Updated: Aug 3, 2018
At a recent presentation at Usenix's Enigma 2018, Google software engineer Grzegorz Milka revealed that fewer than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also noted that only about 12 per cent of Americans use a password manager to protect their accounts, according to a 2017 Pew study.
What is two-factor authentication (2FA)?
Two-factor authentication is a security control that requires something beyond the user's password: a second factor, typically a one-time code generated by or delivered to a device the user holds. It keeps an account protected when the password has been stolen, or when the same password is reused across multiple websites.
If you haven't already done so, enable two-step authentication. This means that when you, or someone else, tries to log into your account, the password alone is not enough: the login also needs a code from a second device, such as your phone. So simply stealing your password isn't enough – the attacker also needs your phone, or an equivalent second factor, to get in.
In Akamai's State of the Internet Q4 2017 report, there were 8.3 billion login attempts across the Akamai platform in November and 8.75 billion in December, despite a slightly shorter data collection window. Of the November logins, 3.6 billion were determined to be malicious. In other words, roughly 43% of all logins seen by Akamai were attempts to get into an account by password guessing or by replaying credentials gathered from breaches elsewhere on the Internet (credential stuffing), which is exactly the traffic a second factor is meant to stop.
A case for not relying on SMS for 2FA
Two-factor authentication is becoming ever more popular as companies respond to growing security concerns. The "second factor" is not fool-proof, though. DeRay Mckesson, an activist with Black Lives Matter, had his 2FA-protected Twitter account hacked last year. Banking customers in Germany had their 2FA-protected accounts hijacked in May. And in August a bitcoin entrepreneur had the equivalent of $150,000 drained from his virtual wallet. How did a second factor fail them?
The major problem with two-factor authentication as commonly deployed is that it relies on text messages, which can be intercepted or redirected. Although this weakness of SMS has been known and discussed for a long time, security experts at Positive Technologies have recently demonstrated the attack end to end.
The video (first published by Forbes) shows how the researchers intercepted the SMS verification code and used it to get access to a user's Gmail account via SMS-based account recovery. From there it took them a few moments to reset the Coinbase password and take control of a bitcoin wallet. A name, surname and phone number are all an attacker needs to break two-factor security if SMS is how you prove your identity.
The flaw lies largely with the weakest link: the phone system and the humans who run it. Mr Mckesson and the bitcoin victim, for example, suffered at the hands of attackers who fooled phone-company employees into re-routing the victim's phone number to a device in the attacker's possession (a "SIM swap" or number port-out). Such a move should require either private, personal details or the customer's PIN. But even if a customer-service rep ignores the scammer's entreaties, the scammer will just call again, reach another rep, and may eventually succeed.
Another flaw, used in the German attack, is found in a system known as Signalling System 7 (SS7), which routes calls and text messages between carrier networks worldwide and dates back to 1975. SS7 was designed for a closed network of trusted operators and does not authenticate signalling messages, so anyone who obtains SS7 access, legitimately or otherwise, can redirect a subscriber's calls and SMS messages to themselves. Mobile operators claim to be monitoring for abuses, but the protocol itself offers no protection.
If not SMS, then what?
Even hijackable, text-based 2FA is better than a password alone. However, if you care about your data security, you may want to consider an alternative second factor that never travels over the phone network, such as Google's Authenticator app for your Gmail accounts, which generates time-based codes from a secret held only on your device, or our GRID Beacon app for your customised web applications.