Beyond Text Messages: How to Secure 2FA Against Phone Authentication Scams

February 12, 2021
| |
3 min read

If you or your employees access protected information with authentication codes sent to a cell phone, you might want to rethink your plan. Two-factor authentication (2FA) using text messages can fall prey to phone authentication scams.

That’s not to say 2FA itself is a problem. You should keep using it, and many groups have turned to it to prevent threat actors from using stolen account credentials. Malicious actors may still try to grab authorized users’ credentials for their own purposes. In fact, the unauthorized use of credentials accounted for 29% of all attacks in 2019, X-Force IRIS observed.

So why is short-message service (SMS) 2FA not as secure as it looks? What other kinds of mobile-based multifactor authentication (MFA) can you use instead?

SIM Jacking: The Problem With SMS-Based MFA

SMS-based MFA is particularly vulnerable to a SIM swap-phone authentication scam, says Alex Weinert, group program manager for identity security and protection at Microsoft. This is one of several types of social engineering attacks. In this case, a threat actor contacts a mobile service provider and pretends they are one of their customers.

First, the attacker claims to have lost their device. They ask the cell phone carrier to transfer the targeted customer’s SIM card to a device under their control. Many mobile service providers require customers to set up PINs to protect their accounts against a SIM swap attempt. But that doesn’t prevent customer service workers from feeling the tug of compassion and agreeing to help them out anyway. If this works, the attacker can use their device along with the transferred SIM card to receive SMS-based MFA codes. This gives them all they need to compromise a protected web account.

Phone company employees can cut down on phone authentication scams on their end, too. They could check whether the caller really uses their service. Several free services online are able to look up the cell phone carrier of a mobile number.

Attackers used this tactic against a major social media company in 2018. They were able to access user emails, internal files, source code and other data. To do this, the attackers intercepted the SMS-based MFA codes for some of the company’s accounts with cloud and source code hosting providers. Further investigation showed the attackers had targeted some of the company’s employees with SIM hijacking attacks. In response, the social media company first notified a small number of users who might have been affected. Next, they worked with law enforcement to prevent a similar incident from happening in the future.

What Safe Phone Authentication Might Look Like

The threat of a SIM swap scam needs to be addressed. But it doesn’t mean users should turn away from their mobile devices for MFA. It also doesn’t mean they can’t use SMS text messages for phone authentication. Instead, they could set up a Voice over Internet Protocol (VoIP) phone using a service, such as Google Voice. This provides an alternative to using the phone number assigned by their mobile service provider. These services are free to set up, and give users the ability to use a phone number tied to a major email system like Gmail.

The advantage is that they can protect those accounts using strong passwords and their own forms of MFA that don’t depend on the fallibility of human customer support agents. That way, someone can’t just gain control over a person’s phone number with a fake sob story about having lost an account. An attacker would need to compromise their victim’s email account first.

One potential problem with this method is that not all web services accept VoIP for phone authentication purposes. In response, users can avoid SMS-based MFA altogether by turning to an authentication app, such as Google Authenticator or Microsoft Authenticator. These and other programs like them aren’t tied to a cell service provider. They’re bound to the device itself, meaning a SIM swap won’t have any effect. An attacker would essentially need to steal the user’s device to obtain an MFA code. With that fact in mind, users who choose this method should make sure they’ve removed that phone authentication app from their mobile device before they get rid of it.

Safe Phone Authentication Across the Connected Workforce

Employers can help their workers use safe MFA phone authentication methods by settling on a MFA plan and writing it into their security policies. Then, use security awareness training to educate users about these policies. At the same time, employers can use Mobile Device Management to standardize vulnerability management, MFA and other security functions across their entire connected workforce.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more