Multi-Factor Authentication: SMS, Probably Insecure – Linux Liaison

Multi-Factor Authentication: SMS, Probably Insecure

Multi-factor authentication has been around for ages. Between the sci-fi movies using not only your fingerprint, but also your retina to get into the lair of some of the most seething and abhorrent villains. It looks cool, and you seem super knowledgeable when you pull out your phone to enter a secret code sent from thousands of miles away. Or next door if you live in Silicon Valley.

One of the more popular methods of multi-factor authentication is via SMS( text message, or texting). It’s convenient, it’s multiplatform, and practically everyone with a cellphone with service has it. It’s no wonder that it was one of the first methods to hit the general public’s eye. But is the convenience what causes the risk? Not exactly.

Even though SMS is very popular, it’s not like software where you can sick a hundred hackers on it and find vulnerability in the code itself. It’s a legacy system that’s been hardened for decades. What’s needed is the type of people who know how to hack a human’s behaviour. It’s not that difficult, and we’re relying on other people to be gullible enough to hand over to us the keys to our target’s phone, or at least their phone’s service.

So this human hacker calls up your phone carrier (let’s say it’s a company called PCarrier), and asks for technical support. Because you give your business number out, they have that, so PCarrier knows what account the person is trying to access. Because you’re a little bit more public with your personal information, they know your birthday and they know that your mom never married. That checkpoint is passed and now full access to your PCarrier is available to the human hacker.

Once the hacker is granted this access, they can activate your phone number on any SIM card they wish, provided the phone can support PCarrier’s cell frequency. Now, popping the newly activated SIM card in their phone, the hacker uses a password they found on an old leak of your email provider’s username database to get in. But you have two-factor authentication right? That will stop them! Well…you see where this is going. Because the human hacker was able to fool the people at PCarrier into thinking they’re you, they’ve now got access to the SMS portion of your two-factor authentication.

Yes, it’s pedantic, paranoid, and poignant to think about these things; but it’s also possible that this would happen. It’s happened before and still happens.

I urge you to replace SMS-factor authentication with something more secure. When you rely on SMS-factor authentication you rely on the individuals at your cellphone carrier and their outdated security practices. Use something OTP where passwords are generated on the fly similar to SMS, but no data has to be sent over any sort of network. Read more on OTP here or on Wikipedia.

My blog is self-hosted on a VPS running Ubuntu nested in Digital Ocean’s VPS service. If you want to get a VPS from Digital Ocean, I’d like to ask you to graciously use this referral link: You’ll get $10 in free credit (2 months worth of the lowest tier VPS) and once you’ve spent $25 of your own money, I’ll receive $25 myself, meaning that you’ll be indirectly supporting my blog.

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.