Beware of 2FA via SMS: the 2 main hacks used to steal your account or wallet

in crypto •  7 years ago  (edited)

2FA consists in adding a second factor during the authentication process to increase the level of security. The main 1st factor being usually the account credentials i.e. Login+Password, the internet industry has found many advantages in using the phone number and the mobile telecom network as a 2nd factor to verify that the 1st factor is not corrupted by sending a message to an out-of-band device: the mobile phone.

2FA via SMS is an efficient solution to prevent the vast attacks such as phishing where the attacker has access to the credentials of the user but does not have access to his/her mobile phone. The mobile phone number is attached to a SIM card, which cannot be compromised and internet services implementing 2FA via SMS have an easy access to telecom APIs such as Twilio, Nexmo, or Telesign to send a verification code globally to their user's mobile phones via SMS for 0.X to a few X usd cents per message.

The NIST (National Institute of Standards and Technology) in the U.S. had published a recommendation to stop using SMS as a 2FA method.

Here are 2 of the main attacks used by hackers to steal your account or wallet using 2FA via SMS:

1- Number portability

The hack consists in porting the number of the user to another phone service controlled by the attacker. It is probably the most popular one, especially in the U.S.. Number portability has been initially designed to allow mobile subscribers switching carriers to keep the same phone number while using the new service. A simple process is run in the background by the new phone service which requests the number to the former phone service releasing the number, after some data about the user is verified. The security of this process is one of the weakest links, since it only demands a porting PIN, which is some cases only contains 4 digits and some basic information about the user such as the address and the account number. The default PIN is also sometimes related to some personal data of the user such as the social security number, which does not make it more secure, especially after the Equifax security breach. The attacker will try to retrieve the information needed to port the number, and will port the number to a mobile phone service in his/her control, which can also be virtual e.g. Google Voice.

After the number has been ported, the attacker will be able to receive all the SMS from the user, and even retrieve the account credentials (1st factor) if the internet service in question uses 2FA for forgotten password.

2- SIM card duplication

This hack is slightly more difficult to achieve as it requires the collaboration of a dishonest mobile phone reseller, in the network of the mobile phone service provider of the user targeted. It implies the duplication of the SIM card of the user. This process was originally designed for mobile subscribers who: 1) lost their SIM card 2) have changed mobile phone and require a new SIM card format 3) have noticed a malfunction with their SIM card.

Once the SIM card has been duplicated, the 2FA process can be used against the user by the hacker.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  
  ·  7 years ago Reveal Comment