Technical Support: 412-349-6678 | Incident Response

Phones & Multifactor Authentication Vulnerabilities

Mobile devices and multifactor authentication

Single-factor authentication leaves you vulnerable to hacking.

That’s why we always recommend using multifactor authentication, or at least two-factor authentication, to present an attacker with additional friction and complexity.

If you’ve added multifactor authentication into place, that’s great. You’re more secure for it. However, you’re now vulnerable to what’s known as a multifactor authentication attack.

Two-Factor & Multifactor Authentication Hacks on Your Phone

Let’s focus on the most common forms of two-factor authentications: Phones and hardware tokens.

If you are using your phone as a multi-factor or password recovery device, the most commonly used method, by far, is SMS text messaging. Unfortunately, it is also the least secure method.

Recent: 2019 Malware – A Year in Review

Losing your phone makes you vulnerable to SMS text message one-time passwords. Typically, they show up on your lock screen in plain text. All of the sudden, an attacker won’t need to break into the phone you left behind in that restaurant. 

Nicole Sette, of Dark Reading, used her own phone to see which accounts she could hack. Without even unlocking the phone, she could change access rights to Twitter.

And, by simply using her Hotmail email address, she had full access to her Hotmail account. With that access, she then had access to bank statements. 

Finally, by using the information and links within those statements, she broke into one of her financial accounts, which revealed her social security number. 

Social security numbers may seem like a stretch. But, if you were one of the 143 million people who had information leaked by Equifax, your social security number just might be for sale on the dark web… along with your email address. 

Also, consider this. Facebook sells our phone numbers as part of its business model. So, many attackers can simply buy the information needed to start personal attacks.

The most notable issue revealed in Sette’s self-hack article is that, for many poorly constructed two-factor authentications, once a cell-phone is used, the account effectively uses one-factor authentication instead of two. 

Recent: Hackers, Economics, and Red Teaming

Granted, if you forgot your access password, the one-factor authentication is very convenient. However, that account has fundamentally become less secure.

Sette recommends upgrading from a phone to a more robust two-factor authentication, such as Duo, Microsoft Authenticator, Google Authenticator or a USB hardware authentication device.

Further, you should disable notifications on the phone’s lock screen so that one-time-passwords don’t simply show up for anyone to read.

Text Message (SMS authentication) Attacks

An additional issue can arise from cellphone authentication, even without losing your phone. But, these drift from “attacks of opportunity” to “targeted attacks.”  Some proven exploits include: Intercepted SMS, redirected SMS, and SIM Swap attacks. 

Intercepted SMS attacks exploit the SS7 interconnection cellular network via vulnerabilities, or through hijacking services. While these attacks usually target Bitcoin wallets, obtaining access to the network provides visibility to SMS traffic in that area. And, hackers will make attacks of opportunity if they sense a valuable target.

Redirected SMS attacks require hackers to break into carrier accounts and set-up call forwarding from legitimate phone numbers to their own phones. As with the intercepted SMS attacks, this requires access to the phone company’s infrastructure or systems, but the third attack is more simple.

SIM-swap attacks, or Subscriber Identity Module card-swapping attacks, switch your phone number over to a new SIM card on a phone controlled by a hacker. While this requires the phone company’s assistance — since this is a standard procedure done with every new phone purchase — cell phone company representatives can be tricked into performing the task by using simple social engineering.

Recent: Tips to Prepare Your Team With Holiday Security

If you’ve been victimized by a SIM-swap attack, you’ll only notice that your number stopped working if you’re actively using your phone. Meanwhile, without a phone number, you may find it difficult to contact the phone company to resolve the issue. 

The hacker will enjoy access to all of your accounts that use your phone for SMS two-factor authorization, or as a password backup.

Intercepted and redirected SMS attacks can be difficult to directly counter, so we recommend that you use one of the more secure two-factor authorization methods.

To help prevent SIM swap attacks, there are two steps you can take to increase your security.

First, add PIN numbers to your phone accounts to increase security for any potential changes. Second, request in-person only SIM transfers.

While SMS remains the most widespread multifactor authentication method for one-time passwords, NIST special publication 800-63-3 now discourages the use of SMS for delivery of OTP and for use as a second-factor authentication.

So, what other MFA options do you have?

Other Types of Multifactor Authentications

Hardware tokens remain as classic options for multifactor authentications. 

Usually provided as a key fob with time-based one-time passwords, this method is quite secure. But, it has vulnerabilities. 

The most common problem is that if you lose the token, your account is rendered useless until the token is replaced and reconnected to your accounts. These solutions tend to be more expensive than smart-phone-based methods.

Mobile tokens take the physical token concept and wrap it into a mobile smartphone app. While more convenient than a hardware token, mobile tokens require you to scan a QR code for setup. 

If you choose this method, make sure that your code is not delivered by email. A hacker with access to that email account will also have access to the QR set-up code.

Push-based authentication tokens take the token concept one step further. Instead of relying upon a time-based code, this method pushes an encrypted message to your phone.

This method is considered more secure than a mobile token because you’ll be notified each time someone tries to access your account. In that case, you must actively approve the action to start generating a code.

Recent: Which Data Storage Solution Works Best for You?

Once approved, the app will open the encrypted push message to generate the one-time password code. While the push-based method improves mobile token security, your device must be connected to a network to receive the push notification.

A third phone-based authentication is the use of QR code-based tokens. When using this method, the website or service will display a QR code on the screen. You can then use your phone to scan the QR code, then generate a one-time password code to type into the app. 

This method includes an additional advantage: Your phone no longer needs to be connected to a network to receive the push notification. Also, it’s very easy to use.

The increased security from these multifactor authentication methods comes with a cost, though. And, it’s far from foolproof.

The additional security can be more expensive, and it depends heavily upon you have the device in your possession at all times.

Unfortunately, even these methods are not without fault.

The FBI notes that poorly designed websites can be hacked to bypass multifactor authentications. Thus, phishing attacks can trick you into providing an adversary with your security codes. 

Simply put, additional layers of difficulty add complexity for any attacker. If you provide enough of a hassle, it may encourage the attacker to look for easier targets.

The Right Support

The best cybersecurity strategy should be tailored to your specific needs and budget.

Ideal Integrations & Blue Bastion are by your side. We’ll help improve your security profile and test its effectiveness with red teaming to make sure your data and your organization remain safe.

It’s time to maximize your return on IT!

For a risk-free demonstration, contact us today by completing the form below, or by calling us at 412-349-6680.

If you’ve been actively breached, and you need immediate support, call our incident response team at 412-349-6678.

Building networks and partnerships, we are on your side.

Request Your Risk-Free Consultation Today!

  • This field is for validation purposes and should be left unchanged.