It’s the end of the month and you’ve got bills to pay. But instead of waiting in long queues at a nearby bank, you simply log on to your banking portal, receive a two-factor authentication code and pay your bills through online banking. But just how safe and secure is it? Let’s discuss it in more detail.
While COVID-19 forced people to work from home, it also dramatically accelerated the adoption of digital banking. And that has caught the attention of cybercriminals.
Most individuals, financial institutions, and organizations all over the world use two-factor authentication (2FA) as a security measure against hackers. In fact, it is the most popular security measure.
Institutions such as banks normally send a short one-time password through SMS text messages to customers seeking to log into their accounts for transaction approval.
However, SMS messages are one of the weakest links in 2FA security measures. This is because text messages can quite easily be intercepted by anyone with the right equipment and skills.
For example, Metro Bank in the UK confirmed that some of its customers had fallen victim to attacks that intercepted their 2FA SMS text messages. The same thing happened back in 2017 to customers of the Süddeutsche Zeitung bank in Germany.
How Do Criminals Intercept 2FA Text Messages?
There are many ways hackers can intercept 2FA text messages and use them to defeat an organization’s security. One of them is exploiting flaws in SS7, the signalling protocol that most telecommunications companies use to coordinate calls and text messages between networks.
The problem with SS7 is that the network will hand over sensitive data, such as a 2FA text message or call, to anyone who requests it.
If a criminal obtains your online banking details, such as your username and password, they can access your bank account and even request a money transfer. By the time you notice where your money went, it will have been moved on to another bank.
Whenever you want to make an online funds transfer, banks usually send a confirmation code to verify that you are the account owner. If this code is sent as a text message, hackers can exploit the SS7 flaw to obtain it and take over your account.
The bank then accepts the transfer as legitimate because it was confirmed with your password and one-time code. That’s how people lose money through SS7 attacks and flaws in 2FA text authentication.
What is a better option then?
2FA text messages might not be enough to stop ransomware and hacking attempts. Text messages cannot provide 100% security and could easily result in a ransomware incident. Authy or Authenticator can be used as better alternatives.
Apps such as Authenticator and Authy are more secure than SMS for 2FA because they generate a Time-Based One-Time Password (TOTP) directly on the device or app from which the request was made.
This means that even when hackers manage to manipulate your telephone service provider, they will not be able to get your codes. The data used to generate the code doesn’t reside on the SIM card but on the physical device.
Banks should develop and use their own authentication apps, similar to Google and Facebook Authenticator. When logging in, the digital banking app should pop up a notification. Since this communication bypasses SMS text messages and relies on mobile data or WiFi, it is much more secure than the former. Once authenticated, the customer can then log in to their bank account with little risk of being compromised.
Companies that decide to use 2FA to access their workspaces are wise to do so. However, it is imperative that you still do not give your login credentials to anyone. Use strong passwords with capital letters, lower-case letters, numbers and special characters. Never perform transactions on an open WiFi hotspot at cafes and restaurants. Use mobile data or a secure WiFi network, and log off immediately once your transaction is completed.