In cybersecurity, there is a word that is bandied around a lot which is of utmost importance to you: 2FA.
2FA stands for Two-factor authentication. Many of you may be familiar with it. Stay with me.
If you are reading this and don’t know what it’s about, then pay attention, this is important.
Two-factor authentication adds a layer of protection to your online accounts, so that a stolen password on its own is not enough for an attacker to get in.
Cyber-attacks are a very big deal. Global cybercrime is expected to inflict a total of $6 trillion in damages in 2021. For perspective, the entire economy of Africa is about $2.5 trillion.
According to BusinessDay, Nigerian banks lost N3.5 billion between July and September 2020 to electronic fraud incidents. That figure represents a 534% increase over the same period in 2019, when it was N552 million.
The Nigeria Deposit Insurance Corporation (NDIC) said in 2018 that Nigerian banks lost over N5.5 billion to fraud.
More alarming still, every 32 seconds a hacker attacks someone online.
And this is exactly why experts say 2FA is a must for everyone who uses the internet. It is "two-factor" because, apart from your usual factor, the password that every account has (something you know), you also have to prove you are the owner of the account with a code retrieved from your phone (something you have). I find it quite inconveniencing but I take it as a small price I pay for added protection.
Unfortunately, an overwhelming number of people who set up 2FA use text-message codes. The website you are logging in to sends an SMS containing a 4- to 8-digit code to the phone number you registered with them. You then type the time-limited code into a second screen before you are let into your account.
Like I said, it's inconvenient, but you can't argue that it isn't simple. The problem is that out of the many 2FA methods available, text messaging is about the least secure method of authentication around.
There are a myriad of ways in which hackers can get hold of your codes and use them, but a common one is bribing or deceiving telecom workers, a trick known as SIM swapping. Your phone number is transferred from your SIM card to one the attacker controls. Once your number is assigned to the new SIM, all of your incoming calls and text messages, login codes included, are routed to whatever phone that SIM is in. This happened in 2016 to the then Chief Technologist of the US Federal Trade Commission, whose number was hijacked using social engineering. Similar strategies were used by hackers to steal millions of dollars' worth of bitcoin in the same year.
Several other ways to defeat SMS-based 2FA include targeting weaknesses in SS7, the signalling system the world's phone networks use to talk to each other. A full technical explanation would take a while, but just know that because of the way the global phone network is engineered (flaws and all), it is possible for an attacker to have your SMS messages routed to their own phones. Right now, there is an Israeli company you can pay to spy on (almost) any phone in the world and remotely capture its text messages.
There is also the exposure to malware and keyloggers on your phone, to phishing pages that ask you for the code and relay it to the real site while it is still valid, and to man-in-the-middle (MITM) attacks.
Do you know that it is possible for workers at MTN (or any other telecom) to read your messages? SMS has no end-to-end encryption, so every code passes through your carrier in plain text.
It should be abundantly clear at this point that using SMS as your second factor is strongly advised against wherever you have a choice. If SMS is the only option a site offers, it is still better than a password alone; just switch the moment the site supports something stronger.
Your best bet is to use app-generated codes or just plain old physical security keys (remember tokens?). Neither depends on the phone network: the code is computed on your device from a secret you set up once, so there is nothing for a SIM swapper or an SS7 eavesdropper to intercept.
So which apps do I advise? Authy is a good one. It is Twilio-owned and lets you manage accounts and backups across multiple devices. Strangely enough, I use the Google Authenticator app for my Facebook account. But Authy is widely regarded as the best multi-device solution.
So go ahead, stop being so vulnerable to hackers. Secure your online accounts.
You are welcome!