Why SMS and voice-based authentication are vulnerable to attacks 

Tracy Moffat
Wednesday 1 November 2023

Multi-factor authentication (MFA) is perceived as the bare minimum level of security to protect accounts against phishing and brute force attacks. As mentioned in our earlier guidance, MFA prevents attackers from accessing your account if they guess your password.  

Alex Weinert, the Director of Identity Security at Microsoft, has advised everyone to move away from SMS and voice authentication methods as he believes they are the least secure mechanisms available today.  

In this blog, we’ll explore why SMS and voice-based authentication are vulnerable to attacks and discuss recent real-life examples. 

SIM swapping 

To swap your SIM into their phone, hackers will contact your phone operator and impersonate you using personal information like date of birth and address to trick the customer service representative.  

Once the hacker has moved your number onto their new SIM, they can easily intercept any multi-factor authentication prompts which rely on your phone number, such as SMS and voice calls. This was the case for Twitter’s previous CEO, Jack Dorsey, in 2019.

The FBI has also raised awareness of this scam to protect consumers against digital currency theft. 

Texts can be intercepted 

Without SIM swapping, hackers can use third-party companies to silently reroute text messages meant for you to their own number.

A more technical approach is a Signaling System 7 (SS7) attack. SS7 is the protocol that telecommunication companies use to communicate with one another. It is a legacy protocol, designed before there was a general awareness of cyber security. The National Cyber Security Centre describes these as ‘man-in-the-middle’ style attacks: a hacker intercepts SS7 signalling and targets your incoming messages for a brief period, undetected.

Network outages 

If you work or study in an older building, in a remote area or on public transport, your network may suffer brief outages that prevent you from receiving texts or phone calls.

Many multi-factor authentication smartphone apps also act as a token generator, presenting you with an offline one-time code even when you lose signal.

How to move from SMS and voice to smartphone apps 

Staff using Duo Security can sign into the Duo portal and change their authentication method to the Duo Mobile smartphone app on iOS or Android.

Students using Microsoft multi-factor authentication can sign into the online portal and change their authentication method to the Microsoft Authenticator app. 

Get in touch with the IT Service Desk if you need assistance. 
