If you or your employees access protected information with authentication codes sent to a cell phone, you might want to rethink your plan. Two-factor authentication (2FA) using text messages can fall prey to phone authentication scams.

That’s not to say 2FA itself is a problem. You should keep using it, and many groups have turned to it to prevent threat actors from using stolen account credentials. Malicious actors may still try to grab authorized users’ credentials for their own purposes. In fact, the unauthorized use of credentials accounted for 29% of all attacks in 2019, X-Force IRIS observed.

So why is short-message service (SMS) 2FA not as secure as it looks? What other kinds of mobile-based multifactor authentication (MFA) can you use instead?

SIM Jacking: The Problem With SMS-Based MFA

SMS-based MFA is particularly vulnerable to a SIM swap-phone authentication scam, says Alex Weinert, group program manager for identity security and protection at Microsoft. This is one of several types of social engineering attacks. In this case, a threat actor contacts a mobile service provider and pretends they are one of their customers.

First, the attacker claims to have lost their device. They ask the cell phone carrier to transfer the targeted customer’s SIM card to a device under their control. Many mobile service providers require customers to set up PINs to protect their accounts against a SIM swap attempt. But that doesn’t prevent customer service workers from feeling the tug of compassion and agreeing to help them out anyway. If this works, the attacker can use their device along with the transferred SIM card to receive SMS-based MFA codes. This gives them all they need to compromise a protected web account.

Phone company employees can cut down on phone authentication scams on their end, too. They could check whether the caller really uses their service. Several free services online are able to look up the cell phone carrier of a mobile number.

Attackers used this tactic against a major social media company in 2018. They were able to access user emails, internal files, source code and other data. To do this, the attackers intercepted the SMS-based MFA codes for some of the company’s accounts with cloud and source code hosting providers. Further investigation showed the attackers had targeted some of the company’s employees with SIM hijacking attacks. In response, the social media company first notified a small number of users who might have been affected. Next, they worked with law enforcement to prevent a similar incident from happening in the future.

What Safe Phone Authentication Might Look Like

The threat of a SIM swap scam needs to be addressed. But it doesn’t mean users should turn away from their mobile devices for MFA. It also doesn’t mean they can’t use SMS text messages for phone authentication. Instead, they could set up a Voice over Internet Protocol (VoIP) phone using a service, such as Google Voice. This provides an alternative to using the phone number assigned by their mobile service provider. These services are free to set up, and give users the ability to use a phone number tied to a major email system like Gmail.

The advantage is that they can protect those accounts using strong passwords and their own forms of MFA that don’t depend on the fallibility of human customer support agents. That way, someone can’t just gain control over a person’s phone number with a fake sob story about having lost an account. An attacker would need to compromise their victim’s email account first.

One potential problem with this method is that not all web services accept VoIP for phone authentication purposes. In response, users can avoid SMS-based MFA altogether by turning to an authentication app, such as Google Authenticator or Microsoft Authenticator. These and other programs like them aren’t tied to a cell service provider. They’re bound to the device itself, meaning a SIM swap won’t have any effect. An attacker would essentially need to steal the user’s device to obtain an MFA code. With that fact in mind, users who choose this method should make sure they’ve removed that phone authentication app from their mobile device before they get rid of it.

Safe Phone Authentication Across the Connected Workforce

Employers can help their workers use safe MFA phone authentication methods by settling on a MFA plan and writing it into their security policies. Then, use security awareness training to educate users about these policies. At the same time, employers can use Mobile Device Management to standardize vulnerability management, MFA and other security functions across their entire connected workforce.

More from Endpoint

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Threat Management and Unified Endpoint Management

The worst of the pandemic may be behind us, but we continue to be impacted by it. School-aged kids are trying to catch up academically and socially after two years of disruption. Air travel is a mess. And all businesses have seen a spike in cyberattacks. Cyber threats increased by 81% while COVID-19 was at its peak, with 79% of all organizations experiencing a loss of business operations during that time. The risk of cyberattacks increased so much that the…

3 Ways EDR Can Stop Ransomware Attacks

Ransomware attacks are on the rise. While these activities are low-risk and high-reward for criminal groups, their consequences can devastate their target organizations. According to the 2022 Cost of a Data Breach report, the average cost of a ransomware attack is $4.54 million, without including the cost of the ransom itself. Ransomware breaches also took 49 days longer than the data breach average to identify and contain. Worse, criminals will often target the victim again, even after the ransom is…

How EDR Security Supports Defenders in a Data Breach

The cost of a data breach has reached an all-time high. It averaged $4.35 million in 2022, according to the newly published IBM Cost of a Data Breach Report. What’s more, 83% of organizations have faced more than one data breach, with just 17% saying this was their first data breach. What can organizations do about this? One solution is endpoint detection and response (EDR) software. Take a look at how an effective EDR solution can help your security teams. …