How many layers of protections are safe?
Sep. 13th, 2017 07:23 pm
Two-factor authentication (2FA) is becoming ever more popular as companies deal with growing concerns over cyber-insecurity. With 2FA, account-holders validate their identity online by entering a password and then adding a countersign that is generated by something to which they have physical access. This “second factor” is not fool-proof, though. DeRay Mckesson, an activist with Black Lives Matter, had his 2FA-protected Twitter account hacked last year. Banking customers in Germany had their 2FA accounts hijacked in May. And in August a bitcoin entrepreneur had the equivalent of $150,000 drained from his virtual wallet. How did a second factor fail them?
The flaw lies largely with the weakest link: the phone system and the humans who run it. Mr Mckesson and the bitcoin victim, for example, suffered at the hands of attackers who fooled phone-company employees into re-routing the victim’s phone number to a device in the attacker’s possession. Such a move should require either private, personal details or the customer’s PIN. But even if a customer-service rep ignores the scammer’s entreaties, the scammer will just try calling again, to another rep, and may eventually succeed. Another flaw, used in the German attack, is found in a system known as Signalling System 7 (SS7), which routes calls on networks worldwide and dates back to 1975. Vulnerabilities abound, and though mobile operators claim to be monitoring for abuses, access to an SS7 system allows hackers to intercept voice calls and SMS messages.