I just ‘WannaCry’ at SMS Two-Factor Auth

Pay up or lose your data
Courtesy of http://now.avg.com/

Of course, the big security and tech news last weekend was the WannaCry ransomware cyber attack that hit multiple countries and infected thousands of PCs. For those uninitiated with the idea of ransomware, it is a form of malware that encrypts personal files on your PC and then demands payment – or ransom – in order for your files to be decrypted and recoverable. Often times ransomware, such as WannaCry, will warn users that if payment is not done after a certain amount of time, all the affected files will be deleted. Often users will pay because they don’t have a backup of those files available, unfortunately.

WannaCry became such a big media frenzy that I didn’t really want to touch on it too much. It was worth mentioning only because if you’re in security, you can’t really ignore it.

I did want to touch on more about the insecurities of SMS “two-factor” authentication. Two words: it’s bad. My bank uses SMS authentication; many of my social media accounts use SMS authentication; many of the services I use only offer SMS authentication. It’s a false security blanket as the protocol used for sending and receiving text messages can be easily intercepted by determined cyber crooks. Ultimately, it really isn’t “two-factor” at all since phone numbers can be spoofed to match a user’s existing phone number. Whereas Google Authenticator and other similar services are far more secure because they generate unique, time-based codes that aren’t going to get incepted like SMS text messages. It’s just for some reason SMS became the default because it’s “easy.” Again, it’s always a balance between convenience and security for users and often convenience tips the balance far too much on its side.

So, I just ‘Wannacry’ at the “two-factor” authentication most users have at their disposal. Then again, how do you tell grandma to use Google Authenticator? Nowadays, it’s not just teaching grandma how to use her phone, but how to keep the data on her phone from getting stolen and being exploited.

Maybe we just need to have a chain of “five-factor” authentication methods like this to be truly secure.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s