Hackers Exploit Two-factor Authentication to Steal Millions and How to Fix It

ftrias

Fernando Trias

Posted on April 13, 2020

Hackers Exploit Two-factor Authentication to Steal Millions and How to Fix It

Summary: Hackers hijack phone numbers to reset password and take over accounts, thereby stealing millions. Authenticator apps offer a better solution than using phone numbers for two-factor authentication.

Hacker

When you log into your bank, chances are it will send a code to your phone to confirm that it's really you and not some imposter. In addition, if you forget your password the bank will send you a code to confirm that it is you before letting you create a new password.

This is called two-factor authentication. The first factor is your password. The second is you phone number. Since you control both, it's the double the security and is the basis of most current security systems on the web. It seems secure. Or is it?

SIM swapping

The emerging threat known as SIM swapping puts this method at risk. In SIM swaps, hackers take over your phone number, either by physically stealing your phone's SIM card or by persuading your provider to assign your number to a new phone that they control. Once your number has been hijacked, they then proceed to visit your web sites and reset your passwords using the forgotten password link.

To confirm it's really you, the web site sends your phone number a code, which will now go the hacker's new phone. The hacker enters the code and creates a new password. The web site will probably send you an email notifying you of this, but since your phone isn't connected to the network any more it won't receive the email.

Stealing a SIM card--and thus a phone number--can be done in seconds. For AT&T, T-mobile and GSM-based providers, you phone number is tied to your SIM card, which is usually located in a small slide-out slot on the side of your phone, and thus easily accessible to anyone who is able to hold your phone for more than few seconds. Once they have the SIM card, they can insert into a new phone that will receive new text messages and calls.

Another way to steal your number is to call your provider--AT&T, Verizon, T-mobile, Orange--and persuade them to transfer your phone number, perhaps by telling them your phone was stolen or lost. To do this you just need to know enough to answer some security question. But if you show up to a store pretending to be your target, you sometimes don't need to answer any questions.

Losses mounting

Financial accounts, social media and email are prime targets. In the most obvious cases, hackers reset your password in order to clean out your bank accounts and hold your other accounts for ransom, promising to disclose the new password only after being paid off.

Crypocurrency accounts are particularly vulnerable because unlike with bank accounts, transfers are virtually untraceable and unrecoverable. For example, in a recent SIM swap heist, Michael Terpin, a successful cryptocurrency investor, lost $24 million in 2018. His number was hijacked not once, but twice. He recently won $75 million in a lawsuit against AT&T for enabling hacker to steal his phone number.

Terpin

Often, these crimes are perpetrated by criminal networks. For example, in May 2019, the US Justice Department filed charges against 9 AT&T and Verizon employees for providing criminals with private customer information that was then used to impersonate wealthy customers in order to perform the swap. One employee earned $3500 for information that enabled criminals to impersonate a single high-value customer.

Hackers are even using the COVID-19 pandemic to extract information aimed at stealing your personal information, leading to SIM swapping. Read this CNet article to learn more.

In more elaborate cases, hackers may gather information about your associates and businesses in order to prepare for a larger scam. They add additional recovery information to your account so that they can easily regain access to your accounts at a later time. Then they transfer the phone back by returning your SIM card or telling the provider the undo the change--perhaps under the pretense that the lost phone has been found again. Unsuspecting victims might think they've merely forgotten their passwords when they try to log in again.

For more chilling reading, Vice wrote an expose that involved ordinary people:

The problem has been growing for several years and may soon reach a critical point. In January 2020, six Senators sent a letter to the FCC, asking it to combat the rising danger of SIM swapping. 

To read even more, there is a web site dedicated to this problem where you can read about hundreds (or thousands) of hacks.

Solution

Granted, the problem is not necessarily using a phone number to perform two-factor authentication. Rather the problem lies in using a phone number to recover lost passwords. However, that distinction is lost in most cases. The majority of web sites implement both.

You'd think providers would be more careful about swapping phone numbers, but that would be wishful thinking. AT&T and Verizon live and die by customer service. If a customer calls asking to transfer the phone number to an exciting new phone, they want to make the transition as smooth and hassle-free as possible.

The other side of the problem is that it is common for people to have hundreds of passwords and so forgetting a password is a normal and frequent occurrence, exacerbating the problem because people want the least amount of hassle when resetting passwords, especially since they're already annoyed at having to remember so many passwords.

A promising solution to this dilemma is the use of authentication apps such as Authy, Duo, Authenticator by Google and Microsoft Authenticator. To use these apps, you first unlock your phone and then confirm access, either by entering a code or via a direct connection to the web site. These apps use complex encryption to ensure that it's really your phone. In this scenario, the phone's locking mechanism ensures only you can access the app. Thus, the Authenticator app is only as secure as your phone's locking mechanism.

Auth

It's well-known that older phone locking measures such as PIN codes and swipe patterns were susceptible to hacking. In one well-known hack, all that is required is angling the phone in order to observe the grease marks left on the screen and discern the last code entered on the phone. In addition, customers don't like them and don't turn them on.

But with biometric identification such as fingerprint scanners and 3D facial recognition, people are now able to easily secure their phones against tampering with very little additional effort. Because of this, unlike hijacking a phone number, taking over a phone to access its apps is proving more challenging than ever.

It's time to abandon the use of phone numbers and text codes. These techniques don't improve security very much and they have glaring shortcomings that are impossible to protect against. Web sites should use an authenticator app instead. It's about the same amount of effort for a user, but far more secure.

💖 💪 🙅 🚩
ftrias
Fernando Trias

Posted on April 13, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related