Two-factor authentication via SMS


You may have already noticed: since March 2023, Twitter has made its two-factor authentication available only to paying users. Of course, this announcement caused quite a stir and was not necessarily well received. At the same time, SMS is not necessarily secure.

The problems with two-factor authentication via SMS

Two-factor authentication – or 2FA for short – is used to protect accounts. Instead of just using the user name and a password as access data, 2FA brings another component into play. This is to prevent accounts from being hacked by unauthorized persons.

As a rule, this also works, because 2FA works exclusively via something personal that hackers cannot simply copy.

In the case of two-factor authentication via SMS, this personal item is the user’s cell phone. So hackers need not only the name and password for access, but also the cell phone so they can receive the SMS.

Right?

Unfortunately, hackers are intelligent people who always find ways to circumvent or undermine security systems. This also applies to two-factor authentication via SMS.

Cell phones and smartphones are a popular target for hackers. After all, they usually contain a lot of personal data such as telephone numbers and e-mail addresses of friends, family and acquaintances. A paradise for hackers, so to speak.

If a cell phone is infected with malware, hackers can not only read the data on the cell phone. In the worst case, they can also read all the messages and text messages that arrive on the cell phone. This also applies to text messages within the scope of 2FA.

The SS7 protocol

The reason why the danger is so high is the so-called SS7 protocol. This is the “Signalling System 7”. This protocol was developed in 1975 to connect all telephone networks worldwide. The problem is that in 1975 the Internet did not yet exist, and cell phones as we know them were still a long way off.

So in a way, the SS7 protocol is outdated, but it is still in use. Updates and improvements have been and are being made, but authentication is not possible with the SS7 protocol. This means that hackers can gain access relatively easily and then listen in on conversations or read text messages, for example. The SMS with the authentication code is then easily visible and the security is gone.

Unfortunately, the SS7 protocol itself cannot be influenced and nothing can be done about the vulnerabilities. But you can at least make your own cell phone as secure as possible against hackers. This reduces the probability of an attack.

Measures for secure SMS

Of course, it is very important that you protect your cell phone or smartphone from direct access by using a screen lock. This can be a password, but even better is a fingerprint or an eye scan. Something that no one can steal from you.

You should also turn off notifications on the lock screen. What’s the point of using a screen lock if everyone can still read everything as soon as it pops up on the screen?

It is also important to protect the SIM card with a PIN. If the phone is lost or falls into the wrong hands, the SIM card can be used for all kinds of mischief that you would rather avoid.

Speaking of SIM cards: skilled hackers are able to use a separate SIM card to take over your phone number and install it in a phone of their own. Then messages and calls won’t go to your SIM card, but to the hackers’. If for some reason your SIM card no longer seems to work, it’s best to have it blocked by your provider. Better safe than sorry.

Something that is often forgotten, but should really go without saying: Install anti-virus software on your cell phone. What is standard for most people on their home computer is often neglected on their cell phone. This opens the door to hackers.

Conclusion

2FA with SMS is not the most secure method. There are certain vulnerabilities that unfortunately cannot be influenced. However, you can take measures yourself to make your cell phone more secure against unauthorized access.

By the way: There is a very simple solution to the problem with Twitter: An alternative two-factor authentication like the Authenticator from Reiner SCT. This can be used to protect any account, including the one on Twitter. And at no additional cost.