Skip to main content

Back to Blog

Cracking Multi-Factor Authentication on the Cheap

Over the last few years, Multi-Factor Authentication (MFA) use has become more common across industries. Having MFA associated with your phone number feels comforting, but it’s also plagued by hackers looking for new methods of attack.  

If you are holding your phone, is it safe to get a text with a confirmation code sent to your device? Hackers have ways of exploiting this type of verification, especially through SIM jacking and SS7 attacks, and these methods undermine MFA.

Unfortunately, recent information has revealed that SMS-related hacking might be even easier and more prevalent than we realize. Cybersecurity columnist Joseph Cox, a contributor to Vice, recently published an article detailing an experiment related to the security of SMS-based authentication.

In his venture, Cox paid a hacker under the account name Lucky225 to try to gain access to his identity without having his physical device. It turned out to be a startlingly easy task, using a more straightforward method than SIM jacking.

Lucky225 was able to log in to Cox’s accounts using the common text message two-factor authentication method. The hacker was able to do all of this while Cox’s phone was still on and in his possession. As Cox writes, “my phone seemed normal. Except I never received the messages intended for me, but he did.” 

So, what happened? It sounds like the hacker was able to gain access to Cox’s phone, without a single red flag popping up. No security alert on his device, no ‘Was this you?’ email.

It turns out that Lucky225 made this possible by using a commercial messaging service designed for mass messaging, business messaging, and rich text messaging and by submitting a phony Letter of Authorization indicating that they were the owner Cox’s phone number.

The cost of this service was sixteen dollars. That was the sum cost for Lucky225 to re-route all of Cox’s incoming text messages to different hardware, without any alerts being sent to Cox. None of his connected accounts showed any signs of tampering.

It isn’t difficult to see how this attack method has the potential for dramatic ramifications. If criminals can essentially steal a phone number without the user realizing it, and access personal accounts without any indication, they may be able to compromise privacy, drain bank accounts, and even steal complete identities.

The serious nature of this situation is compounded rapidly by the occurrence of password reuse. This common habit where many users choose slight variations on the same password across accounts and devices makes it easy for hackers to guess additional account credentials once they have a foot in the door.

Stories like Cox’s can make professionals and device users feel as though they are fighting a hydra: when one proverbial head is chopped off, seven grow up from the same place. So, what can we do to keep authentication secure? 

To start, we can remember that the value of MFA lies in the strength of multiple layers. Each layer must be hardened. In other words, to take full advantage of Multi-Factor Authentication, all of the layers must be secured to the greatest extent possible.

One of the easiest things for both individuals and companies to do is to harden the password layer. Employees can help themselves by choosing strong, unique passwords, but enterprises and companies can help everyone at once by instituting continuous password monitoring. Good password filtering removes the need for overly complex passwords, and thereby, relieves user frustration.

As criminals spook us with new hacking methods, the lesson should not be to look for the next silver bullet. It’s crucial to remember cybersecurity best practices that harden each of the layers we use.