Column | ‘Text authentication’ is more dangerous than conventional wisdom suggests


The practice of authenticating users by texting them a numeric code has long been a security problem. Many security professionals, myself included, have been trying to get IT departments to move away from it for years. Now an excellent article from Vice has made it clear that the texting situation is even worse than expected. The vulnerabilities are not confined to text messages themselves: the entire telecommunications sector, including the infrastructure that carries text messages, is in terrible shape.

In the white-hat attack Vice arranged, all of the victim’s text messages were intercepted and redirected. It wasn’t even a technical takeover. The white-hat hacker (asked by the Vice reporter to intercept his text messages) paid a legitimate SMS marketing and bulk-messaging company, Sakari, a mere $16. The hacker had to lie that he had the user’s authorization, but he did not have to provide any meaningful evidence of it.

Vice wrote in the article: “If an (attacker) is able to redirect a target’s text messages, they can easily hack other accounts associated with the phone number. In this case, (the attacker) sent login requests to Bumble, WhatsApp and Postmates and got easy access to my accounts.”

From an IT security standpoint, the article is striking because it shows just how muddled the entire telecom world is when it comes to protecting text-message communications. It makes clear that text messages cannot be trusted for authentication, or for much else.

More from the article: “According to a copy of the Sakari Letter of Authorization (LOA) obtained by Motherboard, Sakari gets its ability to control text-message redirection from a company called Bandwidth. Bandwidth in turn uses the Override Services Registry (OSR), a centralized database owned and maintained by NetNumber.”

For a long time, the main problem with relying on text-message verification was, and still is, the possibility of man-in-the-middle attacks. But stealing text messages is far easier when the infrastructure that carries them can itself be abused.

There are many widely used applications that offer a more secure alternative to text authentication, such as Google Authenticator, Symantec’s VIP Access, Adobe Authenticator, and Signal. Do you really need to take the risk of relying on unencrypted, easily stolen text messages?

Consider how easy and inexpensive it is to switch to a more secure alternative to text-message authentication. And don’t overlook the compliance and operational risks of allowing account access to be granted through unencrypted text messages.

What about the risks and compliance implications of granting third parties access through unencrypted text-message authentication? Consider the following from Vice’s article:

“(The attacker) sent login requests to Bumble, WhatsApp and Postmates and got easy access to my accounts.”

When a bad actor controls a customer’s text messages, it can set off a wide-ranging domino effect that opens access to many services. An attorney for one of those companies could then argue against your company:

“Had (your company) not set off an insecure chain reaction by insisting on using unencrypted text messages for authentication, my clients would not have been harmed. So (your company) must compensate us for our losses.”

Does this seem absurd? Not really. Most companies would pay out a portion of such a demand rather than go to court, and then raise next year’s IT budget.

And there is the backlash from your installed base and prospective customers (financial losses, brand damage, horrible comments on social media, fewer new customers, etc.), and they can sue you too.

So what about compliance? When defending such ill-advised behavior before regulators, there are usually two arguments.

First: “This is industry practice. We can show that 80% of our competitors did the same.”

Second: “At the time, we had no reason to believe that the security of unencrypted text messages was so poor.”

The first argument (industry practice) evaporates quickly. It might have been a viable claim as late as 2020, but by this summer most companies will have started to move away from text authentication.

The second argument (who knew?) is neutralized by Vice’s article and the reaction to it.

Let’s hope yours is not the last company in the industry to abandon unencrypted text messages for authentication. Unless, that is, you want to pay the price.

* Evan Schuman is the founding editor of the retail technology site ‘StorefrontBacktalk’.


Source: [ciokorea]

Rewritten by [Baji Infotech]