Blog Feed

PayPal Two-Factor Authentication with Hardware Security Key

Posted by on 14:25 in Protectimus Products, Setup Guides | 2 comments

PayPal two-factor authentication became available to users back in 2007. Anyone wishing to protect their PayPal login could order a $5 security token directly from their account. Unfortunately, the company later discontinued its own hardware tokens in favor of SMS-based authentication, weakening PayPal security considerably. But the situation with PayPal two-factor authentication is changing once again, this time for the better: since 2018, you can use MFA applications (Google Authenticator, Protectimus Smart, etc.) to log into PayPal. Because MFA apps are supported, it is also possible to use hardware security keys again. There is just one catch: only programmable tokens will work for PayPal two-factor authentication.

How do I enable PayPal 2FA?

Step 1. To activate two-factor authentication in PayPal, sign in to your account and navigate to the settings menu.

Step 2. Choose the Security tab.

Step 3. In the “2-step verification” section, click Set Up.

Step 4. At this point, you’ll need to choose one of the available two-factor authentication methods: SMS or MFA application. Programmable hardware tokens are linked with PayPal as MFA applications.

SMS. When you choose SMS authentication, you’ll need to provide a real phone number. You’ll instantly receive a message containing a PayPal security code to confirm that the number is correct. We don’t recommend using SMS if you’re able to set up a 2FA app instead or order a hardware token for use with PayPal.

2FA app. Choose this option if you want to link an in-app PayPal authenticator or the Protectimus Slim NFC programmable PayPal security key.

Step 5. If you haven’t already installed a one-time password generator app, install the free Protectimus SMART OTP app or any other 2-factor authentication app. If you want to use a hardware security token, you’ll need to have one already at this point. It must be a programmable TOTP token, such as Protectimus Slim NFC or a similar one.

The process of linking a programmable hardware token to PayPal is no different from linking a two-factor authentication app. To set up the token, you’ll need an Android smartphone that supports NFC. At this point, you’ll see a QR code containing the secret key. Scan this secret key with a two-factor authentication app, or with the Protectimus TOTP Burner app if you’re linking a Protectimus Slim NFC hardware PayPal security key. If you aren’t able to scan the QR code, you can enter the secret key manually. You’ll find detailed instructions for programming the secret key into the Protectimus Slim NFC token here.

Step 6. To finish setting up PayPal 2-factor authentication, generate a one-time password with your token and enter it in the provided field.

Step 7. Create a backup token. If you lose access to your current token, you can restore access to PayPal with your backup token. Remember that if you choose SMS authentication as a backup, your PayPal account login will be less secure, even if you linked a hardware security key in the previous step. The best option is to use a hardware token as your main means of authentication and a 2FA PayPal app as a backup, or the other way around.

Read also: How to Backup Google Authenticator or Transfer It to a New Phone

What’s the best option...

How to Get Protected from RFID Credit Card Fraud

Posted by on 15:03 in Industry News | 0 comments

Remote theft of money from bank cards embedded with RFID chips, also called RFID credit card fraud, is quite common in all countries where people use RFID cards, especially in the US and Europe. Let’s try to figure out how this happens and what you should do to protect yourself from such attacks.

RFID technology simplifies cashless payments and is used by the international payment systems MasterCard (PayPass) and Visa (PayWave). The convenience of such cards is that when making a purchase for an amount not exceeding a bank-specified limit (in the EU, 25 euros; in the U.S., $15; in the U.K., 20 pounds; in Russia, 1000 rubles), the owner doesn’t have to enter the PIN code or sign the receipt.

The crooks’ scenario is similar to that of car hijackers. Their task is to get close, wait for the right moment and seize the necessary data promptly, whether it’s an intercepted signal of an electronic lock or the data for RFID credit card fraud. To steal money from bank cards remotely, the crooks use improvised contactless readers, which work like a PoS terminal (a legitimate RFID reader) but are much more functional. To obtain the necessary information, the attacker needs to bring this reader within 5–20 centimeters of the card. The data obtained this way is either saved or transferred to counterfeit cards for future use. Even if the card with an RFID chip is PIN-protected, its number and expiration date are enough for illegal transactions or even for creating a counterfeit magnetic stripe card.

Consequently, even if your wallet with credit cards is securely hidden from prying eyes and hands deep in a pocket or handbag, you can still ‘get robbed’ on public transport, in a street crowd, or even at a supermarket checkout. Any owner of a card with contactless payment technology can be attacked.

Read also: The Most Common Ways of Credit Card Fraud

How to get protected against RFID credit card fraud?

There are not many ways to protect yourself from RFID credit card fraud. Data protection experts advise using special bags and wallets with shielding. It is also possible to complicate the attacker’s task by keeping several credit cards in one place. Moreover, a few years ago the clothing manufacturer Betabrand and the antivirus company Symantec cooperated to design jeans and blazers with pockets made of a special silver RFID-blocking material that prevents the scanner’s signal from passing through. Ready Jeans, with front and back left pockets ‘under Norton protection’, cost $168 and enjoy great popularity in the U.S. The Work-It jacket, at $198, is a little less popular than the jeans, but only because jeans are a more common garment than an expensive blazer.

It’s sad that even using all the above-mentioned costly data protection methods and complying with all safety rules, we cannot fully protect ourselves from phishing, online skimming, social engineering, MITM attacks, etc. Thus, as a two-factor authentication provider, we also advise you to always be cautious and careful, and to turn on two-factor authentication in advance for every online banking service you use. Using 2FA...

Time Drift in TOTP Hardware Tokens Explained and Solved

Posted by on 19:03 in Engineering, Industry News, Protectimus Products, R&D | 0 comments

Multi-factor authentication with a Time-based One-Time Password (TOTP) generated by a physical device is, without any doubt, the most robust approach to safeguarding sensitive data and securing access to your invaluable accounts. But being physical objects with no internet connection gives physical TOTP tokens both their main strength and their major drawback. Without any connection to the network, the tokens’ internal clocks inevitably start drifting, and within a few years this clock drift can become a major issue. In this post, we will look into the time drift problem of TOTP hardware tokens in detail, see exactly why and how this issue occurs, describe how TOTP works and show how we finally solved the time synchronization problem in the latest generation of Protectimus Slim NFC tokens.

How does the TOTP algorithm work?

As mentioned above, TOTP is an abbreviation of Time-based One-Time Password. It is a standardized cryptographic algorithm for generating unique one-time passwords that remain valid for only 30 seconds. The TOTP algorithm is a branch of HOTP, the HMAC-based one-time password algorithm, so to understand TOTP it makes sense to understand HOTP first.

What is the difference between TOTP and HOTP? TOTP one-time passwords are valid for only 30 seconds. HOTP one-time passwords, in turn, remain valid until the server receives a new one-time password verification request. The TOTP algorithm is a much more secure version of the HOTP algorithm.

HOTP

HOTP is the parent OATH one-time password generation algorithm. It generates a one-time verification code by mixing a secret key (a shared value) with a counter (a moving factor, the variable). The counter is the number of OTP generation events. Every time a new one-time password is created, the number of events increases by one, and this monotonically increasing value is used as the variable in the HOTP algorithm. The secret key is the string of symbols shared by the authenticating server and the device on the user’s end (the 2FA token). The HOTP algorithm hashes the input data (the secret key and the current counter value), then truncates the resulting hash to 6 or 8 characters, and the result is the one-time password shown on the OATH token.

TOTP

The TOTP algorithm works exactly like HOTP but, in its turn, takes its moving factor from the current time interval. In other words, the TOTP algorithm generates one-time passcodes by mixing a secret key (a shared value) with the current time interval (a moving factor, the variable). Therefore, it is very important that the current time on the server and on the token match.

Read also: One-Time Passwords: Generation Algorithms and Overview of the Main Types of Tokens

How do TOTP tokens work?

All existing multi-factor authentication tokens can be roughly split into two types: software tokens, which use the user’s phone to generate or receive one-time passwords (authentication apps, chatbots, etc.), and hardware tokens (reprogrammable or classic hardware OTP tokens). The TOTP algorithm itself can be used in any of these types of MFA tokens, but there is a slight difference in their setup. Let’s dig deeper into this rather complex process.

The TOTP token enrollment

First of all, the user...

Two-factor authentication for Windows 7, 8, 10, 11

Posted by on 12:29 in Protectimus Products, R&D, Setup Guides | 0 comments

Since Windows is one of the most widely used systems, especially among businesses, it makes sense to protect it thoroughly. Protectimus offers excellent two-factor authentication software for Windows 7, 8, 8.1, 10 and 11. In this article, we will look into how it works and how to set it up, and we will address the most common questions about our two-factor authentication for Windows login.

How does two-factor authentication for Windows login work

Two-factor authentication for Windows login is rather simple. The process consists of two successive login steps, just as the name suggests. First, the user signs in with their usual Windows credentials (their regular username and password). Second, the user enters a one-time password (OTP). This password is valid for only 30–60 seconds and can be delivered or generated in a number of ways; the user chooses which they prefer: a chatbot message, a 2FA app, email, SMS or one of our hardware security tokens.

Windows 7 two-factor authentication ensures there is minimal to no risk of the Windows user account being breached if the user’s regular password is compromised. In that unfortunate case, the criminals would also have to get access to the user’s email, phone or hardware token, which is much harder to accomplish. Conversely, if the phone or OTP token is compromised, the attacker still has to guess the password. Besides, each one-time password generated by your two-factor authentication token can be used only once and is time-sensitive: the generated code simply expires within 30–60 seconds and is no longer usable, which makes it almost impossible to intercept the code and use it for unauthorized access to the protected Windows account.

Read also: 10 Windows Computer Safety Tips

How to set up two-factor authentication for Windows 7, 8, 10, 11

It is very easy and fast to set up the Protectimus two-factor authentication solution for Windows and have your Windows 7, 8, 8.1, 10 or 11 thoroughly protected from unauthorized access; the whole process usually takes less than 15 minutes. This Windows two-factor authentication software is designed for both individual and business users, so it is very easy to set up. The setup can be done by any user without involving an admin with special skills.

1. Create an account in the Protectimus Service. Fill out the registration form and create your Protectimus 2FA service account.

2. Activate a Service Plan. Choose a service plan and make sure to activate it, even if it’s the Free service plan. The API won’t function unless a service plan is activated. It can be deactivated at any time.

3. Create a Resource. To group and easily manage users and tokens, we use Resources. So the first step to actually start using Protectimus MFA for your Windows is to create a Resource, which is done by clicking a single button and giving the Resource a name.

4. Enable Automatic Registration of Users and Tokens. Once a Resource is created, switch on automatic registration of Users and Tokens. When automatic registration of Users and Tokens is enabled, your users will enroll their tokens themselves during their first login to the Windows account after you install the...

Electronic Visit Verification with Hardware Tokens

Posted by on 17:28 in Protectimus Products, R&D | 1 comment

The Protectimus multifactor authentication solution is an ingenious, versatile system that can be used in many ways, from helping developers implement two-factor authentication in their apps and services to protecting an end user’s Office 365 account with hardware tokens. Our team made the Protectimus system truly versatile: it can be customized to create even the most unconventional solutions to fit our clients’ needs. In this article, we describe in detail one such unconventional solution we created on the basis of Protectimus multifactor authentication: an electronic visit verification system. You will learn what electronic visit verification actually is, where it is used and how the EVV solution from Protectimus works.

What Is Electronic Visit Verification?

Simply put, EVV is an automated solution for home care workers that collects information on the time of attendance and all the necessary details of the care plan. Electronic visit verification software gives care services such as Home Health, Home Care and Hospices an easy and sustainable way of verifying visit activity (type of home care service, individuals receiving and providing the service, date, exact time and location the service was provided at) and ensuring patients are never neglected, eliminating even the possibility of fraudulent home visit documents.

EVV is mandated by a number of states and recommended by those that do not mandate it. The system is widely used by most states and other payers, as it is a far more reliable and effective way of monitoring caregivers than any document signed by hand can be. And with the 21st Century CURES Act passed, it became a requirement for all homecare providers to have EVV adopted by 2023. EVV was invented back in the 90s; since then the technology has moved a long way ahead, so new ways of implementing EVV are currently in demand.

Read also: Why is healthcare data security so important?

How does the Protectimus electronic visit verification system work?

The time-based one-time password generation algorithm (TOTP) allows calculating the exact time at which the used passwords were generated. This feature is what made it possible for us to build one of the most user-friendly EVV solutions on the market. The Protectimus electronic visit verification system can be used with one of these hardware tokens: Protectimus Two, Protectimus Slim or Protectimus Crystal.

Here’s exactly how it all works. The homecare provider or facility delivers one of the above-mentioned hardware tokens to a patient’s home. When the appointed healthcare specialist comes for a visit, he or she needs to turn the token on, generate a one-time password and write down the provided code. Once the home visit is done, the healthcare worker needs to generate a second TOTP and write it down as well. These two one-time passwords then have to be passed on to the Protectimus electronic visit verification system. Doing so is very easy: the healthcare specialist simply calls a special number and enters the patient’s ID number and the two passwords generated during the home visit. The passwords can be sent to the EVV system in bulk for all the patients visited in a day by the end of that day, or the call can be made after each and every visit. After the Protectimus EVV system receives the passwords,...

LiteBit 2FA with a hardware token

Posted by on 16:39 in Protectimus Products, Setup Guides | 0 comments

LiteBit 2FA (two-factor authentication) is mandatory for its users. This cryptocurrency exchange pushes you to set up 2-factor authentication during registration, and it is impossible to skip this step. It is also impossible to disable two-factor authentication in LiteBit; you can only change one authentication method to another. Unfortunately, LiteBit 2FA offers only two options by default: SMS authentication or an authenticator app. Neither of these two-factor authentication methods can ensure maximum security. SMS authentication is vulnerable to SIM card replacement, smartphone viruses, and interception of one-time passwords by exploiting cellular network vulnerabilities. Authenticator apps are also vulnerable to smartphone viruses. Also, people often lose smartphones or have to reset their devices to factory default settings, which causes a lot of trouble with the recovery of all the authentication tokens enrolled in authentication apps.

We suggest choosing hardware tokens for LiteBit 2FA instead. Fortunately, there are Protectimus Slim NFC programmable hardware TOTP tokens. Protectimus Slim NFC is made to replace authenticator apps on all websites that don’t offer hardware OTP tokens by default.

All you need to connect a Protectimus Slim NFC token to your LiteBit account is an Android smartphone with NFC support and, of course, the token itself: download the Protectimus TOTP Burner application from Google Play, use this app to scan the QR code with the secret key, and program the hardware token with this secret key via NFC. But let’s describe how to set up LiteBit 2FA with the Protectimus Slim NFC hardware token in detail.

LiteBit 2FA with a hardware token Protectimus Slim NFC

1. Sign in to your account. To avoid phishing, make sure you use the right URL: https://www.litebit.eu/

2. Go to account settings.

3. Find the 2FA settings.

4. Click the button “Change your 2FA settings”.

5. Whether you use SMS authentication or an Authenticator app, you’ll need to change your authentication method to the other one. Our goal here is to initiate the enrollment of a new secret key for the Authenticator app. So: if you use SMS authentication, just change your LiteBit 2FA settings to Authenticator app; if you use an Authenticator app, first change your LiteBit 2FA settings to SMS, and then back to Authenticator app.

6. So, start changing your LiteBit two-factor authentication method to Authenticator app. Choose “Authenticator app”.

7. You’ll receive a 2FA code for SMS authentication deactivation via SMS. Enter it in the corresponding field.

8. You don’t need Google Authenticator, so just skip this step.

9. At last, you’ll see a QR code with the secret key. Use it to program the Protectimus Slim NFC token. Detailed instructions on programming the Protectimus Slim NFC token are available here.

10. After the token is programmed, you’ll need to enter the 2FA code from the token in the required field.

11. If everything has been done successfully, you’ll see a recovery code. This code will help you recover access to LiteBit if you ever lose your token. Save it very carefully; nobody else should ever get access to this code. Then click the “Complete” button.

That’s it. Please let us know if you have any questions in the comments or via...

How to Set Up 2-Factor Authentication on ICE3X

Posted by on 18:57 in Setup Guides | 0 comments

This guide explains three things: how to enable 2-factor authentication on ICE3X, how to disable two-factor authentication on ICE3X, and how to use the programmable hardware token Protectimus Slim NFC for 2-factor authentication on ICE3X.

How to turn on 2-factor authentication on ICE3X

1. Log in to your ICE3X account. To avoid phishing, make sure you use the right URL: https://ice3x.com/

2. Choose the Account section on the main page. Just click the corresponding icon in the upper right corner.

3. Go to the SETTINGS section. Note: If you haven’t enabled 2-factor authentication on ICE3X yet, you’ll see a notification with a quick link to the settings section. You can use it instead.

4. Go to “SECURITY” settings.

5. Enable 2-factor authentication.

6. You will see the QR code with the secret key (seed). Use it to enroll the token in your authentication app or to program the Protectimus Slim NFC token.

7. Enter the one-time password from your 2-factor authentication app or Protectimus Slim NFC token in the “2FA code” field.

Congratulations, your ICE3X account is protected now!

How to disable two-factor authentication on ICE3X

To disable 2-factor authentication, go to the security settings and click “Disable”. Enter the 2FA code from your current token.

How to add Protectimus Slim NFC to ICE3X

To enable 2-factor authentication with the Protectimus Slim NFC token: make sure that your Android smartphone supports NFC and download the Protectimus TOTP Burner application. Go to the ICE3X security settings. Click the “Enable” button to set up two-factor authentication. Use the QR code with the secret key to program Protectimus Slim NFC: scan the QR code with the Protectimus TOTP Burner app and write it to the hardware token via NFC. You’ll find more detailed instructions on programming Protectimus Slim NFC here. Submit the 2FA code from your hardware token in the corresponding field.

Note: If you want to add Protectimus Slim NFC for 2-factor authentication on ICE3X and you already have 2FA enabled, disable 2-factor authentication first.

That’s it. Please let us know if you have any questions in the comments or via email...

Keycloak Multi-Factor Authentication With Hardware Tokens

Posted by on 19:33 in Protectimus Products, R&D | 0 comments

Nowadays, when hackers constantly look for vulnerabilities while more and more aspects of life are being digitized, cybersecurity is of utmost importance, and every app developer has to pay special attention to access management. Keycloak is one of the most ingenious solutions created with app developers in mind. It provides an elegant and easy way to secure modern applications and services. Keycloak comes with easy-to-roll-out Multi-Factor Authentication (MFA) using one-time passwords (OTP). By default, Keycloak multi-factor authentication supports only time-based OTP (TOTP) delivered via an authenticator app. But for those who want to add an extra layer of security for their users, there is a perfect solution: the reprogrammable token Protectimus Slim NFC. This token is, basically, programmed to be used as a replacement for the mobile authentication app.

Below we provide detailed instructions on: how to configure Keycloak MFA; how your users will set up their Protectimus Slim NFC hardware Keycloak token; how to run Keycloak 2FA with other authentication methods (SMS, email, hardware tokens, chatbots).

Keycloak multi-factor authentication configuration

Configuring Keycloak multi-factor authentication is very easy and won’t take a lot of your time. Basically, all you need to do is require both your existing users and your new users to use one-time passwords.

Enforcing existing users: Go to your Keycloak admin area, find “Users” in the sidebar menu and select a user from your list. Then navigate to the “Details” tab and select “Configure OTP” in the “Required User Actions” section.

Enforcing new users: Select “Authentication” in the sidebar menu of the Keycloak admin area, then find the “Required action” tab and, in the top row (“Configure OTP”), check “Default action”.

Keycloak two-factor authentication with hardware tokens

To hook up Protectimus Slim NFC to Keycloak, the following OTP Policy settings have to be applied: SHA1, TOTP, a 30- or 60-second period. Find the “OTP Policy” tab in the “Authentication” section of the Keycloak admin area, adjust the required parameters as follows, and don’t forget to click the “Save” button.

Now your users will be able to follow these simple steps to add Protectimus Slim as the second factor when logging into your apps or services:

1. Download the Protectimus TOTP Burner application.

2. Launch our application, click “Burn the seed”, then select the “Scan the QR code” option.

3. After completing the usual login process with username and password, the user will have to set up the Mobile Authenticator. This is where they will get the QR code.

4. After the code has been scanned, the user needs to turn the token on, place it within the phone’s NFC antenna range and click “Continue”.

5. After the application shows the confirmation message, Protectimus Slim NFC can be used with your Keycloak-protected application or service via Keycloak multi-factor authentication.

Keycloak OTP via SMS, email, hard tokens, chatbots

Out of the box, Keycloak is an awesome solution for managing security and access. But integrating it with the Protectimus multifactor authentication service will expand your protection options, provide more features and make your apps and services truly bulletproof. With Protectimus you will be able to add any MFA method you wish: Keycloak two-factor authentication via email, hardware tokens with hardcoded keys (these are cheaper than the reprogrammable ones), Keycloak...

9 Must Follow Gmail Security Rules

Posted by on 21:39 in R&D | 0 comments

Gmail is perhaps the most used email service, through which people exchange terabytes of information daily. A typical account contains lots of personal details such as banking data, digital identities, passwords, trade agreements, etc. Unfortunately, despite the service’s popularity, positive reputation and the constant efforts of its creators, personal data is not protected enough. Besides the hidden security mechanisms that work automatically, there is an array of optional measures that must be activated manually. Nevertheless, most of the latter are unknown to or ignored by the majority of users. Often it does not even take a professional hacker to exploit Google Gmail security weaknesses; basic social engineering skills are enough. In this article, we will talk about how to secure your Gmail account by following 9 simple rules.

1. Set a Strong Password for Your Gmail Account and Change It Regularly

The first thing to keep in mind when coming up with a password for your Gmail account is to never use anything personal, such as dates of birth (or any other memorable dates), nicknames, names of pets, etc.; in general, anything that a person from your environment may know about you. It is better if it is a random set of letters (in varying case), numbers and special characters.

Read also: How to Choose and Use Strong Passwords

If you don’t want to bother inventing such a strong password, just use one of the many online generators. The newly created passwords can be stored in a dedicated password manager (for example, such as this one). If you want to change your account password right now, follow these steps: sign in to your Google account and open the homepage; go to the “Security” page and click “Password” in the “Signing in to Google” block; set a new password (you will need to enter the current password to confirm your identity first).

2. Turn On Two-Factor Authentication

Gmail two-factor authentication is a method that requires the user not only to carry out the standard authentication procedure (with credentials) but also to confirm their identity by entering a one-time code generated on their mobile phone by a special app, such as Google Authenticator or Protectimus Smart OTP. To enable Gmail 2-factor authentication (2FA), follow these steps: sign in to your Google account and open the homepage; go to the “Security” page and click “2-Step Verification” in the “Signing in to Google” block; click the “GET STARTED” button at the bottom of the page and enter the current password to confirm your identity; choose the desired 2-step verification option:

SMS or phone call authentication. You can link your phone number to the Google account and use SMS or phone call authentication.

Google Prompt. With Google Prompt you’ll only need to tap one button on your smartphone to sign in. Keep in mind that only smartphones that are already connected to the same account can be chosen to receive Google Prompt messages.

Security key. Security keys are hardware 2-step verification devices that support FIDO standards. Google offers 2 types of security keys: a USB Security Key and a Bluetooth Security Key. Google sells both devices in one bundle. You’ll need to buy the security key bundle for $50 first.

Google Authenticator or another 2FA app. Google Authenticator is...

4 Reasons Two-Factor Authentication Isn’t a Panacea

Posted by on 19:07 in Engineering, R&D | 0 comments

Two-factor authentication (2FA) is an indispensable cybersecurity measure used to protect data. Most modern information security standards, regardless of their area of application, such as PCI DSS, PSD2, HIPAA, etc., demand multifactor authentication (MFA) among other data protection methods. This approach mitigates the danger coming from such attack vectors as brute-force password cracking, keylogging, social engineering, phishing, and some kinds of man-in-the-middle attacks. Nevertheless, two-factor authentication is not a cure-all by itself. It is just a single component in a larger set of requirements for high-quality data protection. Taking care of data security means implementing a comprehensive plan of action. For example, this is clearly seen in the article 10 Steps to Eliminate Digital Security Risks in Fintech Project, where we analyzed the components needed to protect payment gateways from cyber threats. In the current article, we’ll unveil all the weaknesses of two-factor authentication you have to keep in mind when strengthening your security infrastructure with MFA. And, of course, we’ll discuss all possible solutions to these weaknesses.

1. SMS authentication is not secure

The US National Institute of Standards and Technology (NIST) long ago recommended that every company abandon SMS authentication as an insecure mechanism no longer suitable for strong authentication. But many companies worldwide still opt for SMS to deliver the one-time passwords in their 2FA infrastructures. And it was only three months ago that Reddit admitted this method to be not as effective and secure as the company had hoped. No doubt, SMS authentication is convenient for companies and users alike. But is it a reliable option? Unfortunately, no. Let us review the SMS authentication vulnerabilities.

SIM-card Replacement

In most cases, it wouldn’t be a hard task for a dedicated culprit to use a mobile operator’s SIM-card replacement service and take over a victim’s number. The information needed for this fraud can be found in public sources or bought on the dark web.

Network Protocol Vulnerabilities

The next potential risk hides in the cellular protocols, and in the fact that SMS exchange is not encrypted in any way. The security of SMS transport depends on the security of the cellular network. There are a number of vulnerabilities in consumer cellular networks, as well as methods of exploiting them; some of the most advanced ones do not even require costly hardware or specific skills. From this point of view, using SMS for security is rather dangerous. Moreover, since a usual SMS exchange is not encrypted in any way, an employee of a network center with the proper access can freely read all the messages, not to mention all the possible ways to intercept the radio transmissions.

Malware

There are tons of fraudulent programs aimed at stealing sensitive data, and mobile trojans intercepting SMS messages are nothing new. Infection is immediate; the consequences are dire. Malware that has ingrained itself into the device can play a variety of roles: intercept the entered login credentials and one-time passwords as well; track all sent and received messages; record voice calls; copy the SIM card parameters and contact information; provide capabilities for remote control; turn the device into a member of a botnet or a cryptocurrency mining agent, etc. The tech-savvy attacker has nearly unlimited opportunities, especially when it comes to making use...
