
Facebook leak leaves an important lesson: SMS is not a good two-step authentication method

533 million users were left “naked”. The latest outrageous breach of Facebook user data is the umpteenth demonstration of how a negligent business puts not only our privacy at risk, but also our security and even our savings.

The leaked data now exposes millions of users to impersonation and other targeted cyber attacks. The danger is enormous, and this new Facebook fiasco is the latest warning on a sensitive topic: SMS is not a good two-step authentication method.

Be afraid. Very afraid.

Our dependence on the digital world keeps growing, and while the benefits of the mobile revolution are obvious, they also come with some nasty side effects.

Until recently, a single layer of protection (username/password) seemed to suffice, but massive password theft and bad practices by users (using and reusing ‘123456’ as a password is an atrocious idea) have made two-step authentication (2FA) much more advisable when it comes to protecting accounts on all kinds of services.

It was no longer enough to just enter the username and password. From then on, you also had to verify your identity with a second code, usually a PIN sent to your mobile by text message.

The idea was fantastic… or at least that is how it seemed. Only we (theoretically) have our mobile in our hands, so that PIN could only reach us, right?

No.

In leaks like the one that happened with Facebook, the data is no longer just lists of emails and associated passwords. This data includes full names, mobile phone numbers (try deleting those), but also the gender and location of these users. The threat posed by this data is absolutely enormous.

Facebook’s response to the theft has been astounding, because its philosophy is one of inaction. They do not intend to notify affected users, who can still find out whether they are part of the leak thanks to the reputable HaveIBeenPwned service. A recent change to this service lets us check not only whether our email has been leaked, but also whether our mobile number and the rest of the data associated with it has.

What can the “bad guys” do with the data leaked by Facebook?

All of this data gives cybercriminals a golden opportunity to carry out all kinds of targeted attacks, both phishing (with emails that appear to come from someone we know: “hey, now I can trust this”) and identity theft.

It is not difficult to imagine this data being used by a criminal to usurp our identity and obtain, for example, a duplicate of our SIM card. The disturbing SIM-swapping attack is the order of the day, and if we fall victim to one we will be in a real dead end, because suddenly our mobile will stop working and the attacker will take the opportunity to carry out all kinds of operations using our number.

They will be the one who receives the PIN to make that bank transfer or that purchase on Amazon, not you, but you will be the one left holding the bag (and the bill).

The dangerous consequences of a data theft like this are unfathomable and can also lead to further social engineering attacks that allow other people to collect even more data from us or convince us to send them our ID (don’t even think about it), and again, the consequences of these mistakes can be fatal.

Say goodbye to SMS as a two-step authentication method

I know I go on about this. I said it five years ago and repeated it the following year. Protecting your accounts with two-step authentication is a great idea, but doing it with SMS is not so much.


To be sure, SMS is better than nothing. It really is. The problem is that this latest Facebook disaster highlights that these mobile numbers are no longer as secure (something we have known for a long time), and that there are much better alternatives when implementing 2FA systems.

Which ones? To begin with, mobile applications built for this specific purpose. There are several popular ones (Google Authenticator, Microsoft Authenticator, Authy…), and they are joined by even more secure methods such as physical authentication devices, often in the form of “USB keys”.
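What those authenticator apps actually compute is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): phone and server share a secret once, at enrolment, and from then on both derive the same six or eight digits from that secret and the current time, so no code ever travels over the mobile network and a duplicated SIM gains the attacker nothing. The Python below is an added example written for this article, not code from any of the apps named above; `hotp`, `totp` and `secret_from_base32` follow the RFCs, while `TotpVerifier` is an assumed server-side check showing the two things a verifier must do beyond recomputing the code (tolerate small clock drift, and never accept the same time step twice). The demo secret is the RFC 6238 test key, constructed here in the base32 form that apps display.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, then dynamically truncate the digest to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter derived
    from Unix time, so phone and server agree without exchanging any message."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits, algorithm)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps show the shared secret as unpadded base32 (often with
    spaces); restore the padding that Python's decoder requires."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Assumed server-side check (not from any named product): accept a code from
    the current step or `window` steps either side to absorb clock drift, compare
    in constant time, and never accept a step at or below the last accepted one,
    so a code that was observed once cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_counter = -1

    def verify(self, code: str, timestamp: Optional[int] = None) -> bool:
        if timestamp is None:
            timestamp = int(time.time())
        now = timestamp // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # already consumed, or older than a consumed code: treat as replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP, counter 0:", hotp(demo_secret, 0))
    print("TOTP at t=59, 8 digits:", totp(demo_secret, 59, digits=8))
    verifier = TotpVerifier(demo_secret, digits=8)
    code = totp(demo_secret, 59, digits=8)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 75))
```

The values printed for the test key match the vectors in RFC 4226 Appendix D and RFC 6238 Appendix B, which is the quickest way to confirm a home-grown verifier agrees with the apps. Note what the scheme does and does not buy: the secret never leaves the phone and no SMS is involved, so SIM duplication does not help, but a user can still be tricked into typing a valid code into a phishing page, which is why the hardware keys discussed next are stronger still.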

Cyber security experts and even organizations like Amnesty International recommend these “physical tokens”. The best known are probably those from Yubikey, but there are many other alternatives, including the Titan keys that Google developed some time ago.

The solutions are there, but the industry is still anchored in SMS

We know what the problem is and we know there are solutions that (at least) alleviate it, so what is going on? Why are these alternatives not succeeding in the market?


In the first place, because of the tyranny of comfort and convenience. SMS is a familiar technology that makes these two-step authentication systems accessible. It is built into our mobiles, the user does not have to do anything to benefit from it, and moreover they know it and trust it (although perhaps they should not).

Using safer methods like those mentioned requires change and effort, something humans don’t like very much. It does not matter if the benefit is clear: we resist change, and having to install a new mobile application and use it on our devices, when SMS is so convenient, becomes difficult.

But in reality the real problem lies with the industry, which is still absolutely entrenched in SMS. Except for some specific services, there are many scenarios in which support for apps like Google Authenticator (let alone Yubikey-style security keys) is anathema to businesses.

The clearest and most delicate example is banks: good luck trying to find one that works with any of the alternatives mentioned, because (at least as far as I know) there are none. They know these systems exist, but between knowing that and implementing them there is a world of difference.

The tech giants are the ones gradually starting to integrate these systems into their services. The FIDO Alliance’s FIDO2/WebAuthn project and the U2F (Universal 2nd Factor) protocol, which underpin solutions such as those offered by Yubikey, are gradually being supported by more and more services, and although many of them are interesting because of their potential role as intermediaries for a massive expansion of these technologies, the truth is that SMS rules our world right now.

Be careful out there.
