The Chaos Computer Club (CCC) computer security association warns against using two-factor authentication (2FA) via SMS. In addition to the known attacks to intercept messages with one-time passwords, they now show another attack scenario.
advertisement
In order to effectively secure online accounts, you should enable two-factor authentication wherever possible. Due to this extra layer of protection, in addition to the password, you also need a login code, which is sent to the account holder via SMS or an authentication app. Accordingly, a leaked password is not enough for attackers to hack into an online account.
But by swapping the SIM card or attacking the SS7 communications standard, attackers can intercept SMS messages and view the codes. By swapping the SIM card, attackers attempt to take over the SIM card and thus the victim’s phone number and identity. Now in a report, the CCC outlines another way SMS messages for one-time two-factor authentication (2FA) passwords are insecure.
2FA codes are available online.
Many companies that offer two-factor authentication to their customers rely on the service provider to send SMS messages. According to their own information, security researchers have now been able to view nearly 200 million 2FA codes from SMS service provider IDIDMobile. According to their statements, they were “in the right place at the right time.”
Since the SMS sender shares 2FA codes in real time on the Internet, they were able to see one-time passwords and even phone numbers and senders’ names by guessing a subdomain (“idmdatastore”). In this case, it is clear that the service provider acted with gross negligence and did not provide adequate protection for sensitive customer data.
The CCC says that over 200 companies including Amazon, DHL and Facebook work with DefateMobile. It is currently unclear whether criminals can also view the data.
Conclusion
Two-factor authentication certainly provides more security, but account holders should disable sending two-factor authentication codes via SMS and instead use an app like Google Authenticator, which generates codes locally on the device. Alternatively, you can also use a passkey for added account security.
(to)
