Texting troubles with 2FA
Subject: General Tech | September 19, 2017 - 02:07 PM | Jeremy Hellstrom
Tagged: security, sms, 2fa
Two factor authentication is the way to go when dealing with important information online, unfortunately the most common way of enabling 2FA has proven rather vulnerable. With just your name, surname and phone number an unsavoury type could use a vulnerability on cellular networks to gain access to your accounts. The example given over at Slashdot is of a Coinbase wallet with 2FA, registered with a Gmail address also protected by 2FA, which the security researchers easily took control of. Take a look at the article for more details on the SS7 network vulnerabilities this attack exploits as well as better ways of making use of 2FA.
If you do intend to continue to use SMS as part of your 2FA, at least consider disabling the feature on your phone which allows you to breifly read a text without unlocking your phone.
"The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
Here is some more Tech News from around the web:
- Surface Pro 3 users can't boot from latest Windows Insider Builds @ The Inquirer
- Aluminium oxide film staves off battery ageing @ Nanotechweb
- Sure, HoloLens is cute, but Ford was making VR work before it was cool @ The Register
- iOS 11, thoroughly reviewed @ Ars Technica
- Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks @ The Register
- EFF resigns from W3C over DRM standard decision @ The Inquirer
- Upgrade My PC Please! Episode 3: Core Hi Five! @ TechSpot