Why SMS and voice-based authentication are vulnerable to attacks
Multi-factor authentication (MFA) is widely regarded as the bare minimum level of protection for accounts against phishing and brute-force attacks. As mentioned in our earlier guidance, MFA stops an attacker who has guessed or stolen your password from signing in, because the password on its own is no longer enough.
Alex Weinert, the Director of Identity Security at Microsoft, has advised everyone to move away from SMS and voice authentication methods, as he considers them the least secure MFA mechanisms available today.
In this blog, we’ll explore why SMS and voice-based authentication are vulnerable to attacks and discuss recent real-life examples.
SIM swapping
To take over your phone number, a hacker contacts your mobile operator, impersonates you using personal information such as your date of birth and address, and persuades the customer service representative to transfer your number to a SIM the hacker controls.
Once your number is active on the hacker's SIM, every call and text meant for you goes to the hacker instead, including any multi-factor authentication prompts that rely on your phone number, such as SMS codes and voice calls. This is how Twitter's then CEO, Jack Dorsey, had his own Twitter account hijacked in 2019.
The FBI has also raised awareness of this scam to protect consumers against digital currency theft.
Texts can be intercepted
Even without a SIM swap, hackers can use third-party SMS routing companies to silently reroute text messages meant for you to a number they control.
A more technical approach is a Signaling System 7 (SS7) attack. SS7 is the protocol that telecommunications companies use to communicate with one another when routing calls and text messages. As SS7 is a legacy protocol, it was designed before there was a general awareness of cyber security, and it trusts other networks without authenticating them. The National Cyber Security Centre describes these as 'man-in-the-middle' attacks: a hacker with access to the SS7 network can redirect your incoming messages to themselves for a brief period without being detected.
Network outages
If you are working or studying in an older building, in a remote area or on public transport, your phone may briefly lose signal, preventing you from receiving text messages or phone calls.
Most multi-factor authentication smartphone apps also act as a token generator: they calculate a one-time code on the phone itself from a secret shared at enrolment and the current time, so you can still sign in with no signal at all.
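To make concrete why an authenticator app keeps working without signal, here is an added example (not code from the original post, and not Duo's or Microsoft's own implementation) of the time-based one-time password (TOTP) algorithm from RFC 6238 that such apps implement, written with only the Python standard library. The shared secret is the published RFC 4226/6238 test key, used here as constructed demo data rather than a real account key; the verifier with its replay check is our illustration of what a server does with the code, not any vendor's code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII test key from RFC 4226 / RFC 6238, not a real account key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.

    Nothing here touches the network: the code depends only on the shared
    secret and the phone's clock, which is why an app still works with no signal.
    """
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the accepted time-step, or None.

    Tolerates +/- `window` steps of clock drift between phone and server, and
    rejects any step <= `last_used` so a code captured once cannot be replayed.
    """
    counter = int(unix_time) // step
    for skew in range(-window, window + 1):
        candidate = counter + skew
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Enrolment QR codes (otpauth:// URIs) carry the secret as unpadded base32."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)             # restore padding base32 decoding expects
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    b32 = base64.b32encode(DEMO_SECRET).decode().rstrip("=")
    print("Secret as it would appear in an enrolment QR code:", b32)
    print("Code at 1970-01-01T00:00:59Z:", totp(DEMO_SECRET, 59))   # 287082 per RFC 6238
    print("Code right now:", totp(DEMO_SECRET))
    print("Accepted at step:", verify_totp(DEMO_SECRET, "287082", 59))
```

Two practical consequences follow from the algorithm. The phone's clock must be roughly correct (most apps warn if it drifts beyond the server's window), and a code is only as secret as the enrolment key: the base32 string in the QR code must be treated like a password, since anyone who copies it can generate the same codes.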
How to move from SMS and voice to smartphone apps
Staff using Duo Security can sign into the Duo portal and change their authentication method to the Duo Mobile smartphone app on iOS or Android.
Students using Microsoft multi-factor authentication can sign into the online portal and change their authentication method to the Microsoft Authenticator app.
Get in touch with the IT Service Desk if you need assistance.