Blog Feed

4 Reasons Two-Factor Authentication Isn’t a Panacea

Posted by on 19:07 in Engineering, R&D | 0 comments

Two-factor authentication (2FA) is an indispensable cybersecurity measure used to protect data. Most modern information security standards, regardless of their area of application (PCI DSS, PSD2, HIPAA, etc.), demand multi-factor authentication (MFA) among other data protection methods. This approach mitigates the danger coming from such attack vectors as brute-force password cracking, keylogging, social engineering, phishing, and some kinds of man-in-the-middle attacks. Nevertheless, two-factor authentication is not a cure-all solution by itself. It is just a single component in a larger set of requirements for high-quality data protection. Taking care of data security means implementing a comprehensive plan of action. For example, this is clearly seen in the article 10 Steps to Eliminate Digital Security Risks in Fintech Project, where we analyzed the components needed to protect payment gateways from cyber threats. In the current article, we’ll unveil the weaknesses of two-factor authentication you have to keep in mind when strengthening your security infrastructure with MFA. And, of course, we’ll discuss the possible solutions to these weaknesses.

1. SMS authentication is not secure

The US National Institute of Standards and Technology (NIST) long ago recommended that every company abandon SMS authentication as insecure and no longer suitable as a strong authentication mechanism. But many companies worldwide still opt for SMS to deliver one-time passwords in their 2FA infrastructures. And it was only three months ago that Reddit admitted this method was not as effective and secure as the company had hoped. No doubt, SMS authentication is convenient for companies and users alike. But is it a reliable option? Unfortunately, no. Let us review the SMS authentication vulnerabilities.

SIM-card Replacement

In most cases, it wouldn’t be a hard task for a dedicated culprit to use a mobile operator’s SIM-card replacement service and intercept a victim’s number. The information needed for this fraud can be found in public sources or bought on the dark web.

Network Protocol Vulnerabilities

The next potential risk hides in the cellular protocols, and in the fact that SMS exchange is not encrypted in any way. The security of SMS transport depends on the security of the cellular network. There are a number of vulnerabilities in consumer cellular networks, as well as methods of exploiting them; some of the most advanced ones do not even require costly hardware or specific skills. From this point of view, using SMS for security is rather dangerous. Moreover, since a usual SMS exchange is not encrypted in any way, an employee of a network center with the proper access can freely read all the messages, not to mention all the possible ways to intercept the radio transmissions.

Malware

There are tons of fraudulent software aimed at stealing sensitive data, and mobile device trojans intercepting SMS messages are nothing new. Infection is immediate; the consequences are dire. Malware that has ingrained itself into the gadget can play a variety of roles:
- intercept the entered login credentials and one-time passwords as well;
- track all the sent and received messages;
- record voice calls;
- copy the SIM card parameters and contact information;
- provide capabilities for remote control;
- turn a device into a member of a botnet or a crypto-currency mining agent, etc.

The tech-savvy attacker has nearly unlimited opportunities, especially when it concerns making use...

Duo Security vs Protectimus

Posted by on 13:50 in Protectimus Products, R&D | 0 comments

Recently, Cisco declared its intention to purchase Duo Security for US$2.35 billion. Naturally, this is an important event not only for Duo Security, but for the entire multi-factor authentication industry. A sale of this magnitude confirms that the demand for two-factor authentication is higher than ever before. This also shows that there is a demand for simpler, less expensive means of delivering one-time passwords, since Duo prominently advertises its rejection of hardware tokens in favor of 2FA apps, push notifications, and SMS messages (which are expensive and not secure). Protectimus fully supports Duo Security’s efforts to simplify and reduce the cost of OTP delivery, but we remain convinced that security must not be sacrificed in the process. For example, in order to hasten the move away from SMS authentication to more modern, reliable MFA technologies, we’ve figured out how to deliver one-time passwords using chatbots on messaging services. This is much more efficient, secure, and convenient than SMS. Hardware tokens are also among the products we offer, and they can be connected to practically any site: from Google, Facebook, Dropbox, and Slack to cryptocurrency exchanges like Bitfinex, Coinbase, Poloniex, and so on. In light of that, has Cisco made the right decision? Should they maybe have spent $2.35 billion on acquiring Protectimus instead? We’ve decided to compare the solutions from Duo and Protectimus to settle the matter objectively.

DON’T LIKE LONG READS? FIND OUR CONCLUSIONS IN A COMPARISON TABLE AT THE END OF THE ARTICLE.

1. Server-side component

Duo Security

Duo is a cloud-based 2FA solution. The choice of the SaaS model is completely logical. It makes integration fast and reduces the cost of deploying, protecting, and maintaining an authentication server. This style of interaction is convenient and easy for the client and company alike. In addition, it’s a rather modern approach to strong authentication, so it fits well with Duo Security’s concept as a modern, innovative provider of revolutionary MFA solutions.

Protectimus

The Protectimus two-factor authentication solution is available not only in cloud-based form but also as an on-premise platform. Often, we advise customers to choose the cloud-based service, since it’s convenient, fast, and modern. Clients connected to the Protectimus SaaS service don’t need to waste time and money on extra equipment, security measures, and sysadmin salaries — there’s no load balancing or other infrastructure issues to worry about. The result is rapid integration with minimal costs. However, some companies can’t make use of cloud-based services because of strict information security rules, either from within the company or imposed by the government. For these cases, we made it possible to purchase an on-premise platform that clients can install in their own environments, allowing them to retain full control of the authentication server. Both the on-premise platform and the cloud-based service are available with a subscription. Lifetime licenses for the platform can also be purchased. You can find out more about the differences between the cloud-based service and the platform here.

2. Features

Duo Security

Note: Nearly all features examined in this section can be activated only with Duo’s most expensive payment plans, Access and Beyond. Self-service is also available in the Duo MFA basic plan.

Duo offers a range of additional features to make administration easy and increase the level of resource access protection:
- User self-service.
- Geographic filters.
- Prohibiting access from...

Duo Security vs Protectimus: Features

Posted by on 13:44 in Protectimus Products, R&D | 0 comments

In Duo Security vs Protectimus, we touched on all the aspects of the Duo and Protectimus two-factor authentication solutions. We examined the technologies these companies use, their methods of delivering one-time passwords, the availability of an API and pre-made plugins for integration, pricing, availability in cloud-based and on-premise forms, and — briefly — the features of each solution. In this article, we describe in greater detail the features available to administrators and users of the Duo and Protectimus multifactor authentication services. You can use this table to navigate the article more easily.

Duo Security:
- User self-service
- Geographic filters
- Network- or IP-based access control
- Role-based access policies
- Monitoring and identification of vulnerable devices

Protectimus:
- User self-service
- Geographic filters
- Adaptive authentication
- Differentiation and delegation of authority within the system
- Ability to assign different types of tokens to different users
- Time-based filters
- CWYS (Confirm What You See) data signing functionality

Duo Security

Note: Nearly all features examined in this section can be activated only with Duo’s most expensive payment plans, Access and Beyond. Self-service is also available in the Duo MFA basic plan.

User self-service

Users can issue and manage tokens themselves. This saves administrators time. Saving administrators time means saving the company money, which is always good.

Geographic filters

These allow administrators to grant access to a resource only from a specified geographic location. Or, they can deny access from certain countries (for example, North Korea or Russia).

Network- or IP-based access control

This feature is also referred to as adaptive authentication by Duo. It gives administrators the ability to block access to a resource from anonymous networks (such as Tor). Access can also be allowed or denied from a specific range of IP addresses.

Role-based access policies

This makes it possible to impose stricter authentication rules for specific users or groups of users, depending on their roles and their levels of access to data. For example, an accountant might be able to choose any authentication method — SMS, push notifications, or a one-time password from an app — while a network administrator might be required to use a hardware token exclusively.

Monitoring and identification of vulnerable devices

This unique technology allows you to keep tabs on users’ “device hygiene” if they have the Duo Mobile app installed. Using this system, you can see how well-protected each device is:
- find out if biometric authentication and screen lock settings are configured;
- find out if antivirus is installed;
- find out what operating system, browsers, and plugins are installed, and whether they’re up to date;
- see if the device is personal or company-owned;
- see if the device has been rooted, etc.

An administrator can block access to the system from devices that don’t meet preset requirements (for example, if no antivirus is installed).

Protectimus

Note: All features examined in this section are available with all payment plans, including the no-cost Protectimus Free plan.

User self-service

This feature takes a burden off the system administrator’s shoulders, saving the administrator time and the company money. Users can issue and manage their own tokens.

Geographic filters

These allow restricting access to specific countries only. Access from specific countries (Russia, North Korea, etc.) can also be blocked.

Time-based filters

This feature allows granting access to a resource only at certain times; for example, only during business hours. This approach significantly increases...

Duo Security vs Protectimus: Authentication Methods

Posted by on 13:31 in Protectimus Products, R&D | 0 comments

You can find a general comparison of the Duo Security and Protectimus two-factor authentication solutions in the article “Duo Security vs Protectimus”. In it, we explore the features and technologies used by Duo and Protectimus, the availability of these solutions in cloud-based and on-premise forms, integration options and prices, and the authentication methods offered by each company. Here, we describe the authentication methods available to Duo and Protectimus clients in greater detail, as well as examining each option’s pros and cons. You can use this table to navigate the article more easily.

Duo Security:
- 2FA app
- Push notifications
- HOTP tokens
- TOTP tokens
- U2F tokens
- SMS authentication
- Voice calls
- Backup codes

Protectimus:
- 2FA app
- Push notifications
- HOTP tokens
- TOTP tokens
- OCRA tokens
- Reflashable TOTP tokens
- SMS authentication
- Email authentication
- Protectimus Bot

Duo Security

Duo Mobile 2FA app

Duo Push

Duo Security’s pride and joy. Push notifications were introduced to make the process of two-factor authentication as simple as possible. Instead of opening a 2FA app for one-time password generation, finding the code generated for the desired service, and then inputting 6 digits into a password entry window, the user needs only to unlock their smartphone and tap the “Approve” button. There’s another advantage: if a hacker attempts to gain access to the user’s account, a push notification will appear. The user can block the access attempt by tapping the “Deny” button. The Duo Mobile app can be synchronized with smart watches, so users can receive push notifications directly on their watches. It’s quite convenient. The main drawbacks are that it’s impossible to authenticate without internet access, and users may have to use their personal phones for business purposes.

HOTP and TOTP

The Duo Mobile app can generate one-time passwords using only the HOTP and TOTP algorithms (note that TOTP tokens can become desynchronized from the server time; Duo Mobile lacks a synchronization feature). HOTP passwords are used to log into accounts protected by the Duo two-factor authentication service if the user cannot receive push notifications. Support for the TOTP algorithm is included in order to facilitate the use of the app for authentication with third-party services not connected to Duo Security, such as Google, Dropbox, and GitHub.

Hardware tokens

HOTP tokens

The Duo Security two-factor authentication service supports hardware HOTP (HMAC-based One-Time Password) tokens from any vendor. It also sells its own HOTP tokens. It’s worth noting that while the HOTP algorithm does meet OATH (Initiative for Open Authentication) standards, this algorithm is outdated and cannot be considered sufficiently secure, particularly in the case of hardware tokens. The moving factor used to generate one-time passwords with the HOTP algorithm is a counter. If an attacker has the opportunity to gain control of the token for even a few minutes, the attacker can write down a few one-time password values and use them at any time. In the process, the actual user may also lose access to their account, as the token will become desynchronized from the authentication server.

TOTP tokens

Duo Security allows connecting third-party TOTP hardware tokens to its 2-factor authentication service but doesn’t recommend it, as there is no functionality for time synchronization in its MFA system.

U2F tokens

The Duo Security two-factor authentication service also supports the U2F (Universal 2nd Factor) standard, developed by the FIDO (Fast IDentity Online) alliance...

How to Protect Facebook Account from Being Hacked

Posted by on 15:20 in Engineering, R&D | 0 comments

Why should you worry about protecting Facebook from hacking

Many tend to believe that the security of their social media presence isn’t the first thing worth the effort to work on. You don’t often see a question like ‘How Can I Protect Facebook Account From Being Hacked?’ unless the person asking got hacked recently and now seeks protection based on bitter experience. What does a hacker get when they hack your FB account? Obviously, criminals get access to all your photos and messaging history, which opens ‘great’ social engineering opportunities. You might have heard stories where close friends ask to borrow some money in a message and, well, many people say ‘Sure, here you go!’ and get scammed. Criminals may also extract much more information from your private messages. Who would like their messages to be read by a stranger at all? There may be some confidential info there. Secrets. Passwords. Nudes? What if all this becomes public? You can ask Jennifer Lawrence about what might happen. Hackers can ultimately undermine your reputation and make your friends’ private information also vulnerable to publicizing and other manipulations. But the main thing is that GDPR (General Data Protection Regulation) has now come into force and Facebook allows users to download all private data related to their personal accounts in one click. That means a hacker who gets into your profile will be able to do the same. This article will tell you how to protect your Facebook account from being hacked and offer a whole list of Facebook security best practices. Let’s secure your account and keep your private info safe.

Zuckerberg's own Facebook account got hacked in breach https://t.co/Fs4DHBeSS6 pic.twitter.com/AzL9HUw5Sa — New York Post (@nypost) September 29, 2018

Useful to know: Top 10 Ways Hackers Use To Hack Facebook Accounts

Now let’s get acquainted with a list of Facebook profile hacking options and find out how to protect your Facebook account from being hacked:

Method: Password phishing
Description: The most popular and fruitful way to get your account data is the creation of full copies of real Facebook pages. Victims enter their emails and passwords to log into a fake page, becoming easy prey for a scammer.
What to do:
- Try not to work with Facebook from unknown devices;
- Use a VPN while using public WiFi;
- Don’t click the links in emails from the ‘Facebook team’ claiming your account is hacked and you must enter your verification data immediately;
- Try to use Google Chrome for Facebook; this browser is able to recognize some phishing web pages.

Method: Authentication data saved in the browser
Description: A browser usually offers to save your login and password to automate further authorizations when you enter your Facebook page. If you accidentally launch a hacker resource and allow saving the data, your security gets ultimately undermined.
What to do: Never use automatic authorization in your browser for any website, including Facebook. To find out which passwords you have already saved and secure yourself from the chance of being hacked, enter the following in Google Chrome: chrome://settings/passwords. Learn how to check saved passwords in Firefox here.

Method: Email breach
Description: Sometimes, it’s easier for scammers to break into your email than to hack FB. If you don’t use a strong password to protect access to your email account and don’t activate two-factor...

Windows Computer Safety Tips

Posted by on 12:20 in Engineering, R&D | 0 comments

Windows is undoubtedly the most popular family of operating systems for personal computers and laptops worldwide. It is used on home machines and corporate workstations alike, so the question of ensuring Windows user profile security is essential. This article provides some Windows computer safety tips we hope will be useful to you.

In order to understand how to protect Windows and what Internet safety measures there are, we must first understand which Windows security breaches are possible and widespread. That said, there are 10 major Windows security issues to keep in mind:
1. Unpatched and outdated software.
2. Lack of antivirus for Windows 7 or later versions.
3. Disabled Windows firewall.
4. Absent disk encryption and backups.
5. Lack of minimum Windows security standards.
6. Full access permissions for everyone.
7. Weak passwords.
8. Insufficient Windows security policy strength.
9. Legacy software within the corporate network.
10. Mobile access exploits.

Even this short breakdown of the main issues of Windows computer protection highlights the massive problems any business can face if they prefer to leave the matter unattended. Luckily enough, there are multiple solutions for each of the aforementioned issues, and we will list them too.

1. Update Windows and Software Regularly

Disabling automatic Microsoft Windows updates is the easiest way to ensure the system won’t begin to upgrade while you are playing your favorite online game, yes. However, this is also the shortest route for hackers to get access to your system once they are inside the network. Still thinking that providing full access to anyone was a great idea? When you use only licensed and fully updated software, the risk of catching a virus is significantly reduced. Do you recall the 2017 Petya ransomware attacks in Europe? It turned out the major part of the infestation was done through a security backdoor that had been fixed by a Windows update released… 6 months prior to the attacks! If only the users had spent 10 minutes to download and install it… Instead, they either paid the ransom or lost their sensitive data.

Enable automatic Windows updates

For Windows 7 updates, go to the Windows Control Panel from the Start menu, then go to System and Security > Windows Update > Change Settings. Then choose a time when you can spare about 15-30 minutes to download the Windows upgrade files, install them and reboot the computer — and rest assured your Windows system files are up-to-date. The same goes for all the software you use, as new vulnerabilities in multiple software and hardware tools are discovered daily, like the Meltdown and Spectre processor vulnerabilities.

Create a restore point

One of the best ways to secure Windows computers is to create a Windows restore point. Sometimes new drivers are incompatible with some of your hardware, or the update process may go awry, etc. There is a widely-known case where Windows 7 users have to download outdated Nvidia drivers to play Heroes of Might & Magic VI, as any newer version of the video drivers results in a black screen. However, the consequences might be much more serious than the inability to play one of the best turn-based games of all time. To create a system restore point on Windows 7, go to the Start menu, then to Control Panel > System and Security > System, and go to the System Protection tab. Press the Create button and choose the name...

Why US, Canadian, and EU Universities Choose Programmable Hardware OTP Tokens

Posted by on 18:03 in Protectimus Products | 0 comments

Almost all universities and colleges in the US, Canada, and the EU use two-factor authentication to protect their faculty and staff accounts. Quite often they choose in-app 2-factor authentication, which means that one-time passwords are generated on the users’ smartphones. In this case, though, they face a few issues:
- Not everybody agrees to use their personal smartphones for corporate needs.
- Some people still use old models of cell phones and physically can’t download a 2FA app.
- When people use their own devices, there is no guarantee that these devices aren’t infected with viruses.

Many universities turned to Protectimus for help describing the same situation. Among them are The George Washington University, Middle Tennessee State University, College of Central Florida, University of Guelph, Simon Fraser University, Old Dominion University, The University of Groningen, Trent University, etc.

And actually, there is a simple solution (without considering buying corporate smartphones for all the staff): the programmable hardware tokens Protectimus Slim NFC. These OTP tokens are programmed as if they were a 2FA app. All you need is one NFC-enabled Android smartphone for the administrator. The admin scans the QR code with the secret key using the TOTP Burner application and then flashes this secret key to the token via NFC. The TOTP Burner app is available on Google Play for free. The administrator can program an unlimited number of tokens with one smartphone.

So, with programmable hardware tokens:
- You don’t have any trouble with people who don’t have a smartphone or don’t want to use their own device at work.
- You don’t worry about any malware. The hardware OTP token is a standalone device which works without an Internet or GSM connection, so the user can’t infect this device even if they want to.
- The administrator is the only person who knows and stores the secret keys. It’s not possible to pull the secret key out of the token.

Besides, we offer custom branding for any number of Protectimus Slim NFC tokens, starting from a single piece. Check the custom branded tokens our customers already use.

Read also:
- Read more about Protectimus Slim NFC tokens or order a few pieces to test
- How to Program Protectimus Slim NFC Token
- How to Backup Google Authenticator or Transfer It to a New Phone
- The Pros and Cons of Different Two-Factor Authentication Types and Methods
- 10 Basic BYOD Security Rules
- Top 7 Tips How to Protect Yourself from Phishing Scams
- Social Engineering: What It Is and Why It...

Reddit was hacked: how it happened, who the victims were, and why SMS authentication failed

Posted by on 17:59 in Industry News, R&D | 0 comments

Reddit was hacked. The attackers managed to extract logins, e-mail addresses, passwords (salted and hashed, fortunately), and even a complete list of private messages from users who joined the site before 2007. The hackers were also able to access the e-mail addresses and logins of all users who received the site’s newsletter in June 2018. The SMS authentication failed. The attackers were able to intercept SMS messages containing one-time passwords, gaining access to the accounts of several Reddit employees.

Let’s take a closer look:
- What exactly happened, and what is Reddit doing to minimize the consequences of the attack?
- Who were the victims of the Reddit attack, and how can you tell if you’re one of them?
- Why did the SMS-based two-factor authentication fail, and what can you replace SMS messages with if you’re still using them?

Reddit just disclosed a breach, says it’s still investigating severity. Of particular note was that the intruders managed to bypass SMS-based two-factor authentication in the compromise. https://t.co/LCu6XAVn34 This is why physical 2-factor or at least app-based 2FA is superior. — briankrebs (@briankrebs) August 1, 2018

How Reddit was hacked

On June 19, 2018, the Reddit team realized that there had been a data leak. The attack itself happened sometime between June 14 and 18. The attackers managed to compromise the accounts of several Reddit employees who had access to cloud storage and source code. Access to the employees’ accounts was protected by two-factor authentication, but through the traditional, old-fashioned method of delivering one-time passwords in SMS messages. The attackers intercepted the SMS messages containing one-time passwords and were able to bypass two-factor authentication. If all of Reddit’s staff had been using hardware tokens, the hackers wouldn’t have had even a chance at succeeding. Despite the seriousness of the attack, the attackers weren’t able to make any changes to the system. They had only read access. Nonetheless, they were able to view source code, configuration files, and internal logs. They were also able to download backups. Thus, all data regarding users and the operation of the forum, from its founding until 2007, fell into the hackers’ hands. The attackers also downloaded a database of e-mail addresses belonging to users who received e-mail newsletters in June 2018.

What Reddit has done

First of all, Reddit’s administrators strengthened the security of the logging, encryption, and monitoring systems. They also discontinued SMS authentication, in favor of software and hardware OTP tokens. They reported the incident to law enforcement agencies, and an investigation was launched. Reddit users who may have been affected were sent messages with information about the incident, encouraging them to look after the security of their accounts — change passwords, enable two-factor authentication. Detailed instructions on how to activate two-factor authentication for Reddit are available here.

So is Reddit actually emailing people who had their addresses and usernames exposed? The way this reads, it doesn’t sound like it and they’re relying on people to check if they’ve been receiving email digests and draw a conclusion from that, right? https://t.co/s2pFDAD9NN — Troy Hunt (@troyhunt) August 1, 2018

Who was affected by the Reddit attack

Reddit’s team is not disclosing the number of affected users. All the same, we’re talking about millions of people. The affected users can be divided into 2 groups: Everyone...

How to enable two-factor authentication on Reddit

Posted by on 19:38 in Setup Guides | 2 comments

Learn more about the Protectimus Slim NFC security token or order one here: Protectimus Slim NFC. The best 2FA token to protect your Reddit account!

To set up two-factor authentication on Reddit, first of all, log in to your Reddit account and initiate the two-factor authentication setup.
1. Go to the “User Setting” page using the navigation menu in the upper right corner.
2. Click “Privacy & Security”.
3. Choose “Two-factor authentication”.
4. Click the button “click to enable”.
5. Confirm that your email address is correct.
6. Enter your password and click “Next”.
7. You will see the QR code with the secret key. Now you can either scan it with your authentication app (Google Authenticator, Protectimus Smart, Authy, etc.) or add it to your hardware security token Protectimus Slim NFC. Learn how to program the Protectimus Slim NFC token.
8. After you have programmed the hardware OTP token or enrolled a software token on your smartphone, enter the 6-digit one-time password in the corresponding field and click “Enable two-factor”.
9. You’ll see the notification about successful 2-factor authentication setup.

Enjoy reliable and convenient protection for your account — make hackers’ lives difficult with two-factor authentication on! Main image...

Non-SMS Two-Factor Authentication for Instagram. Why Is It Good?

Posted by on 13:03 in R&D | 0 comments

Did you know your Instagram two-factor authentication is ensured by a technology that has a backdoor as big as the one in the Titanic after it met the iceberg? Well, we will tell you more: the same faulty technology may still ensure the security of your Facebook and Twitter accounts! The last, but not the least important — you use the same technology to confirm most of your online purchases, so yeah — your banking account can be compromised as well. The name of that flawed technology is SMS authentication.

SMS-based 2-factor authentication has a few huge drawbacks, undermining the system’s functionality:
- SMS messages are stored and sent as plaintext on your smartphone and can be compromised with malware;
- SMS messages are transmitted over inadequately protected channels;
- Any mobile operator’s employee can move your phone number to another SIM card.

Therefore, either by bribing a mobile operator’s employee with access to the SMS database or by using the technique known as “SIM porting”, hackers can steal your Internet identity. Meddling with OTPs opens up a wide field of manipulations — from stealing your Facebook, Twitter or Instagram account via the password reset procedure (which is exactly what happened when Katy Perry’s Twitter account was hacked) up to stealing your banking accounts, as banks still mostly rely on SMS to ensure 2-factor authentication. Fortunately, more and more services are moving to more secure two-factor authentication alternatives. And Instagram supports this good trend. On July 18th, 2018, an article on Techcrunch announced that Instagram had started building non-SMS two-factor authentication.

Instagram is finally working on token-based two-factor authentication!! 🎉 Thank you Instagram! I have been waiting for this since 2016! We finally won’t have to rely our account’s security on SMS! 😍 pic.twitter.com/u0iIPTaZO2 — Jane Manchun Wong (@wongmjane) July 17, 2018

What’s wrong with SMS authentication?

1. SIM swap is real!

The hackers can contact the mobile operator’s technical support with a request to port your phone number to another SIM-card, and by completing the verification with the help of social engineering tactics, they will be receiving your SMS messages (including the ones with one-time passwords) from then on. In fact, the issues with SIM porting have become so common, and the risks of using SMS for two-factor authentication have proven to be so grave, that the US National Institute of Standards and Technology (NIST) recommended dropping SMS for OTP delivery back in 2016. However, this call has not yet been followed by the majority of the financial industry, healthcare, insurance and so on. Almost any business dealing with your Personally Identifiable Information (PII) promotes using SMS two-factor authentication as an additional lever for ensuring security, or at least leaves this opportunity to their users.

Read also: Dutch Scientists: SMS Verification Is Vulnerable

2. Your smartphone might be compromised with malware

SMS messages are stored in plain text on your mobile device. Many models of smartphones are susceptible to specific Trojans like Perkele, Zitmo, Zeus or Citadel, which can be downloaded as malware with some third-party apps and monitor the SMS messages with OTP codes. That said, while your smartphone is considered a safe-haven device for the case when your PC or laptop is compromised, it is actually the smartphone that can provide the backdoor to your data.

3. Don’t rely...
