Chaos Computer Club: Use 2-factor authentication, but please not via SMS

The CCC was able to view around 200 million text messages with 2FA codes. In the wrong hands, this could cause a lot of trouble.


(Image: Tero Vesalainen/Shutterstock.com)

This article was originally published in German and has been automatically translated.

The Chaos Computer Club (CCC) computer security association warns against using two-factor authentication (2FA) via SMS. In addition to the known attacks for intercepting messages carrying one-time passwords, it has now highlighted a further attack scenario.

To effectively secure online accounts, 2FA should be activated wherever possible. This additional layer of protection means that, in addition to the password, a code is also required to log in; it is delivered to the account holder by text message or generated by an authenticator app, for example. A leaked password alone is therefore not enough for attackers to compromise an online account.

However, SIM swapping or attacks on the SS7 telecommunications standard allow attackers to intercept SMS messages and read the codes. With SIM swapping, the attackers try to take over the victim's SIM and, with it, their phone number and identity. In a report, the CCC now describes another reason why SMS is an insecure channel for 2FA one-time passwords.

Many companies that offer 2FA to their customers rely on a service provider to send the SMS messages. According to the security researchers, they were able to view almost 200 million 2FA codes from the SMS service provider IdentifyMobile. By their own account, they were "in the right place at the right time".

Because the SMS provider exposed the 2FA codes on the Internet in real time, the researchers were able to view the one-time passwords, and even phone numbers and sender names, simply by guessing a subdomain ("idmdatastore"). In this case, the service provider was obviously grossly negligent and did not adequately protect sensitive customer data.

The CCC states that more than 200 companies, including Amazon, DHL and Facebook, work with IdentifyMobile. It is currently unclear whether criminals were also able to access the data.

2FA undeniably provides more security, but account holders should deactivate the sending of 2FA codes via SMS and instead use an app such as Google Authenticator, which generates the codes locally on the device, so that no code ever passes through a third-party delivery provider. Alternatively, a passkey can be used for even stronger account security.

(des)