Você está aqui: Página Inicial / Blog / Understand the risks of using SMS for two-factor authentication

Understand the risks of using SMS for two-factor authentication

You may not know, but the login system for computers using passwords was not designed for the way we use them nowadays. The invention of this protection mechanism goes back to the early days of personal computing when computers were still restricted to companies, universities and research centers. In general, there were only one or two machines for a whole team to use. So, with the aim of “separating” the jobs being handled by each of his friends, engineer Fernando Corbató, who passed away in 2019, invented the password methodology.

Over the years, identity protection technologies have evolved and, nowadays, we rely on things like two-factor authentication, currently an essential account protection resource. 

To access an account when this function is enabled, besides entering the password, you need to confirm that the login is legitimate for a second time. Generally, the system requests an additional code commonly sent to your phone.

The most popular means to receive these two-factor authentication codes is via text message, that is, the famous SMS. What many people don’t know is that, despite this second confirmation via SMS being better than nothing, it isn’t completely safe. It’s not hard for malicious agents to intercept your SMS and then steal these codes.

A completely flawed standard

This danger exists for a really simple reason: text messages were not designed to be safe, rather, they were designed for quick exchanges. Years ago, no one could have imagined that this standard would be used to send such critical and confidential information. As a result, there are a series of flaws that criminals can exploit and which have been highlighted live on many occasions by cybersecurity specialists at specific sector events.

Examples include the SS7 attacks, thus called due to using flaws in the SS7 telecommunications protocol. Employing some simple hardware and a little technical know-how, a criminal can intercept your communication with a mobile phone operator and read all the SMS that reach your phone. It’s the kind of strategy that requires a certain investment and patience on behalf of the criminal, though remains a favorite in striking especially high-profile victims.

A simpler approach is the famous SIM Swap attack. In these cases, the scammer contacts the carrier pretending to be you (often using stolen information from a data leak) and uses social engineering to convince the attendant to transfer the phone line to another SIM card. When you eventually realize what is happening, the scammer will already be getting all your text messages and it will be too late to prevent your account from being invaded.

Employing TOTP applications

Nowadays, the safest way to get two-factor authentication codes is by using authenticator apps. As the name suggests, these are apps that communicate with servers of services you’re attempting to log into and create random codes, which are only valid for a few seconds.

In addition to eliminating the problem of SMS interception, these codes are a lot safer, since they use the TOTP (time-based one-time password) standard. It generates a unique sequence of numbers and characters, based exclusively on local time and expires after a few seconds, while only valid for use once.

As such, TOTP codes are more “random” and harder to guess than tokens arriving via SMS. It’s a good idea to invest in authenticator apps; choose what best suits you and increase your authentication security!

Article originally written in Portuguese by Perallis Security Content Team: Entenda os riscos de usar SMS para autenticação dupla — Perallis Security