Email or SMS text messaging is NOT secure for two-factor authentication

So you have a bank account that you manage online, and, of course, you want the online access to be as secure as possible (who wouldn't?). You've learned that enabling 2FA (two-factor authentication) for the account would increase its security (it would!), so you register your mobile phone with the bank. Now, if someone attempts to log in to your bank account, the bank sends a text message to your phone with a code that the intruder would need to enter before being allowed in. You now feel pretty secure and can sleep well at night, right?


Well, we have some not-so-good news for you (sorry for disturbing your sleep): if someone steals both your bank card and your mobile phone, they can bypass the 2FA even if they can't unlock your phone. That's exactly what someone is doing in the UK, by stealing cards and phones from the lockers at a local gym.

How does the thief break the 2FA? Surprisingly easily. First, they look at your card and see which bank issued it. They search for that bank's app in the app store and install it on their own phone. They open the app and attempt to register your card number with it. The bank now sends an SMS to the owner's phone, and even though the phone is locked, the text message is flashed on the lock screen, briefly, but long enough for the thief to read the code. They enter that code on their own phone, and that gives them access to the victim's account. Note that the thief never needed your phone's PIN: the weak point is that the second factor is delivered to a screen anyone holding the phone can see.

Note that this kind of attack would most likely work just as well if you had set up your bank account to send you the verification codes by email instead of SMS: many email apps display snippets of incoming emails on the lock screen, too, and a six-digit code easily fits in the snippet.

What should you do to stop this kind of break-in? At the very minimum, check whether the notification settings of your messaging or email app can be changed so that incoming messages are not shown on the lock screen (on most phones this is a per-app setting, often called something like "show previews" or "sensitive notifications on lock screen").

A better solution is not to use email or SMS for verification at all, and to switch to an authenticator app such as Authy. The problem is that not all banks support such methods, but if yours does, it makes your 2FA much more secure: the thief cannot get at the authenticator app while the phone is locked, because the code is generated inside the app rather than pushed to the lock screen. Besides, you can set up a separate PIN for the authenticator app itself, so even if the thief somehow managed to unlock your phone, they would still be prevented from using the app.

As a bonus, an authenticator app lets you produce the one-time code even when you are somewhere without cell phone coverage. For example, you travel abroad to a country outside your carrier's service area. You have Wi-Fi in your hotel and want to access your bank account, but you can't receive the SMS because your phone has no cellular service. With an authenticator app you would not be stuck in such a situation, because it does not need Internet access or cellular service to produce a code: the code is computed on the phone from a secret that was shared with the bank when you enrolled, plus the current time.

Happy travels!

