Stop Using Text Messages For Authentication RIGHT NOW
This week, a stunning story from Vice revealed how easy it is for an attacker to steal your text messages and do evil things with them. Let me illustrate how easy it is:
- Pay a trivial sum of money.
- Convince a VoIP wholesaler that they’re a reseller.
- Sign a form swearing that they’re authorized to reroute messages sent to your number to another number.
- Pwnage
Why is this important? It’s important because a lot of people use text messages as a means to do two-factor or multi-factor authentication for websites and other online accounts. That means that if someone has access to your text messages, they have access to any account that uses text messages for authentication.
While that sounds scary, and it should sound scary, there are ways to protect yourself from this. You should be using a dedicated two-factor authentication app that requires physical access to your hardware—typically your phone—to finish the login process for an account. Examples of this are Microsoft Authenticator and Google Authenticator, which deliver the codes required for two-factor or multi-factor authentication without relying on text messages at all. It also means that the bad guys need physical access to your phone to try and break into your online accounts. Quite simply, that’s not going to happen.
But there’s one slight problem. What if the service that you need to use only uses text messages for authentication? Then I guess you are kind of stuck. Sort of. You can use a service like this one to monitor if, or when, your phone number’s texts are routed elsewhere. And a really, really strong password helps too. Along with not using obvious answers for your security questions.
Do you have any other suggestions that can help all of us keep our online accounts safe? If you do, leave them in the comments and share your thoughts.
March 18, 2021 at 10:17 am
This is really concerning that rerouting services are allowed to operate like this without any hard confirmation from the owner of the number that they approve the rerouting…this is worse than SIM swapping as you wouldn’t know it happened. Now that the info is out there, it will become more common. I don’t think they should be allowed to reroute.
It’s bad enough some banks have no 2 factor authentication available, and then some (like TD) only allow cell and not an authenticator app.
Is Okey a safe service? They seem new and I can’t find much info on them other than that they released this info as they have a solution for it (their service). I don’t want to sign up till I can verify they are safe!
March 18, 2021 at 10:26 am
Okey is in beta which is why you likely can’t find any info on them. But one of the people behind this service is quoted in this article: https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
The guy in question has a bit of a history of being a privacy advocate. But to answer your question, the service to me APPEARS to be legit based on the available evidence that I have access to. You may want to direct your questions to them directly and see if they respond with answers that give you some comfort.
March 18, 2021 at 10:40 am
Thank you! I appreciate you bringing this new issue to our attention