How many times did you log in to a digital account today? It was probably more than once. Some people access digital sites via computer or tablet, but many others rely on their phones. Deloitte recently reported that the essentials of life have expanded and now encompass air, water, food, and smartphones.
No matter what device they choose, in order to access an account, users must prove their identity. Typically, proving who you are requires one or more pieces of information. These may include:
- Something you know, like a PIN, password, or pattern;
- Something you have, like a code-generating phone or hardware token; or
- Something you are, as proved by fingerprints, voice recognition, or eye scans.
Before data breaches became an all-too-common occurrence, a lot of people relied on single-factor authentication (SFA) to protect digital accounts, for example a username plus a password. The single factor in this instance is your password.
The rise of two-factor authentication
Today, more and more people are relying on two-factor authentication (2FA) to protect their accounts. With 2FA, you enter a username, a password, and a second factor. Often, the second factor is a temporary code that is sent to your mobile phone via text message (a.k.a. Short Message Service or SMS) or voice mail. This form of 2FA is remarkably convenient, but it may not provide the level of security you want to have.
In July 2016, the U.S. Department of Commerce’s National Institute of Standards and Technology recommended that account providers – banks, retailers, financial companies, lenders, social media sites, messaging app providers, and so on – offer alternative ways to authenticate accounts, “Due to the risk that SMS messages or voice calls may be intercepted or redirected…”
Hackers have targeted the 2FA vulnerability
Forbes recently reported hackers have found ways to hijack SMS codes and steal millions. One victim “…was notified the passwords had been reset on two of his email addresses. He tried to set up new passwords himself by prompting the email service to send him text messages containing a code – but they never arrived. ‘So I called the company to make sure I hadn’t forgotten to pay my phone bill, and they said, you don’t have a phone with us. You transferred your phone away to another company,’ [the victim] says. A hacker had faked his identity and transferred his phone number from [one phone provider] to a carrier…that was linked to a…[voice] account in the hacker’s possession.”
The hacker received all of the victim’s phone calls and messages and subsequently used them to reset passwords for email addresses and accounts by having the SMS codes sent to the victim’s (and now the hacker’s) phone number. It took just a few minutes for the victim to be locked out and the hacker to gain access to 30 accounts, including bank and payment processing accounts.
There are 2FA options that provide greater security
While it is a good idea to change your security choices for accounts that are currently sending codes via text or voice mail, there is no need to panic. Wired pointed out:
“…attacks aren’t exactly easy to pull off, and likely require the attacker to figure out the user’s cell phone number in addition to the password that they’ve stolen, guessed, or reused after being compromised in a data breach from another hacked service. But for anyone who might be a target of sophisticated hackers, all of those techniques mean SMS should be avoided when possible for anything login-related.”
Fortunately, there are other 2FA options that provide an improved level of security. Wired suggested using authentication applications or tokens that generate one-time codes. Both are more secure than SMS options.
Keeping data secure online is a significant issue and the primary reason people continue to avoid accessing sensitive accounts electronically, according to the Federal Reserve. Staying up to date on security vulnerabilities and protections is critical if digital communication is an integral part of your life.
Securities offered through LPL, Member FINRA/SIPC. Investment advice offered through Private Advisor Group, a registered investment advisor. Private Advisor Group and Antoine Williams & Associates Financial Services are separate entities from LPL Financial. This material was prepared by Peak Advisor Alliance. Peak Advisor Alliance is not affiliated with the named broker/dealer.