Multi-factor authentication is chic these days. All the websites are asking you to turn it on, and with good reason. When a data breach exposes the fact that your password is "password," malefactors still won't get into your account because they don't have the other authentication factor. Typically that's a one-time code, either texted to your phone or generated by an authenticator app.
Those two methods seem similar, but the former turns out to be a big security risk. In an engaging tag-team presentation at Black Hat, Thomas Olofsson and Mikael Byström, CTO and head of OSINT at FYEO, respectively, demonstrated a technique they call smishmash to prove that using text messaging for your second factor is very risky.
According to its website, FYEO is “Cybersecurity for Web 3.0”, meaning it promotes a decentralized internet, along with decentralized finance and security. FYEO is also used by some to mean For Your Eyes Only—shades of James Bond!
As for OSINT, that's short for open-source intelligence, and the term was much in evidence at Black Hat. It means the gathering and analysis of openly available information to develop useful intelligence. It's amazing what a dedicated researcher can come up with based on information that's not hidden in any way.
You've heard of phishing—that technique where clever fraudsters trick you into logging into a replica of a bank site or other secure site, thereby stealing your login credentials. Phishing links typically come through emails, but SMS messages are sometimes the carrier. In that case, we use the lovely term smishing.
“We call it smishmash because it’s a mashup of techniques,” explains Olofsson. “SMS for two-factor authentication [2FA] is broken. This is not news; it’s been broken since the
Read more on pcmag.com