September 2nd, 2021
Two Factor Authentication (2FA) for protecting online accounts and sensitive information is fast becoming the norm for increasing one’s overall cybersecurity. Also known as MFA (Multi-Factor Authentication) and two-step verification, 2FA is an extra layer of security to prove that the person accessing an account is the authentic owner. So, in order for a hacker to gain access to your account, they would need to know your username, password, and have your 2FA method – making it less likely that your account could be compromised.
2FA methods come in many forms including authentication emails, specialized authenticator apps, hardware keys, and SMS codes – but not all 2FA methods are created equal in terms of their security. In fact, SMS-based 2FA is known to be a hot target for hackers through a method called SIM swapping (or SIM jacking), where your phone number is migrated to a phone that a hacker controls.
If you’re using text message based codes as a second factor of authentication to access online services, including your bank or crypto accounts, your assets are more likely at risk. So in this article, we’ll discuss the safety of 2FA SMS, explain what SIM swapping is, and what you should do to protect your online accounts.
2FA has become such an essential part of online security that even Google will enroll all users automatically into two-step verification. However, of all available multi-factor authentication methods, SMS-based 2FA is the least safe. The National Institute of Standards and Technology once declared that the age of SMS-based 2FA was over, and Kraken, one of the largest cryptocurrency exchanges in the world, has never offered SMS 2FA, citing safety concerns.
But why is SMS 2FA so unsafe? It starts with the fact that it’s a relatively easy process for hackers to socially engineer telecommunication service providers into giving up your confidential information. Here’s an example of how it works:
Some of the more high profile SIM swapping cases include Twitter Founder, and now major Bitcoin supporter, Jack Dorsey being successfully targeted by hackers. There are also a number of documented cases where users have sued mobile carriers over lost crypto assets as a result of the carrier failing to safeguard their accounts. That is why SMS 2FA should be avoided unless absolutely necessary and, even then, you’ll need to do everything you can to safeguard your accounts. Below are suggestions to take your online security a step further.
To protect yourself from SIM swapping attacks you can do things like:
However, an even better set of options include avoiding SMS-based 2FA altogether and instead using safer alternatives as outlined below.
Mobile apps such as Authy, Microsoft Authenticator and Google Authenticator provide you with a code passcode that changes every 30 seconds. What makes authenticator apps much more secure than SMS-based 2FA is that hackers would need actual physical possession of your device in order to breach your account, whereas SIM swapping can happen quite easily from a remote location.
If you want an even higher level of security than mobile authenticator apps, consider using a hardware authenticator like a YubiKey, which supports a number of secure protocols. YubiKeys provide a single-use passcode for each login instance, and they also require you to physically touch the key in order to activate it – making it impossible for a hacker to access this 2FA method remotely.
If the fact that you own cryptocurrency is public knowledge, or if you’re part of a project in the crypto space, then having good 2FA security is essential for the safety of your assets.
For more information on how to keep your accounts and sensitive data safe, reach out to our cybersecurity experts at email@example.com.