Coro Cybersecurity received an AAA Rating from SE Labs for Enterprise Advanced Security Protection. Read the report
Coro Cybersecurity

The End for SMS-Based Two Factor Authentication

September 19, 2016

For home users and enterprise professionals alike, SMS-based two-factor authentication (2FA) has become a relatively annoying fact of life. Type your password into your computer, wait while a text is sent to your phone, and then race to type in a second passcode before it expires. It's a bit of a hassle, but for many it's been the most important line of defense between hackers and confidential, SaaS applications, and financial information. Now, all of that may be about to change.

A new draft of the Digital Authentication Guideline issued by the U.S. National Institute for Standards and Technology (NIST) indicates that the days of SMS-based 2FA are numbered. The reasons are manifold. In short, new mobile snooping technology has made it easier for hackers to spy on the one-time passwords that are sent to mobile devices. With the use of this technology, hackers are able to bypass this once-foolproof protection mechanism.


How to Break Mobile 2FA

Two-factor authentication is necessary, in short, because passwords are bad. Many users—even people who should know better—often use the same password for more than one account. Thus, it's both easy and quite possible for a hacker to steal a password from one account, and log into another. At the same time, it's much harder for a hacker to steal a user's phone. Where mobile 2FA is concerned, a user's phone acts as a "token" which allows them to verify their identity in a way a hacker cannot.

As mobile technology has matured, however, there are now a number of ways that hackers can break into a user's phone. Some of these methods involve redirecting the confirmation text message away from the victim's phone, and into the attacker's phone. This usually involves a social engineering attack, as was the case when a group of teenage hackers compromised the email accounts of CIA director John Brennan and other top intelligence officials late last year.

Another method involves mobile malware. Malware that specifically affects mobile devices isn't too common yet, but its incidence has been steadily growing. Earlier this summer, security researchers discovered a sophisticated mobile malware package known as 'Pegasus,' targeted at iOS devices. Among other sinister capabilities, the malware had the ability to read text messages on an infected device. This would have allowed attackers to intercept SMS passwords in order to break mobile 2FA.

Lastly, there's straight-up eavesdropping. You may have heard about something called a 'Stingray' device. This hardware essentially impersonates a cellphone tower, and forces nearby mobile devices to connect to it. Once they're connected, the device captures cellphone metadata, and some versions can read SMS messages. Stingrays are usually used by state and federal law enforcement, but it is totally possible for garden-variety hackers to build and use them as well.


A Stronger Approach is Needed

There's more than one way to skin a cat, and there are definitely more than three ways to hack mobile phones and break two-factor authentication. Social engineering, malware, and eavesdropping are just scratching the surface. A creative individual, not overly burdened with morals, has a plethora of choices if they decide to break into an account protected by mobile 2FA.

Fortunately, Coronet provides a robust buffer against individuals who wish to intercept two-factor authentication and break those solutions. Our service determines whether an attacker is present in the WiFi or cellular network your laptops and mobile devices are connected to, and prevents them from eavesdropping. For more information about how we can reinforce two-factor authentication and keep your devices safe, contact Coronet today.