From Tech Republic:
Recently, my PayPal account was hacked, and it’s not the first or second time it’s happened. Fortunately, I have enough alerts set up to catch these things fairly quickly and act on them, but that doesn’t mean all is well. It’s not. I know it’s only a matter of time before another account is hacked.
At this point, you’re probably thinking: “Why doesn’t he use a strong password and two-factor authentication on those accounts?” My answer: I do. All of my accounts are protected by passwords I couldn’t even think about memorizing, generated by a random password generator. Every account I use has 2FA enabled.
But not all 2FA setups are built the same. Let me explain: Of all the accounts I have — and, like you, they are many — only one configuration ever gets hacked. That configuration is 2FA sent over SMS. The accounts using 2FA via a password app like Authy or Google’s Authenticator have never had any problems.
But those SMS 2FA accounts have been nothing but problems. Why is this an issue? Simply put, when those 2FA codes are submitted via SMS text, they can be intercepted by the wrong people. If they already have your login credentials, the SMS text is the missing piece. Once they can intercept that code, they have the keys to the kingdom and lay waste to all that awaits them.
2FA via an authenticator app isn’t nearly as simple to crack. The problem is that a lot of institutions — especially banks — fail to see this vulnerability and continue going about the business of using an inferior security mechanism.
Believe it or not, I get it. Many organizations understand that getting users to enable 2FA is already a losing proposition. Most consumers don’t want to have to deal with the fiddly bits of requesting a code, waiting and then typing it. These are the same people still using “password123” for their login because they want everything to be as simple as possible.
. . . .
The thing is, these organizations are in a rather interesting and important position. Say, for example, that Bank X decides it’s had enough of accounts being hacked and put in place two things: Strong password requirements and authenticator app-style 2FA. Any customer of that bank would have to implement those two things immediately. Yes, there would be a kerfuffle over the change, but eventually, everyone would accept it and move on with the improved security. Soon enough, the ritual of logging in to an account would become second nature and the complaints would cease.
Bank X would have successfully helped its customers understand that a couple of extra steps are worth the added security. By leveraging auth apps over SMS codes, the bank heightens the security of their organization and hopefully slows down the number of hacks that occur.
Link to the rest at Tech Republic
For the record, PG has had problems with some, but not all 2-factor apps. As a general proposition, he tries to avoid more than a few of them, especially if the app is protecting the company, but not its customers.
It’s not 2FA if the company uses it as password recovery, (which, AFAIK, just about all of them do). Adding SMS 2FA to a password would improve security. Making SMS a password bypass/reset mechanism makes it a giant vulnerability.
It’s not 2FA if it’s subject to a MITM (man-in-the-middle) attack, or relies upon a “thing” instead of a “response with knowledge.” All SMS systems are inherently vulnerable to MITM attacks (it’s designed that way for Reasons that I’m prohibited from discussing, and the particular design was… inept, but extremely cheap to implement). And it gets even worse when one know the addresses of the terminating and originating communication nodes in advance… such as “I know the victim’s phone number and Paypal’s/Zelle’s/the bank’s verification node.”
Unfortunately, most of the app-based systems are worse because — thanks in large part to the IT industry’s meme that no user can chew on both sides of the mouth at the same time, let alone walk (or type) and chew gum at the same time — they build in so many extra connectivity hooks that they’re vulnerable to attack via the same methodology as the international-calling phone system in the 1970s. That’s a step up from an overt MITM attack in sophistication, but only one step. Then, too, one must trust both the apps and the operating system of whatever device they’re operating on to maintain data integrity while not misusing the fact of a particular connection to profile the user (which can, in turn, fatally compromise any non-knowledge-based security system)… darn it, there goes a significant revenue stream for the makers of both major phone OSs and all of the major carriers…