SMS-based two-factor authentication poses risks

A user entering an SMS-based two-factor authentication code to access his account on his mobile phone.

The most common online and smartphone security protection method has become one of the greatest risks to data and information technology systems.

The standard two-factor authentication method, the one you probably use to access most of your online accounts, is now so easy to crack that the United States government considers it a security threat. The National Institute of Standards and Technology (NIST), the US agency that develops technology standards, wants to ban the use of this form of two-factor authentication, Fortune reported.

Two-factor authentication is the standard online access protocol that asks users for a password and a username. NIST wants to end its use because it is easy for hackers to steal or replicate passwords. A major reason why NIST wants to get rid of the protocol is that it creates a false sense of security.

The risk from text messaging

Another motivation for NIST’s action is the growing threat to security posed by SMS (Short Message Service) texts, like those sent over Twitter and WhatsApp. The danger is that hackers will trick an organisation into sending them a temporary access code that gives them access to data such as bank or credit card accounts.

To make matters worse, hackers can now seize control of SMS accounts. American political activist DeRay McKesson found that somebody had taken over his Twitter account and used it to send out messages supporting Donald Trump, whom he opposes.

The hackers achieved that by calling McKesson’s phone company, Verizon, impersonating him and having his messages redirected to another SIM card. It would be a simple matter for hackers to use the same tactic to steal financial data or sensitive business information.

Nor is it just Twitter that is at risk: Telegram Messenger accounts belonging to political activists in Russia and Iran were hacked. Telegram is an encrypted SMS solution that is considered to be far more secure than Twitter. The hackers may have been able to get access to the accounts by using information provided by state-owned telecom companies.

A major risk for insurers here is the growing use of solutions like Telegram and Twitter to send money. Apps like StartChat enable users to send payments in the form of Bitcoin. Another is the growing use of app-based payment solutions such as Apple Pay to access bank accounts.

The risk for banks, financial services, technology, and credit card companies is that criminals will use similar methods to redirect access codes and other text messages to fake SIM cards. A crook who cloned your SIM card would, for example, be able to get your bank to send him an access code that would provide access to your accounts.

Another threat is the use of devices called stingrays to intercept text messages. Hackers can use stingrays to capture text messages and change a user’s phone number or subscriber information.

Risk management for SMS messaging

The risks SMS messaging and two-factor authentication pose for the insurance industry are great and obvious.

The insurers most exposed to this threat are those that issue identity theft and data protection policies. The use of false SIM cards is obviously identity theft, which increases potential losses to companies that issue such policies.

An obvious consequence of this risk will be the need to rewrite some insurance policies. Data-protection and identity-theft policies might need to contain provisions banning the use of some SMS solutions and two-factor authentication.

Another would be to require the use of apps like Google Authenticator, which create a one-time token or code that changes every few seconds. Such security is hard to crack, because hackers have no way of knowing what the new code is.

Other potential solutions include tokens, QR (quick read) code technology and blockchain (the technology used in Bitcoin). All of these encryption solutions employ a stratagem like Google Authenticator, which creates a new code or token for each message or transaction.

Requiring the use of blockchain-based payment solutions such as Bitcoin or Ethereum for SMS money transfer might be another effective risk-management measure. These products use encryption technology that is theoretically invulnerable to cracking.

A final measure might be to bar the use of unencrypted SMS messengers like Twitter. Twitter relies only on two-factor authentication, so it is fairly easy to hack.

New opportunities for insurers

There are some obvious opportunities for insurers here, including data-theft coverage for SMS messaging, telecom and technology companies. SMS and phone providers might have to start providing such coverage for each account they issue.

New kinds of data protection and identity theft policies for individuals and organisations might also be needed. Financial services companies and banks in particular might need to add new layers of insurance coverage because of the growing threat. Some companies may also need insurance for corporate SMS messenger accounts.

The insurance industry will need to study the issues of two-factor authentication and SMS carefully, because the security threats are far greater than is commonly believed. New technologies and risk-management techniques will have to be developed if insurers want to avoid major losses.