Two Factor Authentication has become pretty standard practice for signing into accounts online. But is 2FA safe, really? People have become complacent about their security and trust 2FA more than they should.
Today I want to look at ways hackers can hijack your accounts using 2FA SMS texts in particular. I’ll discuss how Two Factor Authentication and One Time Pass Codes are not the same thing. Then I’ll explain how hackers can intercept your 2FA codes and gain access to your online accounts.
Lastly I’ll cover ways to protect yourself from this kind of hacking. Don’t worry I won’t get too technical.
What Is 2FA Two Factor Authentication?
Two factor authentication (2FA) is simply a method of authentication that relies on more than one set of credentials. For example, you may have two factor identification to log onto your computer, providing your password and an ID number.
In most cases today, 2FA involves sending a SMS text to your mobile. You then enter that code to complete your login. This code is actually called a One Time Passcode (OPT Code). Whilst not technically correct most people use the two terms to mean the same thing.
2FA is the simple idea that you need validate your identity when logging into your Facebook or Bank account. They send you a OTP code via SMS text and this validates your identity to gain access to your account.
Turning on two factor authentication (2FA) can add another layer of security in addition to your existing security protocols like the one mentioned above with your ID number and password.
Mobile security is a big concern among the general public as technology continues to advance. Hackers have been known to hijack users accounts through a variety of means, including social engineering, phishing or by simply guessing their password.
These hackers use that user’s information for various purposes from gaining access to bank accounts to taking control of social media accounts.
I cover quite a bit about online security on this website so be sure to have a good look around that section. I write about different hacking methods especially regarding hacking mobile phones using spy software. I also discuss ways to see if your phone is hacked. Check those out when you get a chance for more information.
How Does SMS 2FA Work?
2FA security codes (OTP Codes) are delivered as a text message (SMS) or sometimes as an automated phone call via the mobile carrier. When an account user uses their username and password to log into their online bank or social media account, an SMS 2FA code will be sent to their mobile phone. They then enter that code to gain access to their account.
What are the Security Risks with 2FA Codes?
Too many people have trust in the 2FA setup. The fact is that these can be vulnerable to several types of hack. The fact that we trust them could mean we are less vigilant. Here are the main ways your OTP codes could be hacked.
Phishing Attacks
Phishing attacks are an attempt by hackers to acquire your sensitive information through emails, texts or websites that appear to be authentic. They are using this information for fraudulent purposes.
SMS 2FA can be vulnerable to phishing attacks resulting in the SMS message being diverted to the wrong recipient. The hacker will then change the code and use it against the victim. SMS Phishing is also called Smishing – you have to love these terms, who comes up with them? Vishing is another one – can you tell what it means?
By gaining access to their accounts, hackers can use their victims’ information for further illicit activities including data breaches.
Phishing techniques are not new to the world of technology. And if users continue to get emails or calls attempting to get them to click links or give out personal information through online Webpages, why should SMS 2FA be any different?
Hackers are continuously finding new ways to get their target’s information. And while this is a difficult task, it’s not impossible.
Social Engineering Attacks
Social Engineering Attacks occur when a hacker or social engineer uses psychological manipulation and reasoning to get people to reveal information that should otherwise be withheld.
This form of hacking focuses on using the psychology of individuals to gain access to your accounts by calling an individual and impersonating someone they should trust like their bank, credit card company or even mobile phone provider.
If the targeted individual is not willing to verify who they are, the social engineer will usually try other psychological tactics until they gain access to their target’s sensitive information.
Hackers can also use other personas such as a small business owner or an IT professional calling up their target, all with the same goal of getting them to divulge their password, username and even their SMS 2FA codes.
Phishing and Social Engineering can both be used in conjunction with each other to gain access to an account. This approach works by combining psychological manipulative tactics along with social engineering or phishing techniques to get your personal information.
Fake Cell tower and a Man-in-the-Middle Attack
Hackers can intercept communication between cell towers and devices by using a device that is often referred to as a “fake cell tower.” This allows them to access information through what is known as a “Man-in-the-Middle” attack.
An example of such an attack would be using an IMSI Catcher device (such as a Stingray) that can impersonate a legitimate tower for a target’s mobile device. This allows the hacker to gain access to data sent between the towers and systems as well as the ability to provide an SMS 2FA code.
SIM Swapping
SIM Swapping is a form of identity theft that hackers use to gain access to a target’s phone number and account. It is used as part of social engineering attacks to acquire information such as passwords, usernames and SMS 2FA codes.
Here’s how it works: The hacker will call your mobile provider and impersonate you, telling them that your SIM card has been lost or stolen. They will then ask for a new SIM card to be sent to a different address.
Once they have your new SIM card, they will be able to hijack your cellular account and receive all your 2FA codes. This gives them access to many of your personal accounts.
There are other ways hackers can intercept your 2FA Codes or OTP Codes but these are the most common at the moment.
Now that you know what hackers are using to gain access to accounts, here are some tips on how you can protect yourself.
How to Protect Your 2FA from Hackers
When it comes to protecting your digital assets, there are many things you can do to keep hackers at bay. Here are some simple security measures that can protect your accounts – even when using 2FA:
Update Your Systems Regularly
By keeping your devices updated with the latest security patches, you can reduce your chances of being hacked.
Keep Your Information Private
The more people know about you and your private information, the easier it will be for criminals to get a hold of your sensitive data like passwords or 2FA codes. Make sure that only trusted friends and family know about your personal details and passwords to other accounts.
Change Your Passwords Often
Even if hackers do manage to gain access to your password or 2FA, changing it often will give them less time to do anything with it before you notice and change the compromised account again.
Use a Unique Password for Every Account
Using different passwords for each of your accounts will ensure that if one of them falls into the wrong hands, they won’t be able to get access to all of your devices easily. Having a different password for each account is best but even having a slightly similar one for multiple accounts can work just as well.
Use Password Managers
Plaintext passwords are easier to remember but they are not good for security. Using a password manager that generates strong passwords and stores them all safely is better than using simple words, even if you have to resort to writing the password down on a piece of paper.
Alert your Financial Institutions
Inform financial institutions about potential phishing attempts or any other forms of suspicious activity so that they can take the necessary precautions to prevent criminals from gaining access to your accounts.
Be Careful with Public Wi-Fi
Using public Wi-Fi is fine but you should be careful where you do so. Criminals often use public Wi-Fi to intercept data or gain access to accounts through man-in-the-middle attacks. Staying logged into social media sites or doing personal tasks on public Wi-Fi can give hackers access to sensitive information.
Be Aware of Phishing Attempts
The first step of protecting yourself against phishing is knowing what it looks like. Don’t let your guard down because you think you know how to protect yourself on the internet. Hackers often change their methods and try new ways to trick people into giving away their information.
Keep Your Phone Safe from Hacks
Aside from being wary of hackers, you should also protect the phone itself from hacks. Setting a strong PIN or passcode on your device can prevent anyone from getting access to it if they get a hold of it – even if they have physical access to the device.
Learn About Spy Apps
Spy apps are one of the most common ways that individuals are targeted for personal hacking. Most involve the hacker getting physical access to your phone and installing a hidden spy app.
I have several guides on how to find spy apps on your phone, how to know if your phone is hacked and ways to remove a hacker from your cell phone. Lots more useful information in those guides.
I also have a Premium Spy App Security Ebook if you think you are a victim of spy software apps. You should have a look for more details below:
Stay Safe Even When Using 2FA
So, is 2FA safe? I hope you have taken away one major point of this article. Just because your accounts use 2FA or OTP codes, it doesn’t mean you are safe from hackers. They certainly add another layer of security, but don’t let your guard down and become complacent.
Always keep your online security under review and be aware of emerging threats. We do so much online now that the stakes have become higher. A simple phone hack can prove devastating if you don’t protect yourself.