Not all two factor authentication is created equal

And apparently, not all ambulances are created equal, either

Two factor authentication (2FA) is an important security tool; with 2FA enabled, an attacker who gets ahold of your user name and password still can’t get into your accounts.

But not all two factor authentication is created equal.

Good two factor authentication uses an app on your phone or a hardware key to provide the secret codes needed to complete the login process.

Bad two factor authentication uses SMS (text) messages to send you the login code.

Why is this bad?  Attackers have increasingly been using social engineering techniques to get mobile phone companies to switch victims’ phone numbers to phones which the attackers control.  Once this is done, the attacker with a user name and password has everything they need to drain your bank account or read your email.

What you need to do to protect yourself:

Make sure that your mobile phone account is protected by a PIN code which must be given in order to port your phone number to a new phone.  You can do this on your mobile carrier’s web site or by calling their customer service number.

Some services give you a choice as to whether to use an app on your phone or an SMS message to complete your login.  Whenever you have this choice, choose the app.

If you are using services which provide SMS-only 2FA, let them know that this is not acceptable in today’s security climate.  Hearing a requirement from customers is the only way these companies will make the investment in the improved technology.

If you would like to read more about this scam and how to protect yourself and your loved ones, here is an article on the topic.  And here is an example of a recently announced data breach at Reddit which was the result of this type of attack.

While SMS-based 2FA is better than no 2FA, it is time to stop using it wherever possible.



*** This is a Security Bloggers Network syndicated blog from Al Berg's Paranoid Prose authored by alberg214. Read the original post at: https://paranoidprose.blog/2018/08/02/not-all-two-factor-authentication-is-created-equal/