Multi Factor Authentication (MFA, 2FA) is great, and it is universally recommended that if a service supports multi factor authentication, it should be enabled. It’s so effective that Microsoft has found that Multi Factor Authentication can thwart 99.9% of attacks on your accounts. But what about that 0.1%?
The most common way of working with Multi Factor Authentication is by using an SMS text message that is sent to your phone number. This is where the vulnerability lies. Security is only as strong as its weakest link and in this case, the weakest link is your cellular carrier.
There are two basic types of attack that involve your cellular phone/account. SIM Cloning/Swapping attacks and Port Out attacks.
Sim cloning happens when a person is able to make a copy of the SIM card in your phone leaving them able to put that into a device of their own and make the carrier think that their phone is now tied to your number. Another variation of this attack involves the attacker convincing the carrier or an employee at the carrier to change the SIM tied to your phone number to a different SIM that they have. At this point they have full control over your phone number and can do as they please with it, meaning they can potentially initiate password resets and log into any account tied to that phone number.
Port out attacks occur when someone initializes a port or transfer of your number from one cellular account or carrier to another. This gives that person control of your phone number and can, at this point, get every Multi Factor Code sent to your phone. Think about how many accounts can be reset or logged into just by getting a code sent to your phone this person can now either log into or reset the password for any account tied to this number.
Protecting yourself from these types of attacks involves two key parts.
By following the steps above and working with your wireless provider’s built-in security options you will be able to greatly increase the security of ALL of your accounts that are tied to your phone number and make a possible security disaster a worry of the past.