Multi-factor authentication (MFA) is an important control for protecting user accounts and data from unauthorized access. Phone calls and SMS were once considered reliable second factors, but they are now regarded as weak ones, for several reasons. The first is that they depend on the telephone network, which was never designed to authenticate anyone: an attacker who takes over a victim's phone number through SIM swapping (described below) simply receives the victim's one-time codes. Calls and SMS can also be redirected or read without ever touching the victim's handset, for example through SS7 signalling attacks against carrier networks, through malware on the phone that reads incoming messages, or through ordinary phishing: a code typed into a fake login page can be relayed to the real site by the attacker within its validity window, so SMS codes offer no protection against adversary-in-the-middle phishing. For these reasons NIST SP 800-63B classifies out-of-band authentication over the public telephone network (SMS and voice) as a restricted authenticator.
Here is how a typical SIM-swap attack unfolds:
1. The attacker gathers information about the target, such as their phone number, email address, carrier, and other personal details, through social engineering, data breaches, or open-source research. Much of this is the same information the carrier later uses to "verify" the caller.
2. The attacker contacts the victim's mobile network operator, pretending to be the victim, and persuades the customer support representative that the phone or SIM card has been lost and that the number should be transferred to a new SIM card under the attacker's control. Port-out PINs and account passwords help here, but they are regularly defeated by social engineering or by bribed or compromised carrier staff.
3. The operator, believing it is helping the legitimate account holder, moves the number to the attacker's SIM. The victim's own phone loses service at this point, which is often the first and only warning sign.
4. The attacker now receives every call, message, and authentication code intended for the victim, and uses them to satisfy the SMS or voice second factor on the victim's online accounts. Because many services also accept the phone number for password resets, the attacker often does not even need the victim's password.
5. With the codes in hand, the attacker takes over the victim's email, social media, or financial accounts, typically starting with the email account so that further reset messages also land under their control.
6. The attacker then monetizes the access: account takeovers, unauthorized transactions, cryptocurrency theft, identity theft, or blackmail.
Another reason to avoid calls and SMS as MFA is that they are less convenient and less reliable than newer methods. They depend on cellular coverage and on carrier delivery, so codes can arrive late or not at all when the user is travelling, roaming, or in a building with poor signal, and every failed delivery makes users less likely to keep MFA enabled. Mobile authenticator apps (TOTP) compute codes locally from a shared secret and the current time and therefore work offline, and physical security keys work over USB, NFC, or Bluetooth with no network at all.
In summary, companies should stop relying on calls and SMS as MFA because they are both less secure and less convenient than the alternatives. Mobile authenticator apps remove the dependence on the phone network, and physical security keys using FIDO2/WebAuthn go further by binding the authentication to the legitimate site, which defeats phishing as well. SMS is still better than a password alone, so the practical path is to keep it only as a fallback while migrating users to app-based codes and, for high-value accounts, to security keys.