Security researcher and forensics expert Jonathan Zdziarski has told the press that “SMS is just not the best way to do [two-factor authentication],” following a scam brought to light that helps steal a user's 2FA code.
Zdziarski told Wired.com: “It's depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.”
Zdziarski goes so far as to argue that: “Two-factor authentication using SMS text messages isn't technically two-factor at all. The idea of two-factor authentication is to test someone's identity based on something they know (like a password) and something they have (like their phone or another device).”
These comments were made in light of the attack exposed earlier in the month by Alex MacCaw, cofounder of data API company Clearbit. MacCaw shared a screenshot of a text attempting to trick its way past two-factor authentication (2FA) on a Google account:
“Be warned, there's a nasty Google 2 factor auth attack going around. pic.twitter.com/c9b9Fxc0ZC” — Alex MacCaw (@maccaw), June 4, 2016
The attack works by sending the target a text message pretending to come from a company the target has an account with. The criminal first requests a 2FA code from the service, which delivers it to the target's phone; the criminal then texts the target claiming that ‘suspicious activity’ has been detected and asking them to reply with that code to stop the account being locked. The target sends the code back, and with it gives away access to the account.
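As an added illustration (not part of the original article), a defender-side screening heuristic that separates a genuine code delivery from the solicitation pattern described above: a legitimate message carries a code and never asks for anything back, whereas the scam asks the recipient to send a code and pressures them with lockout language. The message texts and patterns are constructed for this example.

```python
import re

# A six-digit one-time code, the shape most services send.
CODE_PATTERN = re.compile(r"\b\d{6}\b")
# A request that the recipient send a code back (reply/respond/text back/send ... code).
REPLY_REQUEST = re.compile(
    r"\b(reply|respond|text back|send)\b.{0,40}\b(code|pin)\b", re.IGNORECASE
)
# Pressure language typical of the scam: lockout threats or "suspicious activity".
LOCKOUT_THREAT = re.compile(
    r"\b(locked|suspended|disabled|suspicious activity)\b", re.IGNORECASE
)


def classify_sms(text: str) -> dict:
    """Return a verdict and the reasons behind it.

    'solicitation'  - the message asks the recipient to send a code back
    'code_delivery' - the message delivers a code and asks for nothing
    'other'         - neither pattern applies
    Heuristic only: a legitimate warning such as "never reply with your code"
    also trips REPLY_REQUEST, so treat this as a flag for review, not a block.
    """
    reasons = []
    if REPLY_REQUEST.search(text):
        reasons.append("asks recipient to send a code back")
    if LOCKOUT_THREAT.search(text):
        reasons.append("pressures with lockout or suspicious-activity language")

    if "asks recipient to send a code back" in reasons:
        verdict = "solicitation"
    elif CODE_PATTERN.search(text):
        verdict = "code_delivery"
    else:
        verdict = "other"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages.
SAMPLES = [
    "Your verification code is 482913. It expires in 10 minutes.",
    "We detected suspicious activity on your account. Reply with the code "
    "we just sent you or the account will be locked.",
    "Dinner at 7 tonight?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify_sms(msg)["verdict"], "<-", msg)
```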
This could be considered the evolution of the age-old scam of simply asking people for their login details, made easier by the recent high-profile data breaches.
Sophos recently pointed out in a blog post that the Two Factor Auth List is a website that lists many commonly used websites and whether or not 2FA is available on each. And if your site of choice doesn't have 2FA yet, the list has a handy button to tweet at the site to encourage them!