• Home
  • Blog
  • Products
    • Partner Subscription
    • Breach Prevention Platform
    • HIPAA Services
    • Dark Web Monitoring
    • In-Email Training & Email Analysis | Catch Phish Outlook Plug-In
  • Request a Demo
  • About Us
  • Contact Us

Call us at: 877-275-4545

Partner? Login here
Breach Secure Now!Breach Secure Now!
  • Home
  • Blog
  • Products
    • Partner Subscription
    • Breach Prevention Platform
    • HIPAA Services
    • Dark Web Monitoring
    • In-Email Training & Email Analysis | Catch Phish Outlook Plug-In
  • Request a Demo
  • About Us
  • Contact Us

Phone-Based 2FA: Not so Secure After All

August 3, 2018 Posted by Art Gross Data Breach, Security No Comments

In a time where data breaches have become the norm, there is no such thing as exercising too much caution when it comes to protecting your online assets, including your login credentials and access to accounts. Two-factor authentication (2FA), a method of confirming a user’s identity via combining two factors is widely accepted and recommended by security experts as a necessity for optimum security online. 2FA is a great added security feature to protect your account because an unauthorized individual is unlikely to supply the factors required to successfully gain access. However, the type of authentication you select can either help protect you or do just the opposite.

Two-Factor Authentication (2FA)

2FA may be accomplished by entering a one-time password (OTP) that is sent to or generated by a user’s mobile phone or could be in the form of a cryptographic token that is sent to the user through a security key attached to the device attempting to log in.

It has become rather clear in recent years that OTPs sent through SMS messages are not secure. In fact, even Congress has noticed the vulnerabilities associated with the delivery of OTPs, which is done through Signaling System Seven (SS7). SS7 is used by wireless carriers globally to ensure their networks interoperate. While the functionality of SS7 is meant to provide quality service with uninterrupted phone calls, country to country messaging, etc., the same system can be used maliciously to eavesdrop, geographically track, and hack individuals.

Despite many security professionals advising against phone-based authentication, many individuals and organizations continue to operate using this method for 2FA. Unfortunately, some of those organizations are learning the hard way that phone-based authentication really is a vulnerability waiting to be exploited.

Reddit Breach – Employees Did Have 2FA enabled

Reddit recently learned the security flaws of phone-based 2FA when some employee accounts were breached as a result of the type of authentication they were using for their 2FA, which was SMS-based (using the OTP method).

On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
-Reddit

The hackers that broke into Reddit’s systems got away with some current email addresses and accessed a 2007 backup database, which contained old login credentials. While that may not sound like much, login credentials were inappropriately accessed, which could cause some serious trouble for individuals who created a Reddit account in 2007 and have not updated their passwords, or who reused them across various platforms.

Although having some form of 2FA is better than having none at all, the Reddit hack serves as a huge reminder that phone-based authentication lacks one major feature; true security.

Token-Based Authentication – The Safer Approach

Tokens are more secure than other authentication methods such as SMS-based authentication because the token itself doesn’t store any sensitive information. This is made possible because tokens can be used to replace a user’s actual credentials. The token acts as a placeholder for a user’s credentials that way the credentials cannot be compromised as they travel between the server, web application, and user’s browser.

Whether or not you’re using 2FA, it is important to maintain healthy password practices. Don’t reuse passwords across various systems, update your passwords periodically, keep them complex or use a passphrase, and don’t share them with others. Remember, passwords are the keys to your online doors; do your best to protect your assets.

Tags: Data BreachSecurityTwo-Factor Authentication
No Comments
Share
0

You also might be interested in

Welcome to Breach Secure Now!

Oct 28, 2014

The Breach Secure Now! website will try to educate and[...]

Top 5 Security Actions Every CEO Should Take

Nov 21, 2014

An article over at Security Intelligence discusses the 5 actions[...]

Hey Small Business: You ARE a cyber-target!

Nov 22, 2014

The security firm, FireEye, has a very eye opening report[...]

Leave a Reply Cancel Reply

Dark Web Assessments

Search

Recent Posts

  • The Importance of Ongoing Cybersecurity Training March 17, 2023
  • Chatbots and Human Error March 10, 2023
  • What is CIRCA? March 3, 2023
  • The Importance of Ongoing Engagement & Marketing February 24, 2023
  • Mental Health Data for Sale February 17, 2023

Contact Us

  • Breach Secure Now!
  • 55 Madison Ave, Suite 400 Morristown, NJ 07960
  • 877-275-4545
  • info@breachsecurenow.com

Get Social

Schedule a Demo

Recent Blog Posts

  • The Importance of Ongoing Cybersecurity Training March 17, 2023
  • Chatbots and Human Error March 10, 2023
  • What is CIRCA? March 3, 2023

© 2023 · Breach Secure Now!

Prev Next