your phone's 2FA?

2nd October, 2023

We can all agree that traditional usernames and passwords are no longer sufficient to safeguard the ever-expanding assortment of online services we utilise.

So, you’ve become a cybersecurity pro, huh?

Your memory for passwords is sharp, you never fall for phishing scams, and all your crucial accounts are fortified with two-factor authentication. But is your 2FA secure enough?

Hackers are sneaky little devils, so it’s always good to stay vigilant and keep up with the latest security measures. After all, you never know when they’ll come up with a new trick to try and catch you off guard…

Research suggests that a surprising number of people have engaged in unauthorised password guessing, with one out of every three people confessing to such attempts.

However, this task is often far from challenging, considering that “123456” continues to be the most frequently used password and, according to Cybernews, is in the top 10 most common passwords listed in 2023.

The Significance of Two-Factor Authentication (2FA)

So, let’s suppose you’ve taken on board a wealth of information – implemented a strong password, stayed on top of software updates for all your devices, and become adept at recognising phishing attempts without inadvertently clicking on them.

You might even have strengthened your social media and other critical accounts with SMS-based two-factor authentication. However, before you become overly confident, it’s important to recognise that there are still vulnerabilities that can allow hackers to bypass SIM-based 2FA.

It’s common knowledge that many individuals reuse the same password across multiple accounts. When a breach occurs on one of these accounts, hackers can effortlessly gain access to everything from your Amazon to your PayPal account.

The encouraging news, however, is that Two-Factor Authentication (2FA) provides a much-needed additional layer of security. Users who activate 2FA effectively block 99.9% of automated attacks.

The problem with SIM-based 2FA

As attack methods become more sophisticated, hackers have discovered multiple ways to bypass 2FA codes sent as SMS messages. Users can easily be tricked into unwittingly downloading malware onto their device, or fall victim to socially engineered SIM swap fraud.

Some hackers use inexpensive mirroring apps to monitor SMS activity and grab SMS authentication codes without users knowing.

Moreover, if you synchronise SMS messages across additional devices like tablets and laptops, it heightens your vulnerability in case one of these devices falls into the hands of a hacker who can effortlessly gain access to your authentication codes. Hackers may also make deliberate efforts to trigger login requests on widely used services and redirect the 2FA verification codes to their own smartphones instead.

In the main, users communicate via encrypted messaging apps such as WhatsApp and iMessage. But SMS does not offer these same protections, and phone numbers were never designed with security in mind or as a method to authenticate our identity.

What should you use to replace SMS for 2FA?

Having any type of two-factor authentication (2FA) in place is better than having none at all. It truly is the most straightforward means to safeguard your accounts and reinforce your cybersecurity.

Given the rising number of security breaches and the warning alerts regarding SMS-based 2FA, when feasible, it is advisable to start unlinking your mobile numbers from online accounts.

Additionally, it is wise to abstain from relying on SMS or phone calls for acquiring one-time codes. An excellent approach to enhance your cybersecurity practices involves substituting SMS 2FA with dedicated 2FA apps like Microsoft Authenticator or Google Authenticator.

If you’re seeking assistance in navigating this cybersecurity landscape, consider reaching out to Riven.

We prioritise understanding, planning, and adapting to any changes that may impact your environment.

Feel free to contact us at 01784 437 123 or via email at enqs@rivenassociates.co.uk.

Additionally, you can sign up for our monthly newsletter to stay updated on the latest cybersecurity insights and strategies.
