CertiK says SMS is the "most vulnerable" form of 2FA in use



Using SMS as a form of two-factor authentication has always been popular among crypto enthusiasts. After all, many users already trade their crypto or manage their social pages from their phones, so why not simply use SMS to verify when accessing sensitive financial content?

Unfortunately, scammers have lately caught on to exploiting the wealth buried beneath this layer of security through SIM swapping, the process of redirecting a person's SIM card to a phone in the hacker's possession. In many jurisdictions around the world, telecom employees will not ask for government ID, facial identification or social security numbers to handle a simple port request.

Combined with a quick search for publicly available personal information (quite common for Web 3.0 stakeholders) and easy-to-guess recovery questions, impersonators can quickly port an account's SMS 2FA to their phone and begin using it for nefarious means. Earlier this year, many crypto YouTubers fell victim to a SIM-swap attack in which hackers posted scam videos on their channels with text directing viewers to send money to the hacker's wallet. In June, Solana NFT project Duppies had its official Twitter account breached via a SIM swap, with hackers tweeting links to a fake stealth mint.

With regards to this matter, Cointelegraph spoke with CertiK’s security expert Jesse Leclere. Known as a leader in the blockchain security space, CertiK has helped over 3,600 projects secure $360 billion worth of digital assets and detected over 66,000 vulnerabilities since 2018. Here’s what Leclere had to say:

“SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use. Its appeal comes from its ease of use: most people are either on their phone or have it close at hand when they’re logging in to online platforms. But its vulnerability to SIM card swaps cannot be underestimated.”

Leclere explained that dedicated authenticator apps, such as Google Authenticator, Authy, or Duo, offer nearly all the convenience of SMS 2FA while removing the risk of SIM swapping. When asked if virtual or eSIM cards can hedge away the risk of SIM-swap-related phishing attacks, for Leclere the answer is a clear no:

"You have to keep in mind that SIM-swap attacks rely on identity fraud and social engineering. If a bad actor can trick a telecom employee into believing they are the legitimate owner of a number attached to a physical SIM, they can do the same for an eSIM."

Though it is possible to deter such attacks by locking the SIM card to one’s phone (Telecom companies can also unlock phones), Leclere nevertheless points to the gold standard of using physical security keys. “These keys plug into your computer’s USB port, and some are near-field communication (NFC) enabled for easier use with mobile devices,” explains Leclere. “An attacker would need to not only know your password but physically take possession of this key in order to get into your account.”

Leclere points out that after mandating the use of security keys for employees in 2017, Google has experienced zero successful phishing attacks. “However, they’re so effective that if you lose the one key that is tied to your account, you will most likely not be able to regain access to it. Keeping multiple keys in safe locations is important,” he added.

Finally, Leclere said that in addition to using an authenticator app or a security key, a good password manager makes it easy to create strong passwords without reusing them across multiple sites. "A strong, unique password paired with non-SMS 2FA is the best form of account security," he stated.
