Security experts recommend using two-factor authentication to secure your online accounts wherever possible. Many services default to SMS verification, sending codes via text message to your phone when you try to sign in. But SMS messages have a lot of security problems, and are the least secure option for two-factor authentication.
While we’re going to lay out the case against SMS here, it’s important we first make one thing clear: Using SMS is better than not using two-factor authentication at all.
When you don’t use two-factor authentication, someone only needs your password to sign into your account. When you use two-factor authentication with SMS, someone will need to both acquire your password and gain access to your text messages to gain access to your account. SMS is much more secure than nothing at all.
If SMS is your only option, please do use SMS. However, if you’d like to learn why security experts recommend avoiding SMS and what we recommend instead, read on.
Here’s how SMS verification works: When you try to sign in, the service sends a text message to the mobile phone number you’ve previously provided them with. You get that code on your phone and enter it to sign in. That code is only good for a single use.
It sounds reasonably secure. After all, only you have your phone number and someone has to have your phone to see the code—right? Unfortunately, no.
If someone knows your phone number and can get access to personal information like the last four digits of your social security number—unfortunately, this can be easy to find thanks to the many corporations and government agencies that have leaked customer data—they can contact your phone company and move your phone number to a new phone. This is known as a “SIM swap”, and is the same process you perform when you purchase a new device and move your phone number to it. The person says they’re you, provides the personal data, and your cell phone company sets up their phone with your phone number. They’ll get the SMS message codes sent to your phone number on their phone.
We’ve seen reports of this happening in the UK, where attackers stole a victim’s phone number and used it to gain access to the victim’s bank account. New York State has also warned about this scam.
At its core, this is a social engineering attack that relies on tricking your cell phone company. But your cell phone company shouldn’t be able to provide someone with access to your security codes in the first place!
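To make the point above concrete, here is a small model of the flow, added as an illustration and not taken from any real service or carrier. The `Carrier` and `Service` classes, the device names and the phone number are all constructed for this example. It shows that the service's check is tied to the phone number, so the code goes to whichever device the carrier currently routes that number to.

```python
import hmac
import secrets
import time

class Carrier:
    """Toy carrier: routes texts to whichever device currently holds a number."""
    def __init__(self):
        self.number_to_device = {}
        self.inboxes = {}

    def assign(self, number, device):
        # Same operation whether it is a real upgrade or a fraudulent SIM swap.
        self.number_to_device[number] = device
        self.inboxes.setdefault(device, [])

    def deliver(self, number, text):
        self.inboxes[self.number_to_device[number]].append(text)

class Service:
    """Toy online service that sends and checks single-use SMS codes."""
    CODE_TTL = 300  # seconds; an assumed lifetime, not from the article

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}  # number -> (code, expires_at)

    def send_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = (code, time.time() + self.CODE_TTL)
        self.carrier.deliver(number, code)  # the service only knows the number

    def verify(self, number, submitted):
        # pop() makes the code single use: any attempt, right or wrong, consumes it.
        code, expires = self.pending.pop(number, ("", 0.0))
        return time.time() <= expires and hmac.compare_digest(code, submitted)

def demo():
    carrier = Carrier()
    service = Service(carrier)
    number = "+15555550100"  # constructed sample number
    carrier.assign(number, "owner-phone")
    service.send_code(number)
    code = carrier.inboxes["owner-phone"][-1]
    owner_ok = service.verify(number, code)    # True: owner received the code
    replay_ok = service.verify(number, code)   # False: already used
    carrier.assign(number, "other-phone")      # number moved to another device
    service.send_code(number)
    owner_got_new = len(carrier.inboxes["owner-phone"]) == 2  # False
    other_ok = service.verify(number, carrier.inboxes["other-phone"][-1])
    return owner_ok, replay_ok, owner_got_new, other_ok

if __name__ == "__main__":
    print(demo())
```

Nothing in `Service.verify` can tell the two devices apart, which is why the protection rests entirely on the carrier's handling of the number.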