Why you shouldn’t use two-factor authentication via SMS

The Boss


Imagine this. It’s Friday morning. You wake up thinking there is only one day left until the weekend, but suddenly you see a text message from your bank telling you that your balance is below $100. You are shocked, but since you know you have thousands of dollars in the account, you assume it is a scam or a banking error.

Either way, you open the bank app on your mobile, log in and realize it wasn’t a mistake: your money is gone.

But how is this possible? You had no idea and had been careful enough when setting up two-factor authentication to prevent anyone from accessing your account.

The answer is in the SMS. Mobile verification is commonly used today by banks, Microsoft 365 and many other popular services. When you log into your account with your username, password and other credentials, a six-digit code is sent to you by text message, and you can only access the account after you have entered it.

In theory, only you can access your mobile, so no one can get the code and pretend to be you.

Unfortunately, that’s not the case: it’s worrying how easy it is for criminals to intercept these messages without your knowing it. Without much effort or expense, they can access a system where they type your phone number into a box, press “Enter” and redirect your text messages to themselves.

Once they have your login credentials and phone number, all they need to do is redirect those SMS codes to a mobile they control, and they can get into your account.

Once they have emptied your account, they disable the redirect, and you only find out when you get a low-balance alert from your bank.

How the “bad guys” manage to intercept the messages is not very important here, but if you are particularly interested you can read this blog post from KrebsOnSecurity.

The important thing to know is that while using two-factor authentication is a good idea, SMS codes are the weakest way to do it because they are so easy to intercept. As Krebs explains in that post, the ecosystem of businesses that anyone can use to silently intercept other mobile users’ text messages has only recently come to light.

Use a two-factor authentication app

If your bank, email provider, or any other app or service offers two-factor authentication, check whether you can choose how to receive the codes.

Ideally, you should be able to use a two-factor authenticator app. This is a separate application that runs on your mobile and generates the codes itself. Google and Microsoft both offer apps like this, but it is up to the bank or company in question to decide which methods it supports.

Simply put, if your bank only offers SMS verification, that is better than nothing, but you might want to switch to a bank that uses an authenticator app, generates codes inside its own banking app, or uses biometric authentication such as fingerprint or facial recognition.

What to do if your bank account is hacked

Unfortunately, the example this article opened with really happened; it was not hypothetical. Fortunately, the bank refunded the stolen money in the end.

What you need to do is immediately call the bank and explain to them that you are not the one who spent the money: it is a fraud. In fact, it is a bank robbery, albeit in this case digital and not physical.

You should also change the security credentials associated with your account and, if possible, switch to an alternate two-step verification method.

Working out how the attackers got hold of your login details and other personal information is much harder, but while you cannot (easily) change your name or address, you can make sure that no other account is using the same password.

You may also want to change your phone number if other services you use rely on SMS two-factor authentication, and Brian Krebs recommends that your phone number no longer be associated with your email or any other online service.

“Unfortunately, many email providers continue to let their users reset their account passwords via a link sent by text to the number associated with the account. So remove the phone number to protect your messaging and make sure you select a second stronger factor for all your account recovery options.”

Likewise, Simon Edwards of SE Labs advises treating your email with much more respect. “Your email is one of the most important things you need to protect. Protect it with a strong password and enable two-factor authentication if available. Obviously, do not choose to receive the codes by SMS unless it is the only option, because it’s better than nothing,” he told Tech Advisor.

Another option, available in your online banking app or on your bank’s website, is to have the bank send you a notification whenever a payment exceeds a certain amount. At the very least, this will alert you that unknown transfers or purchases are in progress.

For added protection, you might be interested in our pick of the best password managers.

Original article published in Tech Advisor UK.
