Criminals find a way with 2FA and this is not news
Twitter has come under fire for making SMS two-factor authentication a perk of its paid Blue accounts, just as the technology’s standing as a security tool has come into question after its vulnerabilities were exposed.
SMS messaging was never invented as a security tool, writes Rick Findlay in Reclaim The Net. Developers used it as a makeshift solution to a problem, and since then online businesses have sent users security codes over it to access their most important accounts.
As evidence of its shortcomings has emerged, SMS two-factor authentication is slowly being phased out. “News of Twitter starting to only make the feature available to has brought the vulnerable technology back into the public conversation,” said Findlay.
Too late to the 2-step party
Twitter users trying to secure their accounts using text message codes will no longer be able to do so after March 19 unless they subscribe to Twitter Blue. “Twitter is likely making the change because the company is trying to cut costs and it actually costs the company money to send text messages and the feature is insecure anyway,” said Findlay.
SMS-based two-factor authentication (2FA) is less secure than other forms of 2FA because it is vulnerable to a number of attacks, with SIM swaps, social engineering, interception and phone theft offering criminals at least four modi operandi to choose from.
SIM swaps
In a SIM swap attack, a hacker impersonates a victim and convinces the victim’s mobile carrier to transfer the victim’s phone number to a SIM card controlled by the hacker. Once the hacker has control of the phone number, they can intercept SMS-based 2FA codes sent to the victim’s phone and use them to gain access to the victim’s accounts. Even Twitter CEO Jack Dorsey was once hacked using this method.
Social engineering
Attackers can use social engineering tactics to trick victims into revealing their SMS-based 2FA codes. An attacker might send a phishing email or text message that appears to be from a legitimate source and ask the victim to enter their 2FA code.
Interception
SMS messages are not end-to-end encrypted, so they can be intercepted and read by anyone who has access to the mobile network. This means that an attacker could potentially intercept the 2FA code and use it to gain access to the victim’s accounts.
Phone theft
If a victim’s phone is stolen, an attacker may be able to access their accounts if the phone is not secured with a passcode or other security measures, since the codes arrive on the stolen device.
Because of these vulnerabilities, SMS-based 2FA has never been considered a secure form of 2FA. More secure alternatives include time-based one-time passwords (TOTP) generated by an authenticator app or hardware-based security keys like YubiKeys.