Is Your Mobile Carrier Your Weakest Link?

More online services than ever now offer two-step authentication — requiring customers to complete a login using their phone or other mobile device after supplying a username and password. But with so many services relying on your mobile for that second factor, there has never been more riding on the security of your mobile account. Below are some tips to ensure your mobile device (or, more specifically, your mobile carrier) isn’t the weakest link in your security chain.

For reasons explored more in The Value of a Hacked Email Account, many people become so preoccupied with securing online access to their financial accounts that they overlook or forget the fact that all of those precautions may be moot if hackers can access your email inbox. From that 2013 piece:

“Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts –merely by requesting a password reset email.”

Many webmail providers now encourage users to take advantage of two-step (a.k.a. “two factor”) authentication methods in addition to passwords for securing access to email. This usually involves the user adding a mobile phone number to their account that gets sent a one-time code that needs to be entered after supplying the account password. The idea here is that even if thieves somehow manage to phish or otherwise glean your account password, they still need access to your phone to discover the one-time code.

Depending on how you’ve set up two-step authentication, however, this may be far from airtight security. What’s more, not all two-step authentication methods are equally secure. Probably the most common form of secondary authentication — a one-time code sent to your mobile device via SMS/text message — is also the least secure.

That’s because thieves who manage to phish or otherwise filch your password can then simply ring your mobile provider pretending to be you, claiming that your phone is lost and that you need to activate a new phone and corresponding new SIM card. Or, they convince a gullible or inexperienced customer support rep to temporarily forward all of your calls and texts to a different number (this happened to me in 2013).

A harrowing story in The New York Times last week showcased several such hacks against Bitcoin enthusiasts, but in truth these types of social engineering attacks have been going on for years.

True, not everyone will attract the kind of interest from cybercrooks as someone holding large amounts of a non-repudiable virtual currency. But it’s still a good idea to take a few minutes and check whether some of the services you use that offer two-step authentication might offer an app-based method — such as Google Authenticator or Authy — as opposed to a text-based method.

By the way, I’m not the only one bugging people to move away from texting for codes: The National Institute of Standards and Technology (NIST) recently issued new proposed digital authentication guidelines urging organizations to favor other forms of two-factor — such as time-base one-time passwords generated by mobile apps — over text messaging.

Fortunately, some of the more popular online services offer multiple options for two-step authentication, although many of those that offer alternatives to texting one-time codes still steer users toward this option. I took stock of my own exposure to text-based two-step authentication and found three services I rely upon daily for my work still had the SMS option selected when a more secure app-based option was available.

Take a moment to review the authentication options available for the services you use on a regular basis. To do this, head on over to twofactorauth.org. A simple search for “Facebook,” for example, shows that the social networking site offers secondary authentication options via SMS, hardware token (such as a physical USB security key) and software token (Google Authenticator, e.g.).

In the case of Facebook, if you previously received one-time tokens via SMS, you may have to temporarily disable two-step authentication via text message before enabling the security key and software token approaches.

Continue reading…

Source: Krebs on Security