Hackers have always been a thorn in everyone’s side. Though their methods can be countered, they will always have new tricks up their sleeves. In recent weeks, evidence has come out that they have found a way around one of the most common methods of securing an account: dual-factor authentication.
Dual-factor authentication, or 2FA, is the most common way for someone to secure access to their account. When it is set up properly, after you put in your password the website will send a message with a code to another account, typically either a second, independent email address or a cell phone. These codes are one-time use and they expire after a certain amount of time. In practice this is a secure method for normal people to access the various accounts they have, and for those looking for cyber insurance it is one of the basic things brokers now look for when granting coverage to clients.
Despite common conceptions, 2FA, much like a firewall, is not infallible. In a Forbes interview, the white hat hacker group Positive, the type of hackers that are supposedly the good hackers, demonstrated how easily these procedures could be exploited. They talked about an old exploit affecting many phones that involves Signaling System Number 7 (SS7), a system that’s used to allow various phone networks to talk to each other.
“In their attack, the Positive researchers first went to Gmail, using Google's service to find an email account with just a phone number. Once the email account was identified, the hackers initiated a password reset process, asking one-time authorization codes to be sent to the victim's phone. By exploiting SS7 weaknesses they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head to the Coinbase website and do another password reset using the email they'd compromised.”(1)
The ability to get around 2FA is alarming but not unexpected. Nothing is completely hacker-proof. It is the ease with which hackers could infiltrate systems that has people worried. Being able to spoof emails and credentials has raised concerns as hacks have increased. 2FA isn’t completely worthless if you’re constantly vigilant and trained properly to look for spoofs. But some companies have begun looking at a different method to secure accounts: authenticator apps.
In the various app stores, some companies have rolled out specialized applications that connect with the authentication services of various websites. Authenticator apps are great alternatives to SMS messaging, especially if you’re harboring incredibly sensitive data. They are separate applications that generate random numbers for end users. While the apps are linked to specific accounts, they have all of the security features of 2FA and are less vulnerable. This is because the number that’s generated is random and changes after a set interval of about 30–60 seconds, depending on the app used.(2)
As new methods of securing your account become available, hackers will continue to find ways to breach them. 2FA works to a certain degree, as long as you do not become careless. Take the time to determine what method of securing your data works best for your company and your insurance needs.