Multi-factor authentication is often pointed to as a great step in increasing security for account access. In addition to your password, “something you know,” you’ll also need access to your cell phone, “something you have.” For example, if you enable two-factor authentication for a Google account, when you try to log in with your password from a new computer or other device, Google will send a text to your cell phone with a code you’ll need to enter on the login screen to verify that along with having the correct password, you also have physical access to the associated cell phone for the account. However, problems arise if your access to your cell phone is compromised.
In a recent article on TechCrunch, John Biggs describes a nightmarish experience when hackers take control of his cell phone number and begin resetting his account access to multiple accounts and sending texts to his contacts. He writes, “At about 9pm on Tuesday, August 22 a hacker swapped his or her own SIM card with mine, presumably by calling T-Mobile. This, in turn, shut off network services to my phone and, moments later, allowed the hacker to change most of my Gmail passwords, my Facebook password, and text on my behalf. All of the two-factor notifications went, by default, to my phone number so I received none of them and in about two minutes I was locked out of my digital life.”
It's a frightening scenario that will hit home for anyone who takes security seriously and makes a point of implementing the latest recommendations for securing access. When a single cell phone number is tied to all our digital identities, control of that number quickly becomes a common point of failure for access to multiple accounts.
With sophisticated social engineering techniques and technical weaknesses in cell phone infrastructure, attackers don’t even require access to your physical cell phone. Hackers can intercept text messages or convince telecoms to redirect your number to phones they control. As I wrote last summer, NIST is no longer recommending SMS messages for two-factor authentication because of the weaknesses in the SS7 telecom infrastructure. However, many of the multi-factor authentication systems in use today continue to utilize SMS messages to deliver their secondary factor.
A better solution is a hardware token (such as an RSA token) or an app (like Google Authenticator) that generates ever-changing passcodes. These solutions work by sharing a common seed value between the client and the server at the point the token is provisioned, from which all future values are algorithmically derived. Without access to the seed value and the hashing algorithm, it's impossible to 'intercept' the codes, as no data is actively sent: both sides generate matching codes independently. While adding multi-factor authentication adds an extra layer of protection, you should avoid SMS or phone-call-based authentication in favor of token-based solutions whenever possible.
Companies implementing two-factor systems need to remain vigilant in monitoring account access and user behavior to identify anomalous activity and mitigate the impact of any unauthorized access. Companies need to be prepared to identify and quickly respond should an account become compromised, even with multi-factor authentication in place. Good security practices, including log management and SIEM along with programs for vulnerability assessment and patch management, can go a long way towards reducing the attack surface and ensuring rapid incident response. For organizations with limited resources or staff, EiQ's SOCVue services can help.
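As an added illustration of the kind of anomaly a SIEM rule can catch (this is example code written for this page, not EiQ's or SOCVue's logic), the following flags any account that accumulates several security-sensitive changes within a short window, which is the pattern the SIM-swap story above describes: a recovery number change followed within minutes by password resets and an MFA device change. The log format, event names, user names, IP addresses and the five-minute/three-event thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security-sensitive account events; several in quick succession for one
# account is the signature of an account-takeover-in-progress.
SENSITIVE_EVENTS = {
    "recovery_phone_changed",
    "password_reset",
    "mfa_device_changed",
    "recovery_email_changed",
}

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2017-08-22T20:55:00Z user=bob event=login_success ip=198.51.100.7
2017-08-22T21:00:05Z user=alice event=recovery_phone_changed ip=203.0.113.9
2017-08-22T21:00:40Z user=alice event=password_reset ip=203.0.113.9
2017-08-22T21:01:30Z user=alice event=password_reset ip=203.0.113.9
2017-08-22T21:02:10Z user=alice event=mfa_device_changed ip=203.0.113.9
2017-08-22T21:30:00Z user=bob event=password_reset ip=198.51.100.7
2017-08-22T22:00:00Z user=alice event=login_success ip=203.0.113.9
""".splitlines()


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> key=value key=value ...' into a dict."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_bursts(lines, window=timedelta(minutes=5), threshold=3) -> dict:
    """Return {user: most sensitive events seen inside any `window`} for every
    user whose count reaches `threshold`; everyone else is omitted."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") in SENSITIVE_EVENTS:
            per_user[rec["user"]].append(rec["ts"])

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        best, j = 0, 0
        # Sliding window: for each start event, advance j to the first event
        # outside the window; j - i is the count inside it.
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {user} had {count} sensitive account changes within 5 minutes")
```

In a real deployment the alert would feed the incident-response process described above: lock the account, invalidate sessions and recovery channels changed during the burst, and contact the user through a channel other than the phone number that was just changed.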