Blog Feed
Twitter Two-Factor Authentication in Details

With over 145 million active users, Twitter is widely used not only for personal entertainment but for business and political agendas too. Yet, surprisingly (or not, considering that they did admit to using phone numbers for targeting ads), Twitter was reluctant to forgo SMS for delivering one-time passwords in its 2-step verification for a very, very long time. Finally, in November last year, they gave in and allowed Twitter two-factor authentication without requiring a phone number. In this post we will look into all the 2FA methods Twitter supports, show you how to activate each of them, and show how to make sure you are able to log in even if you lose your Twitter 2FA token.

How to enable Twitter 2FA via SMS and whether it's worth it

As we've already mentioned above, we are decidedly against SMS-based Twitter 2FA. As a matter of fact, we vehemently insist that using SMS to deliver verification codes for MFA anywhere, not only in Twitter 2FA, is not safe and should be avoided if at all possible. Why are we so against SMS? While it is convenient and cheap to use, it is also astonishingly easy to hack. The ways to break into an account that's protected only this way are numerous, starting with a simple SIM swap and ending with more complex things like intercepting the passwords by exploiting the numerous vulnerabilities of the telecom infrastructure. We've talked about these and other SMS 2FA vulnerabilities, like fake cell towers, extensively before; you can read it here. Yet, while Twitter 2FA without SMS is the way to go, we do understand that circumstances might demand otherwise and one might want to know how to receive the Twitter two-factor authentication code via SMS. So here's a simple guide:

1. Go to your account settings ("More" → "Settings and privacy") and find "Security" → "Two-factor Authentication".
2. Check the "Text message" box and press "Get Started".
3. Enter your password, then press "Verify".
4. If there's no telephone number associated with the account, you will need to provide one now.
5. Type in the Twitter confirmation code that was messaged to the provided number.
6. Next you'll get a Twitter backup code on the screen. Make sure to save it, or take a screenshot and store it in a secure place. We'll expand on why later in this article.
7. Click "Got it" to finish.

From now on, to get into your Twitter account on any device, be it Twitter mobile or desktop, an authentication code will be required, and that code will be messaged to your phone.

| Read also: 2FA Chatbots vs. SMS Authentication

Twitter two-factor authentication with a code generator app

So we've established that Twitter two-factor authentication without a phone number is much preferable. But what are the alternatives? A 2FA code generator app for Twitter is a nice Twitter phone number bypass that provides more security than SMS ever could. A one-time Twitter code is generated directly on the smartphone, which eliminates a good portion of the vulnerabilities that can be exploited to gain unauthorized access to your Twitter account. A Twitter verification code hack is way harder to do if the password is not transmitted via GSM, or even the Internet....
TOTP Tokens Protectimus Slim NFC: FAQ

The first programmable TOTP tokens, Protectimus Slim NFC, were released just a couple of years ago. Since then, we've received hundreds of orders, as well as hundreds of questions about how the token works, how a programmable security key differs from a classic one, how to program tokens, and whether or not using this kind of OTP token is secure. In this article, I'll explain how classic TOTP hardware tokens and programmable TOTP tokens work, show you how to program the Protectimus Slim NFC OTP token, and answer all the other common questions we get.

A table of contents for your convenience:
- How do TOTP tokens work?
- How does the authentication server verify one-time passwords?
- How are classic TOTP tokens different from programmable ones?
- Why are reprogrammable TOTP tokens better than the rest?
- How can I tell whether the Protectimus Slim NFC token is compatible with a service?
- How do I program the Protectimus Slim NFC token?
- Frequently asked questions

How do TOTP tokens work?

TOTP means time-based one-time password. Correspondingly, there are two parameters used to generate one-time passwords with the TOTP algorithm:
- The shared secret: a unique code, generally 16-32 Base32 characters long.
- The current time interval (usually 30 or 60 seconds). Time intervals are counted from the beginning of UNIX time (which starts at midnight between December 31, 1969 and January 1, 1970, UTC). That means that for a TOTP device supporting 30-second intervals, the number of seconds that have passed since midnight on January 1, 1970 is divided by 30, and the resulting number is used for generating a one-time password.

The OTP device processes these two values according to the TOTP algorithm (RFC 6238). The result is hashed, and the hash is truncated, leaving only the last 6 (sometimes 8) digits. The result is shown on the token's display. In this way, we receive a time-based one-time password.

How does the authentication server verify one-time passwords?

For the two-factor authentication server to be able to verify one-time passwords and allow or deny access to accounts, it needs the same information: the same time interval and the same shared secret.
- Time interval. Every server has a clock, which means it can also calculate the current time interval.
- Shared secret. There are two options here: the administrator can upload a CSV file to the server containing predetermined shared secrets (this is how classic tokens with hard-coded secrets are connected), or the shared secrets can be generated by the server (this is how one-time password generator apps, like Protectimus Smart and Google Authenticator, are connected, as well as programmable hardware TOTP tokens).

This brings us to an explanation of the differences between classic and programmable hardware tokens.

Classic TOTP tokens: classic hardware 2FA tokens come from the factory with a hard-coded secret key that can't be changed.
Programmable TOTP tokens: programmable OTP hardware tokens don't come with a secret key. The user can add one to the token after obtaining it from an authentication server, as when using a smartphone app for authentication.

How are classic TOTP tokens different from programmable ones?

Classic TOTP tokens

Classic TOTP hardware tokens (Protectimus Two) are OTP tokens with predefined secret keys. To use classic OATH TOTP tokens, customers need the ability to upload the shared secrets...
Best Protectimus MFA Features for Financial Services Cybersecurity

The financial services industry is inherently more at risk of cyberattacks than any other industry. The financial sector includes everything from investment consultants and stocks to insurance and banking; naturally, the money that floats within the financial industry is very tempting to hackers. In fact, according to Verizon's 2019 Data Breach Investigations Report, 71% of recent cyber attacks were motivated by money itself, nothing else. Besides, as with every other aspect of modern-day life, more and more financial services are moving online. It is inevitable that cyber attacks on financial institutions will become more frequent and more vicious. In response to this trend, financial data security standards have no choice but to evolve as well. This is why secure authentication has become one of the cybersecurity standards in recent years. 2FA service providers now cater to banking cyber security standards specifically. Protectimus is one such 2-factor authentication provider; our financial security solutions are fine-tuned, affordable and easily applied. Today we will look closely into which financial cyber attacks Protectimus MFA can protect from and how exactly we achieve the best results in this endeavour.

From what dangers does 2-factor authentication protect financial organizations

The vast majority of financial services cyber attacks start with compromised (stolen) login credentials. The bad news is that there are numerous ways to steal credentials:
- phishing, vishing, smishing, pharming
- brute force attacks
- keyloggers
- social engineering
- man in the middle attacks
and many more. The good news is that if you add two-factor authentication to your website login, you eliminate these threats.

| Read also: The Most Common Ways of Credit Card Fraud

Why one password isn't enough

We now know that the famous Yahoo hack back in 2013 affected an astonishing 3 billion accounts. The more recent Marriott data breach is estimated to have jeopardized about 500 million accounts. These numbers look terrifying, but they are a fact of the times. So much so that an FBI agent who investigates cyber attacks told the Wall Street Journal that every US citizen can expect that their personally identifiable data (all of it) has already been stolen and sold on the dark web. Yet "12345", "test1" and "password" are still the most used passwords; one password is reused on average 13 times by employees; and stolen and reused credentials produced 80% of data breaches in 2019. Terrifying, isn't it? These are the reasons why information security in the banking and financial industry has to be taken more seriously. A simple and easily stolen user password is by far not enough to create any semblance of financial cyber security. That's why we must insist: 2FA adds the much needed second layer to financial data security and has to be implemented by every financial service.

| Read also: How to Choose and Use Strong Passwords

Why Financial Services Choose Protectimus's 2FA Solution

There are quite a number of financial institutions among Protectimus clients, so we have had the opportunity to deeply understand the industry's needs and fine-tune our solutions to cyber security in banking as well as to other types of financial cryptography and data security. The Protectimus MFA solution will protect both end-user accounts and the corporate infrastructure. We believe finance and cyber security have to go hand in hand, so we developed a feature for protecting transactions specifically (CWYS or Confirm What You...
Sophos 2FA with Hardware OTP Tokens

Sophos solutions allow reinforcing Sophos 2FA (two-factor authentication) with Protectimus OTP hardware tokens in one of two ways:
- Enabling the 'Auto-create OTP tokens for users' feature. This automatic method allows using our programmable Slim NFC token instead of the standard application for multi-factor authentication.
- Disabling the 'Auto-create OTP tokens for users' feature. This manual method allows adding the classic TOTP tokens Protectimus Two or Protectimus Crystal to generate the Sophos one-time password.
Both methods have their advantages, but the second one is a bit more lucrative. Today we will provide you with a guide on how to implement each of the two methods for your Sophos 2-factor authentication and answer the most common questions on Protectimus OTP tokens for Sophos client authentication.

Definitions

Let's give a couple of definitions for a better understanding of what comes next, so you won't have to google "What is OTP?" or "What is a token?" First things first: OTP stands for One Time Password. Once generated, one OTP is valid only for one single transaction. Now let's move to the more complicated matters.
- OTP secret: a completely unique 128-bit encryption key, used for password creation. Each user has his or her own secret.
- OTP code: a time-limited one-time code, usually consisting of 6 digits, which is attached to the user password to allow authentication.
- OTP token: an object that assembles each of the necessary authentication elements (User, OTP secret, OTP pass).

| Read also: How does 2-factor authentication work?

How to Enable Automatic Creation of OTP tokens in Sophos

Note: To configure the programmable hardware token Protectimus Slim NFC you'll need an Android smartphone with NFC support.

Virtually every Sophos product comes with this option (Sophos UTM, Sophos Central, Sophos XG Firewall and others). For example, Sophos Central 2FA can be done via SMS or a 2FA application, which allows switching to our Slim NFC hardware token, and thus raising the Sophos 2FA security level to the highest. Let's see the steps to enable this option.

1. Go to the One-Time Password tab. To do this, go to the Settings section at Configure > Authentication > One-Time Password.
2. Enable the Auto-create OTP tokens feature. To permit the OTP and Auto-create tokens features, simply switch both buttons to 'on'; don't forget the 'Apply' button at the bottom.
3. Get the QR code with the secret key. Go to the user login page at Sophos. Since we've turned the auto-create option on, the login page now offers a QR code.
4. Configure Slim NFC for Sophos multi-factor authentication.
4.1. Download and launch the Protectimus TOTP Burner application (available for Android only).
4.2. Turn on NFC.
4.3. Open the Protectimus TOTP Burner app and click on 'Burn the seed'.
4.4. Scan the QR code with the secret key using your Burner app.
4.5. As soon as the QR code is finished scanning, turn on your Slim NFC token. Hold the hardware device within range of your phone's NFC antenna, click "Continue" and wait for the confirmation message. Now your 2FA hardware token is ready to become your Sophos 2FA authenticator.
5. Log in by combining your user password with the OTP. Return to the User Portal and log in by combining your user password with your Sophos OTP generated using the Protectimus Slim NFC token. The...
2FA Chatbots vs. SMS Authentication

In this article, we'll explain what a bot for two-factor authentication is and how 2FA chatbots (two-factor authentication with messaging service chatbots) work. We'll look at the pros and cons of this one-time password delivery method and figure out which is best: 2FA bots or SMS authentication.

Table of contents:
- How did the Protectimus Bot token come to be?
- How does two-factor authentication with chatbots work?
- 2FA Chatbots: the pros and cons
- SMS authentication: pros and cons
- In summary: 3 reasons to stop using SMS authentication and start using 2FA chatbots

How did the Protectimus Bot token come to be?

One of our clients (a payment system with 2,000,000 active users) was spending about $30,000 per month on SMS delivery. They were using SMS to send out one-time passwords and system notifications (withdrawal and deposit notifications, informational messages, etc.). This client gave us the task of developing a one-time password delivery method that would be just as convenient for end-users as SMS authentication, but more secure and less expensive. The solution we came up with while looking for SMS two-factor authentication alternatives is using 2FA chatbots on messaging services. Additionally, the Protectimus 2FA chatbots can be used to deliver both one-time passwords and notifications of any kind. Now, our client is saving about $20,000 per month that they used to spend on SMS messages. 2FA chatbots in instant messaging apps solve the majority of problems associated with SMS authentication: first, it's more secure; second, it's FREE! What's more, chatbots are virtually just as easy to use as SMS.

How does two-factor authentication with chatbots work?

Currently, the ProtectimusBot chatbot is available on three messaging services: Facebook Messenger, Telegram and Viber. Practically every smartphone user already has at least one of these free messaging apps installed. When a user enables two-factor authentication via Messenger, Telegram or Viber, they:
1. Choose one of the messaging services listed and find the ProtectimusBot on it.
2. Request their unique ID using the /getid command.
3. Input the ID they receive into the system they wish to protect.
Then, the Protectimus two-factor authentication service will create a token and send it to the user via the 2FA chatbot. The user confirms that they received the one-time password by inputting it into the appropriate field. This also completes the token issuing process. After that, all one-time passwords and messages from the service will be sent through the 2FA chatbot. Two-factor authentication using chatbots in messaging apps for Android and iOS is free for both our clients and their end-users. You'll find an example of how the Protectimus Bot token is issued in the video below.

https://youtu.be/gvFl2AQqz94

Let's look into the technical side. The chatbot-based software OTP token supports all two-factor authentication algorithms: HOTP, TOTP, and OCRA. Because of this, the ProtectimusBot 2FA chatbots also support CWYS (Confirm What You See) data signing functionality. Data signing involves generating a one-time password based on data from the operation the user is performing; for example, transaction data can be used: the amount, currency, recipient, time, etc. This feature is indispensable for payment systems and banks. It's impossible to use a one-time password generated on the basis of such unique data to sign an illicit transaction, even if an attacker intercepts the OTP. Currently, only four Protectimus tokens...
How to Protect Yourself From Email Hacking

We have almost stopped writing paper letters, those on crisp brand-new sheets. The lion's share of correspondence is now sent via email. And often it is not even personal correspondence: for personal purposes, we have various messengers and can have an interactive dialogue. Usually, emails are used for sending business letters, which contain sensitive information. Thus, email data protection is extremely important and you should know how to protect yourself from email hacking.

Forewarned Is Forearmed: How Email Hacking Is Usually Performed

By the phone number. If your phone number is connected to your email account, and a hacker knows it, the following scheme can be used. The hacker contacts the mail service to reset the password and specifies the real user's phone number. The mail service sends a code to this phone number to confirm the password change. The hacker, in turn, sends an SMS as if on behalf of the mail service, requesting that the user reply with this code. If the account owner does not notice the difference between the addresses of the two SMS senders, the hacker will get the one-time password and use it for their own purposes.

Using a Trojan virus. One of the most convenient ways of email hacking is to install a Trojan on the victim's computer. The malware is usually sent in the form of a link in an email. The only difficulty is to convince a user to follow this link. Since only the most naive people now fall for the freebies that were so popular previously, the cyber criminals had to change their attack style. Now, the virus-infected email may look like a letter from a bank or internet provider: with seals, logos, and an offer to download a file with new rules or to install a client-bank software system. Trojans are constantly being improved. Unfortunately, antivirus software cannot detect all of them.

By getting physical access to the victim's computer. Having an opportunity to be alone with the victim's computer, even for a short time, the hacker can install a keylogger or a password recovery program. In the first case, special keylogger hardware or software will record everything the user is typing (including passwords), and then the logs are emailed to the hacker's address. With the help of password recovery tools (which generally are not detected by antiviruses), the ready-made data can be obtained immediately. There is a simpler version of email hacking, even without special programs: just copy the cookies directory and analyze it with a password search tool. However, this can only work if passwords are stored in the browser. And this is exactly what the vast majority of users do.

Using social engineering. The hacking of CIA director Brennan's email account has become one of the most clamorous recent scandals. It is surprising that the email of the head of the intelligence agency was hacked by a teenager who had no deep technical knowledge. The young hacker contacted the mobile operator, introduced himself as a technical support employee and found out all of Brennan's personal information he needed. Then he called the email service's customer support on behalf of the account owner and asked for password recovery. Since the necessary information (account number, phone number, PIN code, etc.) had already been received...
How to Secure Bitcoin Wallet

A couple of years ago Bitcoin made quite a stir all across the mainstream media when its price skyrocketed. People who had never even heard about blockchain, cryptocurrencies or a Bitcoin wallet suddenly started looking into buying some. That's when more and more horror stories from people who lost all their assets due to a lost password or stolen keys started to appear in the common press, like the Guardian. Though we've all been reading such horror stories on Reddit for years before that. I remember reading this article back then; the guy described in every excruciating detail how he forgot his PIN and tried to get access to his money for almost a year. I clearly remember thinking when I finished reading: "I wouldn't want to live through something like that". Yes, investing in a bit of cryptocurrency seems to make sense, but the risk is too high; it's too easy to lose all my investment. Or is it? Luckily, I have done the research and know precisely how to protect my investments. And today I'm going to share that knowledge with you. Read on to find out how a BTC wallet works, what Bitcoin wallet types are available, and most importantly, how to secure a Bitcoin wallet to get yourself a safe wallet and thus never have to publish your own horror story on Reddit.

Here is a table of contents for your convenience:
How does a Bitcoin wallet work
What are the types of cryptocurrency wallets
Hot cryptocurrency wallets
1. Web wallets / online wallets / cryptocurrency exchanges
2. Mobile wallets
3. Desktop wallets & Bitcoin clients
Cold cryptocurrency wallets
1. Paper wallets
2. Hardware wallets
How to protect a hot cryptocurrency wallet
1. Keep only a small amount of Bitcoins in your wallet
2. Use two-factor authentication
3. Encrypt your wallet
4. Backup your wallet!
5. Keep your Bitcoin software up to date but turn off auto-updates
6. Use multi-signature to protect against theft
7. Think about the future
8. A few more security tips
How to protect a cold cryptocurrency wallet
Final word

How does a Bitcoin wallet work

For the purpose of not making this post as long as the Song of Ice and Fire saga, we assume that you already have an understanding of blockchain, Bitcoin and how it works. Now, let's take a look at a cryptocurrency wallet. Unlike a physical purse, it does not actually store any coins. All the cryptocurrency is recorded in the blockchain, which in turn is replicated on thousands of node computers across the world. What the wallet does contain are the Bitcoin address, public key and private key, which combined create permission for the wallet's owner to use the coins associated with it. Every Bitcoin address is unique; there are no two identical addresses. It looks like a string of random characters (both numerical and alphabetical, upper and lower case). Think of the Bitcoin address as a bank account number. Just like you'd do with a bank account, if you want someone to pay you, you simply give them a wallet receiving address. One Bitcoin wallet can have an unlimited number of receiving addresses, generated by the public key assigned to it. The public and private keys are...
Keylogger Definition, Detection, and Protection

There are hundreds, if not thousands, of types of malware spread online. Out of them all, keyloggers can legitimately be considered the worst. We are not being dramatic here. If you get infected with a keylogger virus you basically show the hackers everything typed on the keyboard. Passwords, credit card credentials, messages, everything you search for: all of it gets exposed and easily stolen. Read on to learn:
- the keystroke logging definition,
- the types of this malware you can come across,
- how keylogger software is spread,
- ways to check for a keylogger,
- ways to protect yourself from all the types of keyloggers and spyware.

Keylogger definition

A key logger or keystroke logger, also called a system monitor, is a perfectly legal surveillance technology. When installed with your own hands on your own computer or smartphone, that is. Corporations commonly use this tool to track and troubleshoot tech issues and surreptitiously monitor their employees. Parents can use this software to monitor the ways their kids use the Internet too. There are known episodes when governments used the technology to collect and analyse info for crime solving. So what is keystroke logging? As the name suggests, keylogging is the process of recording every key pressed on a keyboard (both desktop and mobile). Keystroke logging technology allows gathering info on login credentials, web browsing, basically everything that involves typing, and then sending the collected info, often encrypted, to a server, where it can be decrypted and read.

| Read also: How Does Brute Force Attack Work

Types of keyloggers

There are two ways to divide all keyloggers into types. The first takes into consideration the way the recording is performed. With this approach, all keylogging can roughly be divided into the following types:
- Form-grabbing
- Memory-injection
- API-based
- Kernel-based
- Hypervisor-based
The second approach divides them into software and hardware ones, and it's much easier to understand.

Hardware keyloggers

As the name suggests, hardware keyloggers are physical devices. These devices can be either inconspicuous-looking plug-in types that are inserted into the keyboard port, or modules embedded into the keyboard or the internal computer hardware. Either way, the criminals have to gain access to the victim's computer to plant the device, and again to collect it and read the info later, since most of these devices do not transmit the gathered information back to the hackers.

Software keyloggers

Software keylogging is much easier to do. There's no need to install a physical device, so no need to break into an actual office or home. All the criminals have to do is infect the victim's computer, which is much more easily done than you might think. Unlike a lot of other malware, keylogging software is not harmful to the infected systems. Its whole point is to stay hidden, operate under the radar and silently and continuously send logs of every action done with the keyboard back to the hacker. The most commonly used software keylogger is memory-injection software. This is essentially a Trojan altering the system memory to bypass security. Another popular kind records every form submitted online from the infected computer. So if you submit a form to create, say, a bank account, the hacker will know every piece of data you submitted.

| Read also: Social Engineering: What It Is and Why It Works...
How Does Brute Force Attack Work

A brute force attack is one of the oldest hacking methods, yet still one of the most popular and most successful. With computers and technologies evolving as fast as they are, brute force attacking is now fairly easy to run and more difficult to protect against.

Brute force attack definition

So, what is brute force exactly? A brute force definition can be given as such: it is a type of cryptanalytic attack that uses a simple trial-and-error, or guessing, method. In other words, a criminal gains access to a user's account by guessing the login credentials. Sometimes brute force attacks are still done by hand, meaning that there's an actual person sitting in some basement and playing a guessing game with your credentials. But more often than not these days, the hackers use a brute force algorithm, or brute force password cracker, which is basically a bot that submits endless variations of username/password combinations and notifies the hacker when it gets in.

What is a brute force attack, with examples

Brute force has been around ever since coding was invented. Naturally, the public has been informed about some high-profile attacks over the years, though we can safely assume we do not know about a lot of the past and ongoing break-ins. The most well-known brute force examples are: the 2016 Alibaba attack, when millions of accounts were affected; the 2018 Magento break-in that resulted in a thousand admin panels compromised; another rather recent example occurred in Northern Ireland, where several accounts of parliament members were compromised; and our favorite: in early 2018 it turned out that the Firefox master password is very easy to crack with brute force, which means millions of user accounts might have been compromised over the years it has been widely used.

So, how does a brute force attack work exactly?

As we've already established, brute force hacking implies that someone is trying numerous combinations of username and password, again and again, and again, until they gain the desired access. So let's say a username is as simple as "admin" and doesn't take too much effort to guess (we bet that's the first one any hacker tries). The password is a whole other story. Usually, a password requires at least 8 alphanumeric characters. There are 26 letters, so if the password is lowercase and letters only (which it rarely is), that makes 26 possibilities for one character of the password. We can double that, because most passwords are case-sensitive. So that makes 52 possibilities for one character of a password. Add to that 10 digits and, for example, 5 special characters, and you get 67, which roughly makes 406 trillion combinations for the whole 8-character alphanumeric password.

| Read also: How to Choose and Use Strong Passwords

How fast can a password be cracked

How long does a brute force attack take? We have 406 trillion combinations. Seems like it will take centuries to crack, right? The answer is yes, if the bot attempts a thousand combinations per second. But the technologies evolve, remember? So, taking that into consideration, how fast can a random password be cracked? There are computers that can do a hundred billion guesses per second and get the correct password in a few hours. There are even super...
SMS Authentication: All Pros and Cons Explained

It's delightful to see that more and more websites, apps and services employ MFA and even make this type of log-in protection a mandatory feature. What makes us a bit concerned is that a huge portion of those websites still opt for SMS 2FA, despite the fact that SMS verification has too many limitations and has been proven to be a lot less secure than any other two-factor authentication method. In fact, NIST (the National Institute of Standards and Technology) issued a recommendation to replace SMS authentication with other types of MFA back in 2016. We do believe that SMS protection is way better than no protection at all. But is SMS secure? If it's not, why do so many companies continue to use it? Is SMS two-factor authentication really as evil as they say it is? What can it be replaced with? Let's find out!

SMS Authentication Pros

- SMS two-factor authentication is still alive and thriving partly because of SMS ubiquity. It is a standard feature of most mobile plans from basically every mobile operator all over the world. Even if a user has no smartphone, they most probably have a simple mobile phone, which supports SMS.
- It is easy. There's no need to download any apps, scan any QR codes, etc. SMS has been around for quite a while (the first SMS was sent back in 1992); even my grandmother knows how to use it, and she's 90. So if you've got a non-tech-savvy user you can bet they will be able to use an SMS authentication code, while a more advanced MFA type might become an issue.
- Finally, if someone tries to breach your account, an SMS code will be delivered no matter what. Some MFA apps, for instance, might malfunction in this scenario if there's no Internet access. And with a two-factor authentication SMS you'll know for sure something's not right. Unless, of course, it's a spoof SMS, or you are not the one receiving the verification password. And that's where we come to the cons of SMS MFA.

SMS Authentication Cons

- As a number of infamous data breach scandals have shown over the last couple of years, breaking into an SMS-protected account is not that hard for an average crook, and very easy for a well-equipped and motivated one. The well-known Twitter break-in was done by impersonating the victim and convincing the provider company to transfer the victim's text messages to the perpetrator's SIM card. This is rather easy to do, especially if the criminals know some other bit of information about you, your social security number for example.
- A similar way to intercept your SMS one-time passwords is again by impersonating you, but this time requesting your telecom service provider to transfer the service to a different carrier. The criminals simply set up with another provider and carry on with their crime.
- Most SMS-based MFA systems offer a recovery option in case a user loses their phone or changes the number. If the hacker has access to your email they can reset the 2FA system, use a fake phone number for verification and you won't even notice until it's too late.
- If you are still wondering how secure SMS is, just consider the following. All the telecom infrastructure around the world relies on...