SMS two-factor authentication is still better than nothing.
SMS messaging has some serious security vulnerabilities, but does that mean you should always avoid it? No.
I keep hearing from people telling me that using SMS text messaging for two-factor authentication is broken, risky, not secure, and so on.
They’re not wrong.
But here’s the thing: as broken as it may be, if it’s the only two-factor option available, you’re safer using it anyway.
Recently publicized exploits in SMS messaging do cause concern, and if you have the ability to use alternative forms of two-factor authentication, you should. Regardless, even with known exploits, using SMS for two-factor authentication remains more secure than not using two-factor authentication at all.
The latest break
A recent story at Vice.com — ”A Hacker Got All My Texts for $16“ — points out several flaws in the text-messaging ecosystem.
The most well-known issue, “SIM swapping”, is nothing new. It’s a kind of social engineering where a hacker impersonates you and has your mobile number moved to their device. Then they get all your calls and texts.
It’s unclear how successful the technique is. Given that it’s based on a hacker’s ability to fool a customer service representative, I imagine the success rate varies widely.
Apparently, there’s an easier hack only recently making the news.
There are legitimate services used by various businesses to redirect text messages from one number to another. In theory, they confirm it’s legitimate and gain the permission of the owner of the number being redirected.
In practice, it looks like they don’t.
It seems anyone can sign up and get your text messages to be redirected to their device. Unlike SIM swapping, where suddenly your mobile stops working, there is no indication to you that anything is wrong.
Hopefully, the recent publicity will cause these services to become a little stricter. Unfortunately, I expect there’ll always be one or more services that don’t. The door on this vulnerability may be closing, but it’ll never shut completely without either legislation or major changes to the underlying SMS technology.
And yet, I still recommend using SMS in some circumstances.
Some is better than none
Let’s say you’re at your local bank and a robber enters, wielding a gun and shooting.
Do you hide behind a nearby desk, or do you freeze and remain an obvious target for the gunman to shoot? You dive behind that desk, of course.
Now, what if I told you the desk will stop only 50% of the bullets commonly used by bank robbers? Depending on the ammunition the bad guy happened to bring that day, the desk you’re hiding behind may or may not protect you if he targets you.
Do you still hide behind that desk, or do you now decide to remain standing, since the desk is less than 100% effective? Of course you hide! Hiding gives you a 50/50 chance of being protected from the gunman’s bullet. Standing up? Zero percent. If he targets you, you’re hit.
SMS two-factor is like that desk, except that it protects you much better than a 50/50 coin flip.
What it takes to get
If you have SMS two-factor authentication enabled on your account, here’s what a hacker needs to do to be successful:
- Know your username/login ID.
- Know your password.
- Know your mobile number.
- Intercept the SMS messages sent to your number.
If any one of those is false, the hacker can’t hack. All four must be true for a hacker to be successful.
If you don’t have two-factor enabled, the hacker needs to:
- Know your username/login ID.
- Know your password.
That’s it. Simply knowing those two things is enough to sign in as you and gain access to your account.
As broken as it might be, SMS two-factor is still better than that.
Use better alternatives, when you can
One of my financial institutions offers to send me a confirmation code by SMS to my cell phone or via email. Email is a more secure choice. It’s slower, but the security of financial accounts is worth the wait.
Another institution offers only text-messaging for that code. I still use it, because requiring that code is still safer than not needing it at all. Besides, it’s extremely unlikely that someone would target me or my phone. Possible, yes, but very unlikely.
Nonetheless, if your provider offers other alternatives to two-factor authentication besides SMS text messaging, then I recommend you strongly consider using one of those instead.
Better alternatives include:
- Google Authenticator-compatible smartphone apps.
- Email notification.
- Account-specific key fobs that display a changing number.
- Hardware devices like YubiKey.
But, perhaps to belabor the point, if all they offer is SMS two-factor authentication, then use SMS two-factor authentication.
It’s still better than no two-factor authentication at all.
Speed up with my special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.
NOW: name your own price! You decide how much to pay — and yes, that means you can get this report completely free if you so choose. Get your copy now!
This post was written by Leo Notenboom and was first posted to AskLeo.com
Do you find this article helpful? Your Friend might too. So, please Share it with them using the Share button above.
Will you like to get notified when I post new updates? Then Follow me on any of my social media handles: Google News, Telegram, WhatsApp, Twitter, Facebook, Pinterest.
You can also drop your email address below if you wish to be notified by mail.