If you or your employees access protected information with authentication codes sent to a cell phone, you might want to rethink your plan. Two-factor authentication (2FA) using text messages can fall prey to phone authentication scams.

That’s not to say 2FA itself is a problem. You should keep using it, and many groups have turned to it to prevent threat actors from using stolen account credentials. Malicious actors may still try to grab authorized users’ credentials for their own purposes. In fact, the unauthorized use of credentials accounted for 29% of all attacks in 2019, X-Force IRIS observed.

So why is short-message service (SMS) 2FA not as secure as it looks? What other kinds of mobile-based multifactor authentication (MFA) can you use instead?

SIM Jacking: The Problem With SMS-Based MFA

SMS-based MFA is particularly vulnerable to a SIM swap-phone authentication scam, says Alex Weinert, group program manager for identity security and protection at Microsoft. This is one of several types of social engineering attacks. In this case, a threat actor contacts a mobile service provider and pretends they are one of their customers.

First, the attacker claims to have lost their device. They ask the cell phone carrier to transfer the targeted customer’s SIM card to a device under their control. Many mobile service providers require customers to set up PINs to protect their accounts against a SIM swap attempt. But that doesn’t prevent customer service workers from feeling the tug of compassion and agreeing to help them out anyway. If this works, the attacker can use their device along with the transferred SIM card to receive SMS-based MFA codes. This gives them all they need to compromise a protected web account.

Phone company employees can cut down on phone authentication scams on their end, too. They could check whether the caller really uses their service. Several free services online are able to look up the cell phone carrier of a mobile number.

Attackers used this tactic against a major social media company in 2018. They were able to access user emails, internal files, source code and other data. To do this, the attackers intercepted the SMS-based MFA codes for some of the company’s accounts with cloud and source code hosting providers. Further investigation showed the attackers had targeted some of the company’s employees with SIM hijacking attacks. In response, the social media company first notified a small number of users who might have been affected. Next, they worked with law enforcement to prevent a similar incident from happening in the future.

What Safe Phone Authentication Might Look Like

The threat of a SIM swap scam needs to be addressed. But it doesn’t mean users should turn away from their mobile devices for MFA. It also doesn’t mean they can’t use SMS text messages for phone authentication. Instead, they could set up a Voice over Internet Protocol (VoIP) phone using a service, such as Google Voice. This provides an alternative to using the phone number assigned by their mobile service provider. These services are free to set up, and give users the ability to use a phone number tied to a major email system like Gmail.

The advantage is that they can protect those accounts using strong passwords and their own forms of MFA that don’t depend on the fallibility of human customer support agents. That way, someone can’t just gain control over a person’s phone number with a fake sob story about having lost an account. An attacker would need to compromise their victim’s email account first.

One potential problem with this method is that not all web services accept VoIP for phone authentication purposes. In response, users can avoid SMS-based MFA altogether by turning to an authentication app, such as Google Authenticator or Microsoft Authenticator. These and other programs like them aren’t tied to a cell service provider. They’re bound to the device itself, meaning a SIM swap won’t have any effect. An attacker would essentially need to steal the user’s device to obtain an MFA code. With that fact in mind, users who choose this method should make sure they’ve removed that phone authentication app from their mobile device before they get rid of it.

Safe Phone Authentication Across the Connected Workforce

Employers can help their workers use safe MFA phone authentication methods by settling on a MFA plan and writing it into their security policies. Then, use security awareness training to educate users about these policies. At the same time, employers can use Mobile Device Management to standardize vulnerability management, MFA and other security functions across their entire connected workforce.

More from Endpoint

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…