Two-step authentication has become prominent among many online service providers. It requires users to confirm a login with their phone or another mobile device after supplying their username and password. Yet when that second factor depends on the mobile carrier, the carrier may inadvertently expose its customers to cybersecurity threats.
How Can Hackers Utilize Mobile Carriers to Hack You?
Logic and rationality may well lead us to conclude that a two-factor authentication system is a necessary feature in dealing with cybersecurity threats, regardless of whether it is implemented for financial services or simply for logging into your Facebook account. However, people tend to become preoccupied with the former: securing access to their financial accounts becomes the dominant narrative, while they neglect the fact that such precautions can be rendered useless if a hacker gains access to their email account. It is an almost universal requirement; sign up with any online service, and there is little to no chance that you will not be asked to provide an email address along with your registration. Hence, whoever controls your email address can easily request a password reset email for those other accounts; what follows, in terms of potential cybersecurity threats, is self-evident.
It should not come as a surprise that webmail providers nowadays actively encourage two-factor authentication, in addition to suggesting increasingly complex and diverse password combinations for their users. In such cases, a user is asked to add their mobile number to their account, which is then used to send a one-time code, bound to expire after a certain period, that must be entered after supplying the account password. It is a simple yet efficient concept, with the premise that if hackers somehow manage to obtain your email password, via phishing or other methods, they would still need access to your mobile phone to obtain the one-time code and thus gain access to your email account.
Ironically, the most commonly used form of two-factor authentication, a one-time code sent as a text message to the user’s mobile phone and delivered through their mobile carrier, is also the least secure. With that in mind, not all two-factor authentication methods are equally secure for their users. For hackers, this particular method can reveal itself as an easy exploit. If an attacker manages to phish your email password, there are no precautions or security measures in place to prevent them from engaging in social engineering: ringing up your mobile carrier, posing as you and claiming you have lost your phone. From there on, there is little in the hacker’s way when requesting activation of a new phone and a new SIM card to go along with it. What is more, people display credulous behavior all the time; hackers could also phone customer support pretending to be you and request that all calls and texts be forwarded to a different phone number.
Mobile Carriers and what you can do to prevent an Intrusion from Occurring
It is recommended that you stay away from two-factor authentication services that text codes to users. Instead, take a moment to double-check whether the online services you use that offer two-factor authentication also support an app-based method of authentication, such as Google Authenticator and Authy. Organizations have recently been urged by the National Institute of Standards and Technology (NIST) to adopt other forms of two-factor authentication in a newly proposed digital authentication guideline; time-based one-time passwords generated by mobile applications are a proposed alternative to the commonly used text message method.
KrebsOnSecurity has explained at length how valuable your email account can be to hackers and the dangers a compromised email account exposes its owner to. Users are encouraged to take time out of their schedule to review the authentication options available for the online services they use on a regular basis. You can do this by visiting twofactorauth.org. For example, a basic “Facebook” search will reveal that the social networking platform offers secondary authentication options by means other than text messages, including a hardware token (such as a physical USB security key) or a software token (Google Authenticator).
In some cases, as with Facebook, if you had previously opted in to two-factor authentication and received one-time tokens via SMS, you may have to temporarily disable the SMS-based two-factor authentication feature if you decide to switch to a different method of authentication that does not involve your mobile carrier.
There are, of course, additional inconveniences for those who deal with large amounts of capital and need the additional peace of mind that their security is guaranteed and their assets well protected. Many large sites handling large capital tied up in online services do not yet provide much comfort for their users, mainly because their authentication options are not very robust.
In the unfortunate event that your phone is stolen or lost, experts suggest that you phone your mobile provider and request that your SIM card be locked to your device, preventing the phone from being used with another SIM card. You could also ask your provider to set a passcode or PIN on your account that must be supplied before a customer service representative discusses or alters any of your details and personal information.
On another note, it is important to enable two-factor authentication on your account even if the only available option is a one-time code sent as a text message. It is a worthwhile security step, and the absence of stronger alternatives should not lead you to forgo the two-factor option that is available. Any form of two-factor authentication is better than relying solely on a username and password, however complex and sophisticated the password may be.
It goes without saying that mobile carriers are not the only potential vulnerability; one ought to remain vigilant and sagacious when installing applications on a mobile device. Do spend some time researching the application and the developer’s reputation before you commit to installing it. Be equally cautious about any permissions requested by applications, as well as the permissions you have already granted to your existing applications. If your phone is compromised by mobile malware, a two-factor authentication feature will be of no use to you.