Risks and mitigations for using SMS for 2-Factor Authentication

Using 2-factor authentication is a great strategy for adding security to your account.  One common approach is to have a site send an SMS message to your phone number containing a numeric code, which you enter in addition to your password.

This is sometimes better than nothing for some accounts, but there are vulnerabilities you should be aware of.  NIST, the national standards body for the US, recommends you do not use SMS for 2FA (https://pages.nist.gov/800-63-3/sp800-63b.html).  This is of particular concern for high-value targets, such as people with large bank or crypto accounts.  Attackers can use SIM cloning, SS7 attacks, SIM hijacking, text interception, and phishing-style attacks to gain control of your phone number in order to impersonate you, use your number, or port your number over to their phone.


How to protect yourself:

- Choose a different 2FA method (the best option):

Many sites now support time-based one-time codes generated by an authenticator app such as Google Authenticator, and you should choose these options whenever they are available.  Other sites let you request a hardware key fob that displays time-based codes.

- Switch to a virtual phone number (the second best option):

If you have no other choice but to use SMS 2FA, consider using a virtual phone service capable of receiving text messages, such as Google Voice (https://voice.google.com/).  Some sites won’t support this method because they recognize Google Voice prefixes and block them from being used for 2FA.  Porting a number away from Google Voice requires your Google credentials to unlock the number, as well as a fee.

- Use a different phone number for 2FA:

Buy an additional phone line specifically for 2FA, and do not share or publish this number.  Install the SIM in a cheap phone or in a dual-SIM phone.

- Install anti-malware on your phone and don’t click on suspicious links:

Malware can allow attackers to take over your phone or forward your 2FA messages.

- Request that additional security be added to your cellular provider account:

Some cellular providers let you add a secret PIN or password to your account that must be supplied before any changes can be made.


Although its use is declining, some organizations have been slow to adopt replacements for SMS 2FA.  While it’s better than no 2FA at all, you should take steps to protect yourself, look for alternatives, and ask your providers to switch to more secure methods.

Someone lost 24 million in BTC due to an SMS 2FA attack:

https://www.ccn.com/bitcoin-investor-sues-att-for-224-million-after-mobile-linked-theft/

Here’s an example of an SS7 attack:

https://www.forbes.com/sites/thomasbrewster/2017/09/18/ss7-google-coinbase-bitcoin-hack/#636de6e541a4
