Crypto enthusiasts have always loved the use of SMS for two-factor authentication. Many users already trade cryptos and manage social pages via their smartphones, so why not use SMS to verify sensitive financial content? Jesse Leclere, CertiK’s CEO, says that SMS security is inferior to physical security keys or authenticators.
Scammers now get around this security layer through SIM swapping: rerouting a victim's phone number to a SIM in a phone the attacker controls. In many countries, telecom workers processing a simple porting request do not require the caller to provide government ID, facial identification or a social security number.
Hackers use SIM swapping to beat SMS 2FA
Combine this with easy-to-guess recovery questions and a quick search of publicly available information (Web3 stakeholders are often easy to profile this way), and impersonators can quickly move an account's SMS 2FA to their own phone and use it for criminal purposes. Many crypto YouTubers fell victim to SIM-swap attacks earlier this year.
Hackers posted fraudulent videos to their channels with text asking viewers to send money to the hacker's wallet. Duppies, a Solana non-fungible token (NFT) project, was compromised by hackers in June via a SIM swap. The hackers tweeted links to a fake stealth mint.
Cointelegraph spoke to Jesse Leclere, CertiK’s security specialist. CertiK is a recognized leader in blockchain security. Since 2018, CertiK has helped more than 3,600 projects to secure digital assets worth $360 billion and identified over 66,000 vulnerabilities. Leclere’s thoughts:
Although SMS 2FA is better than none, it is still the most vulnerable type of 2FA currently available. Its appeal lies in its simplicity: People log in to online platforms using it either via their phones or by having it at their fingertips. Its vulnerability to SIM swaps cannot be understated.
Leclere stated that dedicated authenticator apps such as Google Authenticator or Authy offer almost all of the convenience of SMS 2FA without the danger of SIM swapping. Leclere was asked whether virtual and eSIM cards could be used to hedge against the possibility of SIM-swap-related phishing attacks.
SIM-swap attacks are based on identity fraud and social manipulation. A bad actor can trick employees at a telecom company into believing they are the true owner of a number attached to a physical SIM, and they can do the same for an eSIM.
Although such attacks can be made harder by locking your SIM card to your phone (telecom companies can still unlock phones), Leclere recommends physical security keys as the best option. Leclere explains that these keys plug into your computer's USB port, and some support near-field communication (NFC), which makes them easier to use with mobile devices. To gain access to your account, an attacker would need to know your password and physically possess the key.
Leclere noted that Google has had zero successful phishing attacks since 2017, when it mandated that employees use security keys. They are so strong that you won't be able to access your account yourself if you lose your only key, so he said it is important to keep multiple keys safe.
Leclere also stated that, in addition to using an authentication app or a security code, a good password manager makes it simple to create strong passwords and avoid reusing them across sites. He stated that pairing a strong password with non-SMS 2FA is the best way to protect your account.