In today’s HikWire blog, Hikvision Senior Director of Cybersecurity Chuck Davis writes about trending security concerns. His focus is on Microsoft’s recent recommendation that discourages the use of SMS and voice MFA (multi-factor authentication). He also covers a new mobile smishing attack.
Microsoft Discourages Use of SMS and Voice MFA
MFA, most often encountered as two-factor authentication (2FA), is used to better secure user accounts against password attacks. MFA requires two or more independent pieces of verifiable evidence, or factors, during authentication, which greatly lowers the chance of an account being accessed by the wrong person even when the password alone has been compromised.
This week, Microsoft’s Alex Weinert wrote in his blog, “Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.”
This is a call for websites and apps to phase out SMS MFA in favor of stronger options such as a smartphone authenticator app. It is also a call for end users to choose stronger methods of MFA when they are available.
The weaknesses of SMS for MFA have been known for a long time. There have been numerous cybersecurity conference talks on the topic, and Krebs On Security reported on it in the 2016 article, “The Limits of SMS for 2-Factor Authentication.”
While SMS is arguably the weakest form of MFA, it is still better than just using a username and password. Bitdefender wrote, “even vulnerable SMS-based MFA is better than no MFA at all.”
Mobile Payment Smishing Attack
We covered smishing attacks in the HikWire blog earlier this year. Smishing (SMS phishing) attacks are on the rise, and we are all potential targets.
The term smishing is a portmanteau that combines the term SMS (text messaging) and the word phishing: SMS + phishing = smishing. As you may have guessed, smishing is phishing that uses SMS and similar types of text messaging.
According to Naked Security, one of the latest smishing campaigns has the attackers sending victims an SMS text message, pretending to be from the victim’s mobile provider. The message states, “We haven’t received your recent bill payment, please update your details at [malicious URL] to avoid additional fees.”
If the victim clicks on the link, they are presented with a login screen that attempts to trick the victim into unwittingly providing their login credentials to the attacker.
To learn more about smishing read this Hikvision article.
For more insights into these types of security concerns, check out Hikvision’s full cybersecurity blog catalog.