A Worrying Security Gap
Two-factor authentication (2FA) has become an essential pillar of online security, offering users an extra layer of protection. Among the most common methods, sending codes by SMS stands out for its simplicity and accessibility. However, a recent discovery by researchers at the Chaos Computer Club (CCC) highlights a major vulnerability in this system.
A shock revelation: 200 million compromised text messages
CCC researchers were able to intercept more than 200 million text messages containing one-time passwords in real time. These messages came from more than 200 companies, including giants such as Google, Amazon, Facebook and Microsoft, as well as services such as Telegram, Airbnb, FedEx and DHL. This interception revealed a critical flaw in the 2FA code transmission process.
The Attack Method
The researchers exploited a vulnerability in IdentifyMobile, a 2FA-SMS service provider. By guessing a specific sub-domain, they were able to access data in real time, including not only security codes, but also telephone numbers and other sensitive information. This vulnerability exposes companies and their users to significant risks, despite the security measures in place.
Potential Consequences
This breach would allow attackers to hijack WhatsApp accounts, carry out financial transactions or access various services without needing physical access to the victims' phone, provided they knew the password. Although the exploitation of these codes still requires knowledge of the master password, the massive leakage of data represents a serious threat.
An imperfect security solution
SMS authentication is not infallible. Techniques such as SIM swapping or the exploitation of SS7 vulnerabilities in mobile networks allow SMS messages to be intercepted. In addition, phishing attacks can trick users into revealing their one-time passwords. Despite these risks, SMS remains a widely used method for 2FA.
Recommended alternatives
Given this vulnerability, more secure alternatives are recommended:
- Authentication applications: applications such as Google Authenticator, Authy or Microsoft Authenticator generate codes directly on the device, without going through the mobile network.
- Hardware security keys: devices such as the YubiKey offer robust protection against attacks and are independent of the mobile network.
The CCC's position
The Chaos Computer Club points out that using one-time passwords generated by applications or hardware tokens is more secure than sending codes by SMS. They strongly recommend using these methods whenever possible.
Although two-factor authentication via SMS has its weaknesses, it is still a better option than no 2FA at all. However, for high-value accounts, it is crucial to adopt more secure methods to ensure sensitive data is protected. Companies need to assess their threat models and offer a range of authentication options tailored to the security needs of their users.