SMS: Texting numeric strings is the best holiday gift to cyberthieves
For years, enterprise IT and security operations have been told they need to advance beyond texting short numeric strings in plain text and calling it meaningful Multi-Factor Authentication (MFA) or even just Two-Factor Authentication (2FA). It is stunning how many enterprises still cling to that entry-level security sham, even knowing how susceptible it is to man-in-the-middle attacks.

As for the oft-cited defense that “it’s better than having no MFA at all,” I am not so sure. It gives enterprise users the false comfort that they have meaningful security. That keeps companies from quickly deploying truly robust security, such as an MFA that uses several authentication layers, including voice recognition and facial or fingerprint ID courtesy of the ubiquitous smartphone, together with almost any of the mobile encrypted authentication apps. (Don’t forget that Signal can work well, too.)

Microsoft recently opted to state the obvious and then undermined its own credibility by really making it all about Microsoft Authenticator and Windows Hello. There’s nothing like laying out a coherent argument and then ruining it by saying “Therefore, you should download my app,” or “Send me your money.”

That said, if you ignore the blatant and self-serving sales pitch, Microsoft’s director of identity security, Alex Weinert, makes a good argument.

Weinert stressed the weaknesses of the public switched telephone network (PSTN) and then argued that it is still relied upon in a frightening number of places.

“It’s worth noting that every mechanism to exploit a credential can be used on PSTN – OTP. Phish? Check. Social? Check. Account takeover? Check. Device theft? Check. Your PSTN account has all the vulnerabilities of every other authenticator and a host of other issues specific to PSTN,” Weinert wrote. “Because so many devices rely on receiving PSTN messages, the format of the messages is limited.

Copyright © 2020 IDG Communications, Inc.