Text Based MFA Shown to Have Numerous Security Issues

Password protection used to be the gold standard for keeping yourself safe and secure online, but it has recently fallen out of favor because brute force attacks make passwords difficult to protect. Multi-factor authentication (MFA) adds a new layer of security that complicates matters for malicious actors. Even so, SMS-based MFA codes might not be as secure as many assumed.

Researchers at Black Hat recently revealed a technique known as “smishsmash” that can make it very easy for hackers to access MFA codes sent via text message. Smishing is a form of phishing that uses text messaging to send you a link that would give all of your login details to a malicious actor, and it makes MFA considerably less secure.

Spoofing a text message is remarkably easy. Additionally, people tend to trust texts that they receive a lot more than emails, so they are more likely to enter the requested details without realizing the risk this poses to them.

A far more secure method for MFA involves using texts sent through an authenticator app. The main advantage of this method is that it is quite difficult for malicious actors to spoof notifications if you use one. Companies that require their customers to use 2FA or MFA should be encouraged to drop SMS-based codes in favor of the much more secure authenticator app method.

This goes to show that security improvements are moot if they don’t consider all of the relevant factors. MFA is important, but it fails to provide the required security if malicious actors can use phishing techniques to get their hands on the login code, so it’s essential to make the switch sooner rather than later.


H/T: PCMag
