SMS / Text messages aren't going to keep hackers out of your accounts.

A few articles popped up in my feed and prompted me to write this post: “Hacker got my texts for $16” and “Coinbase slammed for terrible customer service after hackers drain their accounts”.

One headline does a better job of highlighting the problem (hint: it’s not the Coinbase one :-)). Either way, I just want to raise awareness of the security risk you’re accepting if you’re using text messages to your cell phone to lock down your cloud/online accounts.

Why you should avoid SMS-based 2fa

Yes, having any form of two-factor (2fa) authentication is more desirable than just a password, but for your more valuable accounts (email, bank, stock trading, etc.) especially, hackers are targeting YOU specifically. As I’ve written about before, cybercriminals aren’t sending the obvious “I’m a Nigerian prince” emails anymore to phish for your credentials. These days they can just look through your LinkedIn profile, Google your phone number, cross-reference database dumps on the dark web, or call your receptionist to get more info about you or your vendors/customers. Their end goal is to get your credentials, so they’ll send you an email that is more likely to get you to click it. It could be:

  • An email posing as an actual customer of yours with “documents you asked for”

  • An invoice from a vendor you use frequently

  • A Request for Proposal (RFP) from an agency you typically do business with

I’ve seen all of these used to get Microsoft 365 credentials, for instance, and if you’re only using your cell phone number for two-factor then they can essentially grab control of your phone number, with SIM swapping or with a third-party SMS-routing service like the one highlighted in the articles, long enough to get access to your accounts, maybe before you even realize it happened.

MFA all the things

Ok, great, now what do I do? Well…use Multi-Factor Authentication instead. You might have used Google Authenticator, Microsoft Authenticator, or even an old RSA keyfob in the past. These have software “tokens” that rotate every 30 seconds, so when you log in to a cloud app it will prompt you for the current code. Some of these also do “push” notifications to wherever the apps are installed, and then there are hardware keys (YubiKey) you can put on your keyring that you plug in or tap when prompted.

You might be thinking “I thought you said they could hack my phone, so wouldn’t having an app on my phone defeat the purpose?” It’s actually your phone number that they are getting access to, not your phone itself. Tying together something you “know” (your password) with something you “have” (the app or hardware key) is what makes it very difficult for hackers to gain access to whatever account is locked down in this way.

I can’t use MFA, are there other options?

Well, it depends.

  • “My cloud service vendor doesn’t have that option”:

    In this case I’d press them hard on why, in 2021, they don’t offer this as an option. For me it’s likely a deal breaker, and I’ll look for alternatives.

  • “My vendor only has text message / 2fa as an option, and I have no other choice of vendor”:

    If you MUST use texts, then set up a third-party text/SMS service for your authorization codes. Google Voice is a great option, or there are companies like Twilio available as well. Either way, keep this number out of the public eye, and ONLY use it for authentication purposes. Make sure you still voice your frustration with the vendor, and when they implement MFA, switch :-)

  • “I don’t want to use my personal cell phone for anything work related”:

    You can use hardware keys like YubiKeys, or use a password manager that can store MFA TOTP codes. Also, cell phones now have “work profiles” that not only visually separate personal from work but also keep them virtually separated, so work can’t access personal and vice-versa.

Final thoughts

Yes, MFA seems a bit daunting at first, but once you’re set up with the right solution it becomes second nature. Here are a few parting tips to help with your implementation:

  • You’ll want to take extra care for your email and financial accounts.

  • When setting up MFA, the cloud service you’re logging into will usually supply some backup codes in case you lose access to the “something you have”. Print these out and store them somewhere safe, preferably a “safe” :-)

  • If you’re getting a new phone, make sure you set up the MFA apps (i.e. Google/MS Authenticator) on the new phone before deleting info from the old phone. You’re going to need to transfer the tokens over.

  • Make sure you’re using a password manager as well. There are great options out there: LastPass, Keeper, etc. Proper password hygiene is a great additional layer of defense:

    • Don’t share the same password across multiple cloud apps.

    • Don’t have more than one person sharing the same account. Everyone should have their own account.

    • Use a minimum of 14 characters. Use randomly generated passwords or “passphrases”.

Need assistance?

Of course, if you need guidance or help implementing other layers of security for your business, Contact Us or check out our other Services.