Cyberattack on SMS: the interception of 30,000 text messages went unnoticed

A recent cyberattack on the international company Global, an SMS service provider in Argentina, Chile and Uruguay, highlighted one of the most serious weaknesses in current authentication systems: the use of text messages as a second authentication factor.

The attackers compromised servers that handle SMPP (Short Message Peer-to-Peer), an application-level protocol used to exchange text messages (SMS) between applications and message centers (SMSCs).

In this way, the attackers managed to intercept more than 30,000 messages in real time, many of them containing second-factor authentication codes of the OTP (One-Time Password) type sent by technology and banking companies, public services and social networks.

Among the affected platforms are Google, Apple, Telegram, Facebook, Instagram, WhatsApp, Mercado Libre, Microsoft and many more. These services usually send codes by SMS as a second authentication factor as part of their two-step authentication processes.

However, two factors make this scheme especially vulnerable. The first is that the system architecture causes the text message (SMS) to pass through multiple intermediaries before reaching the end user. The second is that the message is sent in plain text, that is, without encryption.

In the case of Global Polls, the attack was not only effective but went unnoticed for weeks, allowing the mass takeover of accounts without the need for victims to click on links or install malware.

A group of specialized researchers even detected bots that automated the interception of these codes and facilitated access to personal accounts, especially on Telegram. The most worrying thing is that many of the victims followed good security practices: they had no infected devices and did not use weak passwords, demonstrating that the fault was in the communication channel itself.

In conclusion, it is clear that the use of SMS as a second authentication factor should be considered obsolete and dangerous. There are much more secure and easy-to-use methods, such as authentication applications (Google Authenticator, Microsoft Authenticator, IBM Verify, etc.), FIDO-type security devices or passkeys based on biometrics implemented on trusted devices.

All these methods rest on a fundamental property that SMS lacks: the second factor does not travel through the network but is generated on the trusted device, usually the user's cell phone. In this way it is impossible to intercept thousands of second-factor passwords in a centralized way, as happened in the attack on Global Polls.

In all cases, the message is the same: protecting access with a second factor remains fundamental, but the channel chosen for that second factor must be robust. Today, SMS clearly is not.

Source: Ambito
