Why two-step authentication via SMS is a bad idea

It is good security practice to enable two-step authentication for your accounts: even if someone discovers your password, they still need an additional code before they can get at your information.


In most services, two-step authentication works through a numeric one-time code generated by an authenticator app such as Google Authenticator, Authy or 1Password, computed locally from a secret shared when you enrolled. But many services still offer SMS verification, and security researchers have set out to show how easy it is to intercept the text messages your carrier delivers.

Forbes published a video in which researchers from Positive Technologies show how they gained access to a bitcoin wallet on Coinbase by intercepting SMS messages. The video is only three minutes long:

It starts with a Gmail password-recovery request: the researchers first gather some basic details about the "victim" (such as first and last name), then ask Google to send the recovery code by SMS and intercept that message with their tool. Once Google accepts the code as proof of the user's identity, they can set a new password for the account.

And since control of someone's e-mail is all an attacker needs, the next step is simply to go to Coinbase and click "I forgot my password". The cryptocurrency wallet service sent a password-reset link to the e-mail account, the password was changed, and the account was compromised.

This is scary, but the weakness is so old that it is hard to see why companies still insist on sending sensitive codes via SMS. The SS7 network (Signaling System 7), which carriers use to route phone calls and text messages, has known flaws, not all of which operators have fixed, and an attacker with SS7 access can reroute a victim's text messages and turn that into a takeover of an online account. Interception is not even the only route: whoever can convince the carrier to move the number to a new SIM receives the same codes.

In other words, SMS is not only unreliable (some of my messages simply never arrive; they even seem to get stuck in Curitiba), it is insecure.

Remember that on a Google account you can remove your mobile number from 2-Step Verification and keep only an authenticator app. I recommend it.