How two-factor authentication can protect you from a hacker
Users who rely on two-factor authentication via SMS and treat it as a safeguard for account login are in a difficult position: cyber criminals are adopting new tactics to swindle them.
The second layer of authentication that applications implement to protect accounts usually involves a code sent to the user's mobile device via SMS. However, threat actors have devised effective tactics for acquiring the code sent to the phone and thereby gaining unauthorized access to the device or application. These tactics include:
- Intercepting unencrypted messages sent over a network: Attackers leveraged this technique to target German bank accounts last year. Threat actors exploited a vulnerability in the signaling network of telecom operators to redirect calls and text messages. Users attempting to log in to their bank accounts and waiting to receive a code via text message were thereby deceived: the text messages containing the codes were re-routed to the attackers, who used them to access the users' bank accounts and drain their hard-earned money.
- Stealing telecom operators' database information containing users' personal details: T-Mobile, a well-known telecommunications brand, suffered a data breach last year. A vulnerability in the API of T-Mobile's website was used to acquire users' personal details. This information was then used to impersonate those users and obtain copies of their SIM cards.
- Social engineering: Instances have been reported in which cyber criminals persuaded telecom operators to issue an identical SIM on the pretext of having lost their phones.
- Stingrays:
The StingRay is an IMSI-catcher (International Mobile Subscriber Identity catcher): a telephone eavesdropping device, originally developed for the military and intelligence community, that intercepts mobile phone traffic. Cyber criminals use stingray devices to mimic mobile phone towers and capture the information of nearby mobile devices.
This list of attacks against two-factor authentication via SMS is non-exhaustive. It is therefore always recommended not to share sensitive information over standard text messages, as they are insecure and can be easily intercepted.
The security community has therefore expressed a pressing need for other forms of two-factor authentication. Many tech companies have already started working in this area and have designed tools to protect their apps against the weaknesses of SMS-based two-factor authentication. For instance:
- Authentication App:
Google has built its own authenticator app, which generates a random code that is only valid for a strict time limit. Such apps do not rely on SIM cards. The author holds that this allows users to relax, as they no longer need to check the website's authenticity: the code they enter does this job, and if the entered code does not match, Google apps cannot be accessed.
Also, if anyone, including the user, tries to access the account from another device, the user is notified via an email or a text message. This helps prevent unauthorized access to the user's account.
- Hardware token:
A hardware token is a security device possessed by an authorized user to gain access to electronically restricted resources. Since it is a physical device, the information delivered using a hardware token does not rely on the telecom network. Two-factor authentication using hardware tokens is therefore widely preferred by consumer tech companies: it leaves no room for cyber criminals to breach the account unless they have physical access to the device.
The most popular example of a hardware token is the YubiKey, which is supported by tech giants such as Facebook and Google. The YubiKey is a hardware authentication device that allows users to log in to their accounts securely. It supports one-time passwords, public-key encryption and authentication, and the U2F (Universal 2nd Factor) protocol.
Universal 2nd Factor (U2F) is an open authentication standard that uses specialized USB (Universal Serial Bus) or NFC (Near-Field Communication) devices to strengthen and simplify two-factor authentication (2FA).
- Biometric Second Factor Authentication:
This technology is mainly used in the banking sector. It uses facial, fingerprint or retina recognition, and in some cases behavioral biometrics, to authorize access to the bank account.
Two-factor authentication is recognized as an important cyber security measure for protecting user accounts. More or less all major services now implement some form of two-factor authentication, but the technique they adopt varies. Weaker implementations are easy targets for threat actors, who have little trouble bypassing the security, intercepting codes or exploiting account-recovery systems.
Hence, merely having two-factor authentication is no longer enough. Adopting a more comprehensive approach and carefully selecting the right step-up 2FA mechanism for your environment is vital to enhancing service security.