Security codes sent by SMS to your mobile phone for logging on to websites such as online banking have proven to be so unsecure that the US National Institute of Standards and Technology (NIST) has now moved to ban their use.
Two-factor authentication using SMS codes is extremely widespread, and BankVault has long argued two factor solutions are not enough.
The glaring security weakness of mobile voice and text messages was magnificently highlighted by 60 Minutes in mid-2015, when hackers working from Berlin (with permission) were able to easily access and record the mobile phone conversations and text messages of Australian Senator Nick Xenaphon. The hackers were only provided with the Senator’s mobile number.
Senator Xenaphon said at the time, ‘This is actually quite shocking because it affects everyone. It means anyone with a mobile phone can be hacked, can be bugged, can be harassed.’
The 60 Minutes episode also went on to demonstrate how another approach using a device known as an IMSI Catcher – essentially a fake mobile phone tower, can be used to intercept mobile connections to the phone tower, forcing down the connection from 3 or 4G, to the far weaker encryption of 2G which is easily cracked.
The program even shows that suspected IMSI Catchers were actively in operation around Sydney’s eastern suburbs and stock exchange.
In both hacking examples, SMS and voice messaging are completely vulnerable, yet people’s livelihoods, businesses and finances utterly depend on them. An IMSI Catcher can be purchased online from sites such as Alibaba for just AU$1-2000.
The vulnerability of SMS-based authentication isn’t new, but the move by NIST raises the stakes dramatically. NIST also recommends the use of alternative solutions, in fact, one of its recommendations specifies the benefits of physical USB devices—just like BankVault Business.
BankVault offers a secure solution for logging on, and much more. Revelations like these highlight how BankVault is leading the world with the safest and most secure approach possible.
How safe do you feel with SMS security codes to protect your bank accounts? Share how you feel about the NIST recommendations on the BankVault Facebook page, and follow us there to keep up with the latest hacking news from around Australia and the world.