What you need to know
- Princeton researchers wanted to know if 2FA is secure using SMS as a factor.
- Researchers called carriers trying to transfer (steal) accounts to new SIM cards.
- Major carriers made it easy to steal prepaid accounts, confirming that SMS is not a secure 2FA method.
Researchers at Princeton University were questioning whether SMS text messaging is a secure authentication method to use as one factor in a two-factor authentication (2FA) setup. The answer turned out to be a resounding no, especially as the team started to attack prepaid plans on the largest mobile carriers.
If an attacker can gain control of a phone number by switching a victim's account to the attacker's SIM card, the attacker can then hijack the verification process that uses SMS by receiving the authenticating text messages instead of the victim. In ten out of ten attempts to steal numbers from prepaid customers on AT&T, Verizon, and T-Mobile, researchers were able to transfer the account to their own SIM card. Attempts on Tracfone and US Mobile were less successful, but those carriers were not completely secure.
In some instances, researchers called trying to steal a user's identity and the customer service representative guided them to the correct identity verification answers, or simply gave the attacker access even after they had guessed incorrectly. The researchers found vast inconsistency, occasional failures to verify identity altogether, and generally enough weakness in the security policies to recommend avoiding SMS as a password authentication method altogether. Since the study was disclosed to carriers last year, T-Mobile has said it has updated its verification methods to avoid the less secure checks.
The report suggests carriers abandon all of the lousy, insecure methods currently in use and switch to secure methods like an account password/PIN, or at least a one-time code sent directly to the user via SMS or email. Many of the current forms of identification, like street address, date of birth, and some credit card information, can be found through public record searches. Other identifying info, such as the date of the victim's last payment or the phone numbers of recent callers, can be manipulated or spoofed to fool representatives. The report also recommends that websites stop using SMS as part of any multi-factor authentication scheme.
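To make the recommended policy concrete, here is an added example (not code from the Princeton study or from any carrier) of how a carrier's SIM-change handler could be written so that only an account PIN or a one-time code delivered to the existing SIM or email authorizes the change. The PIN check locks out after a constructed limit of three wrong guesses, so a representative cannot keep letting a caller retry, and public-record answers such as date of birth, address, last payment date or recent callers are ignored entirely. Account numbers, PINs and the attempt limit are constructed values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_PIN_ATTEMPTS = 3  # constructed policy value: lock out after repeated wrong guesses


@dataclass
class Account:
    number: str
    pin_hash: bytes          # scrypt hash of the account PIN
    salt: bytes
    failed_pin_attempts: int = 0
    pending_otc: Optional[str] = None   # one-time code delivered to the existing SIM/email


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1)


def new_account(number: str, pin: str) -> Account:
    salt = os.urandom(16)
    return Account(number, hash_pin(pin, salt), salt)


def verify_pin(acct: Account, pin: str) -> bool:
    if acct.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        return False  # locked: no further guesses, even correct ones, until the owner re-verifies
    ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
    acct.failed_pin_attempts = 0 if ok else acct.failed_pin_attempts + 1
    return ok


def issue_otc(acct: Account) -> str:
    # Delivered to the SIM currently on the account (or the email on file); never read to a caller.
    acct.pending_otc = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_otc


def verify_otc(acct: Account, code: str) -> bool:
    if acct.pending_otc is None:
        return False
    ok = hmac.compare_digest(acct.pending_otc, code)
    acct.pending_otc = None  # single use, whether or not it matched
    return ok


def authorize_sim_change(acct: Account, evidence: dict) -> bool:
    # Only a correct PIN or a valid one-time code authorizes the change; keys such as
    # "dob", "address", "last_payment" or "recent_callers" are deliberately not consulted.
    if "pin" in evidence and verify_pin(acct, evidence["pin"]):
        return True
    return "otc" in evidence and verify_otc(acct, evidence["otc"])
```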