Many organizations send an SMS text message to your phone with a short number for you to enter after your password. It's a really convenient way to give you 2FA. This has been something that is important for things like online banking.
The problem is that hackers are now sending fake SMS messages:
Oh, foo. There's no authentication for the SS7 signaling, and so there's no authentication for the text message. If someone has your phone number and can send SS7 into the telephone network, they can send a text message seeming to come from your bank. More importantly (and this is what seems to have been used here) they can cause the victim's text to go to any old device they want - this is where they steal the codes.Financially-motivated hackers are using SS7 attacks to break into bank accounts.
Unfortunately, there's no solution yet. Watch your bank account closely is about all you can do.
Aside from the physical bother of carrying the hardware based authenticators, what is your take on that as a 2FA method? I seem to recall some sort of issue with them 4-6 years ago.
ReplyDeleteThere are a set of hardware devices (and software versions you can install on your phone), but these are expensive. Because of the cost, they are niche products.
ReplyDeleteI don't know that there is a good mass market solution to replace SMS.
Yikes! Turn off 2FA temporarily? I'm not even sure most banks offer regular consumers other 2FA options other than SMS.
ReplyDeleteGoogle, and some banks, offer the choice between a voice call and an SMS message. I'd think spoofing the voice call would be harder, but I doubt even it's foolproof.
ReplyDeleteI do not bank on my phone, plain and simple.
ReplyDeleteFB does not get my phone number. There is some government or official website that uses my number, but I had no choice with that, and it is not related to my bank account.
It unnerves me that financial institutions think it is such a great idea to do all that stuff on your phone.
Aside from the hacking, it is just too easy to lose a phone.
Appreciate this information. Thank you.