Stop using SMS as 2FA method!

I remember Google Mail (Gmail) was the first website where I needed two-step verification to log in. I thought that was a very important security layer for accessing personal email. I am not famous and the account is not financial, but imagine losing access to your email. Email is the “backbone” of every service we use on the internet: Facebook requires our email to log in, and so do Twitter, Instagram, even BlackBerry Messenger (sorry, what’s that?).

More on this: Mat Honan’s story in Wired and in Wired’s YouTube video, and the story of the $50K Twitter username that was lost.

Two-step verification is Google’s term for two-factor authentication (2FA), a special case of multi-factor authentication. It requires a minimum of two factors before granting the login or access to some information: something you know (password, PIN) and something you have (token, biometric).

Some internet banking and mobile banking services in Indonesia have implemented 2FA for performing transactions. Bank BCA and Bank Mandiri have a long track record of requiring customers to enter a key from a physical token (hard token) linked to their account. Bank CIMB Niaga, on the other hand, has implemented a slightly different way of delivering the token to the customer: it sends the token via text message (soft token). Recently Bank Mandiri also implemented tokens via text message (SMS) with the launch of Mandiri Online.

Soft tokens have made customers’ lives easier, since people commonly carry their phone everywhere at all times, but not the token device. But they carry risks: an attacker could use several ways to break into your account, such as malware, phishing, SIM-card swap, or social engineering. Beware!

Besides, attackers could also exploit[1][2][3] the SMS protocol (called SS7) without any contact with you to access the bank account.

The SS7 protocol has weaknesses, and attackers have exploited them to get into bank accounts. It stands for Signalling System No. 7, and it is what lets cellphone providers across the world deliver a text message from one person to another. It also keeps a phone call continuously connected while you travel by bus or train.

[Screenshot: Screen Shot 2017-05-21 at 14.08.01]

Add or change SMS to another security layer

As I mentioned earlier, I have enabled 2FA for logging in to my personal email. Google actually offers many ways to perform 2FA, including SMS, but I chose Google Prompt as the most secure 2FA method (I think!). Besides that, it also offers 2FA via Google Authenticator (as long as you are connected to the internet, even in roaming mode or after changing phone numbers while travelling), backup codes (in case the phone is offline or not near you), or even a security key that you attach to your physical keys.
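Added example, not code from the original post or from Google: a minimal Python implementation of the TOTP algorithm that Google Authenticator and similar apps use (RFC 6238), with a server-side verifier that tolerates clock drift, plus single-use backup codes stored as hashes. The test key is the RFC 4226/6238 reference key; the backup-code format (hex strings, SHA-256 hashes, the `issue_backup_codes`/`redeem_backup_code` names) is an assumption of this example. The point it makes: a TOTP code is derived only from a shared secret and the current time, so nothing travels over the SMS network for an SS7 attacker to intercept.

```python
"""Added example, not from the original post: a minimal RFC 6238 TOTP
generator/verifier plus single-use backup codes, showing what an
authenticator app and a backup-code list do under the hood."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Set, Tuple

# RFC 4226 / RFC 6238 appendix test key: "12345678901234567890" in base32.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. Only the secret and a clock are needed,
    so the phone can be offline and no SMS is involved."""
    return hotp(secret_b32, at_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps on
    either side to tolerate clock drift; each comparison is constant-time."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d, digits), candidate)
        for d in range(-window, window + 1)
    )


def issue_backup_codes(count: int = 5) -> Tuple[List[str], Set[str]]:
    """Generate backup codes (assumed format: 10 hex chars from a CSPRNG).
    The plaintext list is shown to the user once; only SHA-256 hashes are
    kept server-side, so a database leak does not expose usable codes."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: Set[str], candidate: str) -> bool:
    """Single use: the hash is removed on success, so a code that was
    captured once cannot be replayed later."""
    h = hashlib.sha256(candidate.strip().encode()).hexdigest()
    if h in stored:
        stored.remove(h)
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("Current TOTP for the RFC test key:", totp(RFC_TEST_SECRET_B32, now))
    print("Verifies:", verify_totp(RFC_TEST_SECRET_B32, totp(RFC_TEST_SECRET_B32, now), now))
    codes, stored = issue_backup_codes(3)
    print("Backup codes (show once):", codes)
    print("First redemption:", redeem_backup_code(stored, codes[0]))
    print("Replay of same code:", redeem_backup_code(stored, codes[0]))
```

Run it as a script and it prints the current code for the reference key and demonstrates that a backup code works exactly once. The `window` parameter is the usual trade-off: a wider window survives more clock drift on the phone but also lengthens the time a code stays valid.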

Banks need to change too!

Besides the security aspect, SMS as 2FA has another problem: telco reliability. Some people say they are unable to receive the text message carrying the token, probably because of a weak signal or even insufficient balance on the number (yes, the customer is charged for the text message). So I think this is a good moment, and a better choice, for banks to change the way they offer 2FA to customers.

I only have accounts at 3 banks, so if you have experience with other banks, please feel free to share it in the comments below.

