"How Hackers Can Use Message Mirroring Apps to See All Your SMS Texts — And Bypass 2FA Security"
The implementation of Two-Factor Authentication (2FA) has become a necessity as the use of usernames and passwords alone is not enough to securely access online services. 2FA provides an extra layer of security to the username/password system. Studies have shown that users, who enabled 2FA, ended up blocking nearly 99.9 percent of automated attacks. However, as with any cybersecurity solution, attackers have come up with ways to evade this authentication method. Through the one-time codes sent as an SMS to a user's smartphone, hackers can bypass 2FA. Although this has been proven possible, many critical online services still use SMS-based one-time codes. Microsoft and other major vendors have encouraged users to abandon solutions leveraging SMS and voice calls. SMS is known to have poor security that increases vulnerability to various attacks. In a SIM swapping attack, an attacker calls the victim's mobile service provider. The attacker impersonates the victim and requests to port-out the phone number to a different carrier or a new SIM card. When the port-out is complete, the phone number activates on the attacker's SIM card, allowing them to send and receive messages, and make calls as the victim. There are also readily available tools such as Modlishka that attackers can use to compromise SMS-based one-time codes. Modlishka can intercept communication between a genuine service and a victim, as well as track and record the victim's interactions with the service, including the login credentials they use. Researchers at Deakin University have also found additional vulnerabilities in SMS-based 2FA. One of their experiments revealed that an attacker could remotely access a user's SMS-based 2FA using a popular app designed to synchronize users' notifications across different devices. This article continues to discuss the problem with SMS-based 2FA methods, the need for more work on secure authentication methods, and the need to move methods beyond 2FA towards a Multi-Factor Authentication (MFA) environment.