With so much of your life being on the Internet, your security there is more important than ever. We’ve recently profiled the rise of Multi-Factor Authentication (MFA) and how it has helped to take a bite out of crime, but it seems that criminals have found a way to break it. That highlights how difficult it is to stay ahead of criminals and keep your information safe online.
MFA
Multi-Factor Authentication relies not only on a traditional password but also on something else to verify that a user is who they say they are. This can be as simple as answering a secret question or sending a user a one-time code on their phone to enter when they authenticate. With the latter method it is assumed that the only person who has access to that phone number is the right person, but as always criminals have found a way around that.
Porting Or Splitting
SIM-porting or SIM-splitting is of course not new. Its most famous use was when someone was able to take control of Twitter CEO Jack Dorsey’s account for a few moments by using this method earlier this year. It allows someone to take control of your phone number and have any communications sent to them and not you. That means that as long as that person knows your number, they can receive that code and overcome the new security measures.
Little That A Consumer Can Do
The worst part for the average consumer is that there is nothing that they can do about this. Only the carriers can prevent something like this from happening, as it requires someone on the inside to be able to do the work. The scammer may use personal information acquired over the Internet to trick an employee into making the change, or an employee could be the crook themselves.
It will also take time for the victim to notice that something has happened, giving the thief valuable time. Additional time is lost as the victim may have to wait on hold to get through to a real human being at their carrier to take care of the problem, let alone contact the financial institutions that they deal with. That is plenty of time to clean out a bank account, hijack a social media account and do plenty more.
Is A Phone Number More Valuable Than A Social Security Number?
It is possible that the most valuable piece of information that you have is not your social security number or any other number issued to you by the government. It could be your phone number, and yet you put your number out into the public on your website, on a business social media page, on your business card and much more. It seems far too exposed to use for something as important as this.
The problem is of course that there is nothing out there that is as feasible as using a person’s phone number for this type of security. Biometric security would be a major upgrade, and the technology is already in use on many smartphones, but it is not found on every device yet. For Multi-Factor Authentication to truly work, biometric security measures need to be developed and made available to the public. At the same time, an alternative to an SMS code should be offered. Some already exist, like Authy, Google Authenticator and Duo Security, but not everyone is able to access these.
No Easy Fixes
Phone companies are in a bind with this. There are many people who are legitimately changing carriers or who lost their phone and need a new SIM card. To simply stop allowing this is not possible for them. A recent article from MarketWatch does suggest a measure that the public can take to make this tougher for a criminal: have your carrier add a PIN to your account and require it before a number is ported out or a new SIM card is issued.
This underscores how vulnerable we all are and how important it is that our information is kept safe online, not only by ourselves but also by the companies that we do business with. We are all in this together, and unfortunately it is hard to stay ahead of the criminals. We are dealing with issues that we could not have imagined only 20 years ago, but fortunately we are all becoming more aware of these issues and are hopefully taking better precautions. So, if you are presented with Multi-Factor Authentication options, don’t just take the phone option. You might want to pick another one if offered.