The global pandemic has seen a huge rise in cyber-related crimes. According to MonsterCloud, Cybercriminals have taken this opportunity to up their attacks, both in frequency and scope.

To avoid being hacked online, people choose Two-factor authentication (2FA). 2FA brings an extra layer of security that passwords alone can’t provide. Requiring an extra step for a user to prove their identity reduces the chance of a bad actor gaining access to data.

One of the most common methods of 2FA is SMS text messages. The problem is that SMS is not a secure medium. Hackers have several tools in their arsenal that can intercept, phish, and spoof SMS. Despite this security flaw and better options for authentication, SMS-based 2FA is still used by several institutions.

SIM swapping and SS7 spoofing are real and present dangers. They make cellphones into weak-as-kitten second factors and useless for password resets.

The most widely reported method for intercepting phone-based authentication passcodes, according to the researchers, is a SIM swap attack. They explain that by making an unauthorized change to the victim’s mobile carrier account, the attacker diverts service, including calls and messages, to a new SIM card and device that they control.

What Is Sim Swapping?

SIM swapping is a malicious technique where threat actors target mobile carriers in an attempt to take over users’ accounts. The end goal of the attack allows the threat actor to thwart SMS-based two-factor authentication and what it is designed to protect.

READ
Russian National Extradited to U.S. on Charges of Running Phobos Ransomware Operation

A study conducted by the Department of Computer Science and Centre for Information Technology Policy at Princeton University confirms the risks associated with using SMS as a 2FA. The study, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, notes that, although this means of authentication is ubiquitous as a second factor or account recovery method, it does expose customers to “severe risks”.

Using two-factor authentication, or 2FA, is the right thing to do. But you put yourself at risk getting codes over text.

What should I Use Instead?

An authentication app such as Google Authenticator, Microsoft Authenticator, or Authy. It has the advantage of not needing to rely on your carrier; codes stay with the app even if a hacker manages to move your number to a new phone. And codes expire quickly, usually after 30 seconds or so. In addition to being more secure than SMS, an authentication app is faster; you only need to tap a button to verify your identity instead of manually entering a six-digit code.