Skip to main content
MFA

Asked and answered: How to avoid SMS multi-factor hacks

Consider pins, authenticator apps, and virtual phone numbers.
article cover

We Are/Getty Images

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Multi-factor authentication has frequently been described as a security trifecta: something you know (passwords), something you have (tokens), and something you are (fingerprints).

Increasingly, IT practitioners want to make sure one of the factors isn’t something you text. Hacking the unique numeric code inside an SMS message, after all, can be as easy as 81312.

“SMS text message is not a strong third factor, and we really want to try to move the industry away from using it,” said Jameeka Green Aaron, CISO at the authentication provider Okta, in September.

Some SMS weak spots:

  • Hackers can redirect (and receive for themselves) the two-factor codes and login links intended for a targeted user.
  • SIM swappers, who convince a mobile provider to move a target’s number to their new memory card, can then receive any SMS-based authentication prompts.
  • Malware, like Android code found in 2020, can extract two-factor authentication codes from SMS messages.
  • SMS communications can be intercepted and manipulated by “machine-in-the-middle” attacks or surveillance tools.

So, what’s the next move? How do you avoid the issue of compromised two-factor authentication due to SMS hacks?

IT Brew posed these questions to IT professionals, and received the following responses:

An obvious one, but don’t click! One of the best ways to avoid an SMS hack is to never open a message from an unknown sender, and to never hit the links. “You cannot be assured that they are the person whom they claim to be,” said Steve Wertheim, director of cybersecurity, MorganFranklin Consulting.

Use other authenticators—like, authenticators! An authenticator app, installed on a mobile device, generates a six- to eight-digit security key within a tight time window. QR codes often initiate the setup between authenticator and application. “The mobile devices these days make it easy to enroll in them to map to your organization…the users can effectively do the install themselves,” said Jason Stading, consulting manager at ISG.

Let’s put a pin in that for now. When stuck with SMS two-factor, work with a mobile provider to require a multi-digit PIN for any account changes, to prevent an attacker impersonating and SIM swapping, said Jason Rebholz, CISO at Corvus Insurance.

Call me (virtually). Hackers can trick customer-service reps into thinking their PIN got lost, or employees at the phone provider could be in on the scam, too. To take full control, Rebholz recommends registering for a virtual phone number through an option like Google Voice, which provides a (free) legitimate phone number and the ability to text.

“Use that number for that second factor, and then you are in control of who can access Google Voice because it’s protected behind your Google account,” Rebholz told IT Brew.—BH

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.