Jack Wallen details a recent hack and why he believes one aspect of two-factor authentication (2FA) is part of the problem.
Original Article Courtesy of TechRepublic
Recently, my PayPal account was hacked, and it’s not the first or second time it’s happened. Fortunately, I have enough alerts set up to catch these things fairly quickly and act on them, but that doesn’t mean all is well. It’s not. I know it’s only a matter of time before another account is hacked.
At this point, you’re probably thinking: “Why doesn’t he use a strong password and two-factor authentication on those accounts?” My answer: I do. All of my accounts are protected by passwords I couldn’t even think about memorizing, generated by a random password generator. Every account I use has 2FA enabled.
But not all 2FA setups are built the same.
Let me explain: Of all the accounts I have — and, like you, they are many — only one configuration ever gets hacked. That configuration is 2FA sent over SMS. The accounts using 2FA via a password app like Authy or Google’s Authenticator have never had any problems.
But those SMS 2FA accounts have been nothing but problems. Why is this an issue? Simply put, when those 2FA codes are submitted via SMS text, they can be intercepted by the wrong people. If they already have your login credentials, the SMS text is the missing piece. Once they can intercept that code, they have the keys to the kingdom and lay waste to all that awaits them.
I understand: Life is already complicated enough without having to jump through even more hoops to do something that should be simple. But if you want to keep your data and money safe from those whose only task is to take it, strong passwords and added security are a must.
What you should do?
As far as consumers and users are concerned, if given the option between SMS and app-based 2FA, always go with the app-based option.
By going that route, you don’t have to worry that your time-based 2FA code will be transmitted across the ether for someone to snoop on and use against you.
This should be instituted across the board with zero exceptions — at least until someone comes up with a more reliable, secure form of multi-factor authentication. Otherwise, accounts are going to continue to be hacked at an increasingly alarming rate.
To learn more about 2FA and how it will help protect you and your business, contact our team.