The SMS verification code based password resetting and 2FA are both vulnerable to attacks. Soon after the hacker get your phone number, he/she may reset the passwords of victims accounts by intercepting password reset verification code sent via SMS. Despite of having the victims account protected with 2FA, hackers can pass through the second authentication factor by intercepting SMS verification code, hence hijacking the account. This SMS interception attack is called SS7 redirection attacks (SRAs).
Papers:
T. Fox-Brewster, “All that’s needed to hack gmail and rob bitcoin: A name and a phone number”.
T. Moore, T.Kosloff, J. Keller, G. Manes, and S. Shenoi, “Signaling system 7 (SS7) network security,” 45th Midwest Symposium on Circuits and Systems, 2002
Peeters, Christian, et al. "Sonar: Detecting SS7 redirection attacks with audio-based distance bounding." 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 2018.
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ss7-google-coinbase-bitcoin-hack/#43151cca41a4
”SMS SS7 Fraud”: https://www.gsma.com/newsroom/wp-content/uploads/2012/12/IR7031.pdf
Simple solution:
Don't use anything in the verification cycle which can be intercepted and used by an attacker - especially don't use SMS for 2FA.
What you need to do, is to get the user to send the second factor, preferably as a unique device signature, and to send it simultaneously with the password metadata. This is not the password, and is useless to anyone who intercepts it.
Look at this example of someone logging into a bank account and and tell me
a) What was the password entered?
b) What was its length?
If your answer includes any characters obscured by the clicks, you're wrong.
If your answer is 6 or 7, you're wrong.
If you remembered the order of the clicks, that's no use either. It'll be different next time.
If you try to use these credentials from a different device, that won't work.
If there was malware on your device performing the same checks - it's wrong too.
I believe I've answered your question: This is the most recent advance in 2FA security
- Badges
- Science topic
- Similar topics
- Biological Science
- Zoology
- Ornithology