CertiK says SMS is the 'most vulnerable' form of 2FA in use

Published at: Sept. 28, 2022

Using SMS as a form of two-factor authentication has always been popular among crypto enthusiasts. After all, many users are already trading their cryptos or managing social pages on their phones, so why not simply use SMS to verify when accessing sensitive financial content?

Unfortunately, con artists have lately caught on to exploiting the wealth buried under this layer of security via SIM-swapping, or the process of rerouting a person's SIM card to a phone that is in possession of a hacker. In many jurisdictions worldwide, telecom employees won't ask for government ID, facial identification, or social security numbers to handle a simple porting request.

Combined with a quick search for publicly available personal information (quite common for Web 3.0 stakeholders) and easy-to-guess recovery questions, impersonators can quickly port an account's SMS 2FA to their phone and begin using it for nefarious means. Earlier this year, many crypto YouTubers fell victim to a SIM-swap attack in which hackers posted scam videos on their channels with text directing viewers to send money to the hacker's wallet. In June, Solana NFT project Duppies had its official Twitter account breached via a SIM swap, with hackers tweeting links to a fake stealth mint.

Regarding this matter, Cointelegraph spoke with CertiK's security expert Jesse Leclere. Known as a leader in the blockchain security space, CertiK has helped over 3,600 projects secure $360 billion worth of digital assets and detected over 66,000 vulnerabilities since 2018. Here's what Leclere had to say:

"SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use. Its appeal comes from its ease of use: most people are either on their phone or have it close at hand when they're logging in to online platforms. But its vulnerability to SIM card swaps cannot be underestimated."

Leclere explained that dedicated authenticator apps, such as Google Authenticator, Authy, or Duo, offer nearly all the convenience of SMS 2FA while removing the risk of SIM-swapping. When asked whether virtual or eSIM cards can hedge against the risk of SIM-swap-related phishing attacks, Leclere's answer was a clear no:

"One has to keep in mind that SIM-swap attacks rely on identity fraud and social engineering. If a bad actor can trick an employee at a telecom firm into thinking that they are the legitimate owner of a number attached to a physical SIM, they can do so for an eSIM as well."

Though it is possible to deter such attacks by locking the SIM card to one's phone (though telecom companies can still unlock phones), Leclere nevertheless points to the gold standard of using physical security keys. "These keys plug into your computer's USB port, and some are near-field communication (NFC) enabled for easier use with mobile devices," explains Leclere. "An attacker would need to not only know your password but physically take possession of this key in order to get into your account."

Leclere points out that after mandating the use of security keys for employees in 2017, Google has experienced zero successful phishing attacks. "However, they're so effective that if you lose the one key that is tied to your account, you will most likely not be able to regain access to it. Keeping multiple keys in safe locations is important," he added.

Finally, Leclere said that in addition to using an authenticator app or a security key, a good password manager makes it easy to create strong passwords without reusing them across multiple sites. "A strong, unique password paired with non-SMS 2FA is the best form of account security," he stated.
