Here is a video of entrepreneur and self-help author Richard Heart teaching his audience about SMS two-factor authentication and SIM-swap hacks:
Most people use a username and password to secure their online accounts. As an additional layer of security, some people will use SMS two-factor authentication (“2FA”). This is commonly used by centralised exchanges like Binance.
SMS 2FA is where the platform you are logging into texts you a one-time passcode that you need to enter along with your password. People who opt to use this method think that as long as no one steals their phone, they’ll be just fine.
Spoiler alert: they are wrong. You should always be using a better form of 2FA, alongside a hardware crypto wallet, and in this article we will explain why.
Many people have lost vital information and millions of dollars because they used SMS authentication. While SMS 2FA is convenient, it is vulnerable to an increasingly common attack called “SIM-swapping”.
In this article we will explain:
- How SIM-swapping works and why SMS authentication is dangerous, and
- What you can do to protect yourself.
What is Two-Factor Authentication (2FA)?
Simply put, 2FA is a method of securing your account in addition to using a password. Most platforms offer their users the option to use different kinds of 2FA or not to use it at all.
There are various types of 2FA, the most common being SMS or email 2FA. A step above this is authenticator app 2FA. And yet another step beyond this is hardware 2FA. Hardware 2FA (“security keys”) is emerging as the new standard for cyber security: it is used by large organisations and recommended by cyber security professionals worldwide.
What is SMS Two-Factor Authentication (2FA)?
SMS 2FA requires that you enter your mobile phone number and store it with the given platform. Whenever you enter your password, you will be prompted to enter a one-time passcode that is texted to you before you can log in. The code will only be valid for a defined duration – commonly 10 minutes. So, how can this be dangerous?
If a hacker gets hold of your password on the dark net, or brute forces their way in, they would need access to your text messages in order to enter your account. This seems secure, but there are ways to get hold of your texts without even possessing your phone!
What is SIM-Swapping?
We do not recommend using SMS 2FA because hackers can overcome this layer using a hack called SIM-swapping – also referred to as simjacking, port-out scam, smishing and SIM splitting.
How it works is as follows:
1) The hacker obtains personal details of their target, such as name, date of birth and address. Usually this is done using phishing emails that trick you into providing them willingly.
2) The hacker then calls up the target’s phone network provider and impersonates them, using the details obtained in step (1). They persuade the phone network provider to port the target’s phone number over to a different SIM. Often the phone company will have an insider, someone who is bribed to facilitate this process for the hacker.
3) The target’s phone number is then generally changed directly by the phone company to the hacker’s own SIM. The target now essentially no longer controls their phone number – they can’t make calls or send and receive SMS. Anyone who calls them or sends them an SMS will actually be contacting the hacker’s device. Thus, the hacker can easily bypass SMS authentication, because they can now receive the one-time passcode.
This is an increasingly common hack. As you can see, it allows hackers to hijack your method of 2FA. All they need to do is figure out your password and they will be able to gain access to your accounts and impersonate you, get banking information etc. Some people even save their seed phrases in an email on their account [shakes head] – if they get hacked in the way we describe, they will very swiftly lose all of their crypto.
If you thought your password was secure enough, think again. For most people, password acquisition is easy because they choose passwords from a small, easily guessable set, e.g. Password123 or Letmein111. A bot can run through the common ones in no time.
If you have a more complex password, good for you. But installing a key logger on someone’s device by implanting one into a porn site is a common way for hackers to out-smart us. The key logger logs and transmits every key stroke you make to the hacker. Sometimes a hacker can simply buy a password that has been leaked on the darknet.
We suggest trying to limit the number of times you include your phone number on an online profile. Avoid it if you can, because if that platform gets hacked, now the hackers have more details about you.
I hope you are sufficiently scared away from using SMS 2FA. It is not a sufficient failsafe mechanism.
So how do you protect yourself from all this?
What is the best method of two factor authentication (2FA)?
Authenticator app 2FA
This is a little different to SMS 2FA. Typically, people will download an app such as Google Authenticator or Authy. They will initially connect it to the given platform they are using (e.g. PayPal or eBay). Then, when they want to log in to the platform, they will be prompted to open the app and use a passcode that is generated within it. This method of 2FA binds the authentication process to the mobile device itself.
If you use authenticator app 2FA, a hacker would need to find your password AND have physical possession of your phone AND be able to log into it. This is not an easy task for a hacker to accomplish, as they would generally need to bypass some fairly robust security measures. With this method of 2FA, it is not possible for a hacker to defeat you using the SIM-swapping method we describe above. As such, this method of 2FA could be argued to be better than SMS.
It is fairly strong, in our opinion. The authenticator app is tied to the phone you are using but it’s sometimes also backed up in the cloud, as with Microsoft’s authenticator app. Authenticators like Authy (another commonly used one) do enable you to re-install the app in the event you lose your phone. But you need to go through an account recovery flow that can take 24 hours or more. While having the possibility of recovering your app is convenient, it again represents an attack vector that a clever hacker could potentially overcome. But still, authenticator apps are better than SMS.
Hardware 2FA (security keys)
As mentioned, hardware 2FA is emerging as the new standard for cyber security. It employs an industry standard called FIDO (“Fast IDentity Online”), whose aim is to “help reduce the world’s over-reliance on passwords.” One of the most famous devices in this class is the YubiKey – a small USB stick-type device that is required for logging in. These are also called “security keys.” If a hacker has your password, they cannot log in to your account unless they have this key in their possession.
By selecting this as your 2FA method, the relevant platform you log into would require that you insert a small USB stick into your device before you can log in. As such, you could lose your mobile phone or computer and still be able to log in. The hacker would need the actual key itself to log into your account. Please note: some security keys offer near field communication or biometrics. We do not recommend these as they are vulnerable to attack.
Cyber security professionals recommend security keys because they are very secure. But they come with their own set of issues. If you lose your hardware key, you can no longer log into your accounts. For this reason, you are best off making backup key(s) and hiding those. In the event that you lose your main key, you can use the backup to gain access to your account. It is advisable to set up your backup key at the same time as your main key. Before you embark on using hardware 2FA, research it thoroughly on the relevant website and create backups!
There are also ways of creating paper backups using a written code that would enable you to create unlimited backups. Before you do this you need to really think about how you would secure that code.
Overall, security keys are excellent choices for the security conscious. They represent a significant improvement over SMS 2FA and even Authenticator 2FA. But they present a significant responsibility to the user, who must be ready to take on that responsibility.
SMS 2FA represents a very bad way of securing your online accounts. It is best to use an app authenticator or even a “security key”. But there are downsides to consider for each of these methods.
As a final note, we want to highlight a practice that many platforms will use. If you selected SMS 2FA and used it, then changed to app or security key 2FA, the platform will often still allow you to use SMS 2FA as a “backup”. Since you want to avoid SMS 2FA, we recommend two principles:
1) Never use SMS 2FA to begin with;
2) If you’ve used SMS 2FA already and have now changed to a better form of authentication, try to delete the SMS 2FA option. You can usually do this yourself, by accessing your account security settings online, or by chatting with the platform and asking them to do so for you.