Signing into websites and services used to be as simple as entering your username and password. But as cybercriminals' tools became more sophisticated, so did the need for stronger sign-in checks.
The first two-factor authentication (2FA) patent was awarded in 1998. It took some time for mainstream websites to adopt the measure, which became common by the mid-2000s.
As with anything in technology, it was only a matter of time before criminals found a way around it. Two-factor authentication is still one of the strongest protections you can turn on, but a newly reported attack shows that one popular way of delivering it, the code sent by text message, can be defeated.
Here’s the backstory
2FA is an added step when signing into a service or website. After you enter your username and password, the site asks for a one-time code to confirm that you are the account owner. Either an authenticator app on your phone generates the code, or the service sends one to you by SMS (text message).
An attack has been uncovered in which criminals reroute your text messages so the 2FA code reaches their phone instead of yours, and then use it to get into your account. The worst part is that nothing shows up on your phone, so you would have no idea it is happening.
Motherboard asked a hacker to demonstrate the attack on a journalist's mobile number using a $16-per-month plan on a commercial SMS routing service. Within minutes, the journalist's Bumble and Postmates accounts were taken over. A little while later, the hacker had full access to his WhatsApp account.
This is how it works
Any service that uses a mobile number to verify you or to reset a password is exposed. Networks like WhatsApp, Facebook or Tinder can be verified this way, as can many others.
The only thing the attacker needs from you is your mobile number. Once text messages for that number are being routed to the attacker's service, they trigger login or password-reset requests at the target sites, receive the verification codes meant for you, and complete the sign-in. With the number and the code, the criminal has full access to that account.
“I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info,” the hacker told Motherboard. An LOA is a Letter of Authorization, a form in which a customer asserts that they control a number and consent to its text messages being routed to the service. The service accepted false information on the form and routed the messages without checking with the number's real owner.
What can you do about it?
The attack targets codes delivered by text message, so your first line of defense is to stop using SMS for 2FA wherever a service lets you choose. There are more secure ways to receive a generated code or 2FA credentials. Here are a few:
- Push notifications
When a service or website offers it, opt for a push notification from the official app to verify your identity. The notification is generated by the company and delivered through the app on your phone over the internet, not through the phone network, so rerouting your text messages does not capture it. If you are signing into a website on your desktop, the prompt pops up on your phone. One caveat: only approve a prompt for a sign-in you just started yourself; a prompt you did not expect means someone else has your password.
- Code generators
A stronger method is a timed code generator. Facebook, Microsoft, Google, and many banking apps offer one. The app shows a 6-digit verification code that changes every 30 seconds (the standard interval) and is only valid for a short window around that time. The code is computed on your phone from a secret shared with the service when you set it up, so nothing is sent over the phone network for an attacker to reroute.
- Standalone 2FA apps
There are several standalone 2FA apps available on Apple's App Store and Google Play Store. They use the same timed-code mechanism as the built-in generators above, but collect the codes for all the websites and services you use in one application. Have a look at andOTP for Android, or Twilio Authy for Android and iOS.