Disable SMS-based two-factor authentication

On August 30, 2019, Twitter CEO Jack Dorsey's Twitter account started posting racial slurs and anti-Semitic messages. Twitter quickly removed the posts and later blamed the incident on a security lapse at Dorsey's mobile carrier.

The source of the hack was a common attack vector: SIM swapping. SIM swapping is the act of taking control of a user's mobile number by having the cellular provider move that number's service to a SIM card the attacker controls. Once the swap is done, every text message and voice call to that number, including one-time passcodes and password-reset links, arrives on the attacker's device instead of the victim's.

A SIM card is all you need

The swap can occur in several ways. In some cases, attackers have built tools to alter the provider's database, as happened to T-Mobile customers in 2018. In other cases, attackers use public information about a person to convince cellular support agents that they are the phone number's owner and get the agent to perform the SIM swap. No matter the method, the result is the same: a compromised phone number, and with it every account that relies on that number for login codes or account recovery.

MSJ believes that a mobile phone number is not a safe second factor for two-factor authentication. SIM swapping continues, and carriers continue to struggle to keep up with the controls required to protect phone numbers.

MSJ is not alone. In 2017 the National Institute of Standards and Technology (NIST) placed restrictions on phone-based authentication (SMS and voice one-time codes) in Special Publication 800-63B, citing the risks of SIM swapping and other attacks on the phone number.

What does this mean for you, the user?

We strongly encourage all users to disable SMS and voice-call based authentication on every service that offers an alternative. An authentication app on your phone or a physical security token is a better choice: an authentication app generates its codes from a secret stored on the device itself, and a hardware token signs a challenge with a key that never leaves it, so neither depends on your phone number and neither can be captured by a SIM swap. For authentication apps, we like Google Authenticator or Authy. One caveat: after switching, also remove your phone number as a recovery option where the service allows it, because a password reset sent over SMS can undo the benefit of a stronger second factor.

As always, we're here to help. Reach out today if you need assistance with two-factor authentication or other IT security issues.
