What you need to know
- Princeton researchers wanted to know if 2FA is secure using SMS as a factor.
- Researchers called carriers trying to transfer (steal) accounts to new SIM cards.
- Major carriers made it easy to steal prepaid accounts, confirming that SMS is not a secure 2FA method.
Researchers at Princeton University were questioning whether SMS text messaging is a secure authentication method to use as one factor in a two-factor authentication (2FA) setup. The answer turned out to be a resounding no, especially as the team started to attack prepaid plans on the largest mobile carriers.
If an attacker can gain control of a phone number by switching a victim's account to the attacker's SIM card, the attacker can then hijack the verification process that uses SMS by receiving the authenticating text messages instead of the victim. In ten out of ten attempts to steal numbers from prepaid customers on AT&T, Verizon, and T-Mobile, researchers were able to transfer the account to their own SIM card. Attempts on Tracfone and US Mobile were less successful, but those carriers were not completely secure.
In some instances, researchers called trying to steal a user's identity and the customer service representative guided them to the correct identity verification answers, or simply gave the attacker access even after they had guessed incorrectly. The researchers found vast inconsistency, occasional failures to verify identity altogether, and generally enough weakness in the security policies to recommend avoiding SMS as a password authentication method altogether. Since the study was revealed to carriers last year, T-Mobile has said it has updated its verification methods to avoid less secure checks.
The report suggests carriers abandon all of the lousy, insecure methods currently in use and switch to secure methods like an account password/PIN, or at least a one-time code sent directly to the user via SMS or email. Many of the current forms of identification, like street address, date of birth, and some credit card information, can be found through public record searches. Other identifying info, such as the date of the victim's last payment or the phone numbers of recent callers, can be manipulated or spoofed to fool representatives. The report also recommends that websites stop using SMS as part of a multi-factor authentication scheme.
It's time to stop using SMS for two-factor authentication
Not all 2FA is equal. Using SMS to get a code might not be "better than nothing" after all.