lesnopub.blogg.se

Microsoft not sending verification code












Microsoft’s warning is potentially dangerous and certainly ironic. Earlier this year, it confirmed that only 11% of its own enterprise accounts have multifactor authentication (MFA) enabled, that a million of those accounts are compromised monthly, and that any form of MFA, SMS included, would prevent 99% of those attacks. The biggest issue with MFA isn’t woeful SMS security, it’s take-up. As Cyjax CISO Ian Thornton-Trump points out, no SMS MFA on Office 365, “is how even a U.S. federal agency was ‘pwned’ the entire attack could have been mitigated.”

The new SMS security warning came from Alex Weinert, Microsoft’s Director of Identity Security, who wrote in a blog post that “I want to do what I can to convince you that it’s time to start your move away from SMS and voice Multi-Factor Authentication (MFA) mechanisms.” SMS messages are open to compromise in a way that other forms of MFA are not. But the simplicity of SMS passcodes that can be received by any phone has proven impossible to beat. There are no viable alternatives that match its ubiquity and ease of use for the majority of us.

The problem with SMS is that it’s built on an archaic architecture that sits inside the many cellular networks around the world. When you send an SMS, it might be secure between your phone and your network, but once there it can bounce in plain text form between various SMS message centers inside various carriers en route from sender to recipient. In reality, this new warning from Microsoft presents all the reasons we should be moving away from SMS for any of our communications.

“When SMS and voice protocols were developed,” Weinert explains, “they were designed without encryption. From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them (there are other reasons too, like message bloat, which have prevented these from taking hold over the existing protocols). What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device.”

A relatively sophisticated attack can intercept SMS messages within the network or deploy malware on smartphones to harvest codes as they’re received, along with usernames and passwords. Simpler attacks focus on SIM-swapping, where networks are tricked into issuing duplicate SIM cards, or phishing sites that entice users into entering their credentials (which are then entered behind the scenes into the real site) and then the MFA code when it’s received.












