Beyond Text Messages: How to Secure 2FA Against Phone Authentication Scams

If you or your employees access protected information with authentication codes sent to a cell phone, you might want to rethink your plan. Two-factor authentication (2FA) based on text messages can fall prey to phone authentication scams.

That’s not to say 2FA itself is a problem. You should keep using it, and many organizations have adopted it to prevent threat actors from using stolen account credentials. Malicious actors still try to grab authorized users’ credentials for their own purposes. In fact, X-Force IRIS observed that the unauthorized use of credentials accounted for 29% of all attacks in 2019.

So why is short message service (SMS) 2FA not as secure as it looks? And what other kinds of mobile-based multifactor authentication (MFA) can you use instead?

SIM Jacking: The Problem With SMS-Based MFA

SMS-based MFA is particularly vulnerable to the SIM-swap phone authentication scam, says Alex Weinert, group program manager for identity security and protection at Microsoft. This is one of several types of social engineering attack. In this case, a threat actor contacts a mobile service provider and pretends to be one of its customers.

First, the attacker claims to have lost their device. They ask the cell phone carrier to transfer the targeted customer’s SIM card to a device under their control. Many mobile service providers require customers to set up PINs to protect their accounts against a SIM swap attempt. But that doesn’t prevent customer service workers from feeling the tug of compassion a ..