17 October 18, 10:26
Quote: In the past couple of years, the concept of two-factor authentication (2FA), long the preserve of geeks, has found its way into the mainstream. However, the talk is still largely confined to using 2FA for one-time passwords over SMS. Sad to say, this is not the most reliable option. Here’s why:
- It’s easy to sneak a peek at passwords sent by SMS if lock-screen notifications are enabled.
- Even if notifications are turned off, a SIM card can be removed and installed in another smartphone, giving access to SMS messages with passwords.
- Password-bearing SMS messages can be intercepted by a Trojan lurking inside the smartphone.
- Using various underhanded tactics (persuasion, bribery, etc.), criminals can get hold of a new SIM card with the victim’s number from a mobile phone store. SMS messages will then go to this card, and the victim’s phone will be disconnected from the network.
- SMS messages with passwords can be intercepted through a basic flaw in the SS7 protocol used to transmit the messages.