Stop Using Text Messages For Authentication RIGHT NOW

This week, a stunning story from Vice revealed how easy it is for an attacker to steal your text messages and do evil things with them. Let me illustrate how easy it is:

  • Pay a trivial sum of money.
  • Convince a VoIP wholesaler that they’re a reseller.
  • Sign a form swearing that they’re allowed to route messages to your number to another number.
  • Pwnage

Why is this important? It’s important because a lot of people use text messages as a means to do two-factor or multi-factor authentication for websites and other online accounts. Which means that if someone has access to your text messages, they have access to any account that uses text messages for authentication.

While that sounds scary, and it should sound scary, there are ways to protect yourself from this. You should be using a dedicated two-factor authentication app that requires physical access of your hardware—typically your phone—to finish the login process for an account. An example of this would be Microsoft Authenticator or Google Authenticator which bypass text messages to deliver the codes required for two-factor or multi-factor authentication. It also means that the bad guys need physical access to your phone to try and break into your online accounts. Quite simply, that’s not going to happen.

But there’s one slight problem. What if the service that you need to use only use text messages for authentication? Then I guess you are kind of stuck. Sort of. You can use a service like this one to monitor if, or when, your phone number’s texts are routed elsewhere. And a really, really strong password helps too. Along with not using obvious answers for your security questions.

Do you have any other suggestions that can help all of us keep our online accounts safe? If you do, leave them in the comments and share your thoughts.

3 Responses to “Stop Using Text Messages For Authentication RIGHT NOW”

  1. This is really concerning that rerouting services are allowed to operator like this without any hard confirmation from the owner of the number that they approve the rerouting…this is worse than SIM swapping as you wouldn’t know it happened. Now that the info is out there, it will become more common. I don’t think they should be allowed to reroute.

    It’s bad enough some banks have no 2 factor authentication available, and then some (like TD) only allow cell and not an authenticator app.

    Is okey a safe service? They seem new and I can’t find much info on them other than that they released this info as they have a solution for it (their service). I don’t want to sign up til I can verify they are safe!

Leave a Reply

%d bloggers like this: