Multi-factor authentication (“MFA”) is a technology which has seen widespread adoption across numerous platforms such as Facebook, Google and various Microsoft services. It requires users to have two or more factors prior to access being granted to their account. This is typically implemented through something known to the user, i.e. a password, and something they have, such as a phone or hardware token.
SMS based MFA is one of the most common methods of MFA implemented in applications, as it is simple for end users to enable, requiring only that they enter their mobile number into the associated application. However, SMS based MFA is a weak form of MFA when compared to alternatives such as authenticator applications, and is vulnerable to various attacks including:
- Stealing the target’s mobile device. As most smartphones preview messages on the lock screen, the code can be read without knowing the device’s PIN code; and
- Unauthorised porting of a target’s mobile number to a service under the control of an attacker.
The easiest of these, and one which can be undertaken by anyone with little to no technical knowledge, is porting the target’s mobile number from their current service to one under the attacker’s control.
How easily could my number be ported to another service?
A customer’s name and date of birth are the only two pieces of information required by law for a telecommunications carrier (“telco”) to process a port request. Telcos are required to authenticate the customer prior to submitting a port request; however, the rigour with which this authentication is performed depends on the telco and the individual customer service representative.
Australian telcos do not promote any specific methods which customers can implement to directly prevent unauthorised port requests. Telstra have advised that users are required to provide a PIN prior to any changes being actioned on their account, and while this behaviour is similar to other major Australian telcos, it does not prevent an unauthorised port when the request is submitted by another carrier.
How do I know my number has been ported?
Pay attention to your mobile service. Signs of initial attempts at an unauthorised port may be unsolicited text messages, emails or letters from your provider. A successful port may occur without any prior warning, and will simply result in a complete loss of service.
If you notice your mobile device is unable to obtain network service where others around you can, contact your provider immediately and ask to speak to a representative regarding an unauthorised porting request. These can typically be reversed if caught early enough.
What can I do to secure my accounts, and protect myself from unauthorised porting?
Further steps may be taken not only to protect your online account, but to prevent your service from being subject to unauthorised porting attempts:
- Disable SMS based MFA on all accounts in favour of an authenticator app or physical token.
- If you currently default to an authenticator app, review your account settings to ensure SMS based MFA is not listed as a backup method.
- Where services do not support hardware tokens or authenticator applications, consider purchasing a second mobile device to be used only for MFA authentication. This mobile number should not be associated with any accounts or shared publicly.
- Ensure all authentication factors are secure. Passwords should be unique for every online account and a minimum of 12 characters long.
- Passphrases such as “iliketoenjoylongwalksonthebeachwithmydog” are far more secure and easier to remember than short passwords with common character substitutions.
- Consider using a reputable password manager application.
If the above information raises any concerns within your organisation or you would like to discuss any of the issues with someone from CQR please call 1300 277 001 or email firstname.lastname@example.org