
Fixing security of 2 factor authentication via SMS verification



#1 downloaderfan

downloaderfan

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 13 April 2017 - 07:31 AM

Hi, I'm sorry this post ended up being so long; there was just no way for me to explain it briefly, so I would really appreciate it if you read it in its entirety.


Alright, by now I think it's very well known among the security conscious how easy it is to get access to someone else's phone number by calling his/her phone carrier and pretending to be 'that person' in order to break that 2nd factor of authentication. Don't believe me? Just watch this video. One way to avoid that would be to use an authenticator app, but the problem is, some sites like Facebook don't allow you to disable SMS codes even if you set up an authenticator app, and some other sites like Outlook provide optional 2nd-factor authentication via SMS even after an authenticator app is set up. So, in short, SMS codes cannot be avoided as of this time.


I was thinking of ways to mitigate this issue, and one idea that came to me is the use of burner phone numbers. An app called Hushed can provide you a free phone number for 3 days, which you can extend by paying money. But you don't have to. What I'm thinking is this: I use that burner phone number to replace my actual phone number on all of my online accounts where I have used my phone number, then I delete that burner phone number. Now that phone number can no longer be used by anyone, including me.


One might ask the question: now that I have a fake phone number set up, how would I retrieve my account in case I lose my phone? This is where the user has to be responsible. Since 2-step authentication requires a password and a code, you will need to back both up properly. For passwords, if you use an online password manager like LastPass, backing up passwords is not an issue; LastPass does it automatically. If you are using an offline password manager like KeePass, you'll have to make regular backups of the KeePass database to the cloud or another storage device. For authenticator codes, apps like Authy allow you to back up your database to the cloud. If you do not prefer using the cloud, on Android you can use apps like Titanium Backup to back up the authenticator app to the phone, which you can then copy somewhere else. This means that even if you lose your phone, you can use Titanium Backup to restore your authenticator app with all of its codes to another phone or an Android emulator. If you have properly secured your password & authenticator app, there wouldn't be any need to use your actual phone number on an online account.


Now, I'm not sure about this, but there is a high probability that Hushed might recycle the phone number I used so that someone else can use it. Meaning, after I delete the burner phone number, it is assigned to someone else in the future so that Hushed doesn't run out of phone numbers. Even if that were to happen and that unknown person got an authentication code for my account, well, all sites I have used so far don't send usernames along with the authentication code. That means the person wouldn't know which account the authentication code is associated with, so he can't do anything with it.


With that, a hacker who previously only needed my phone number (which he could find using any of my contacts) to break the 2nd factor of authentication will now have to find the burner phone number which I used on my online account, get access to that number somehow (Hushed doesn't allow you to enter a custom number), and only then would he be able to get access to my online account.


In this manner, I have greatly reduced the chances of my account being hacked via a phone number compromise.


Thank you for reading. What are your thoughts about it?


