Renewed attacks have begun on SMS services around the globe, making SMS 2-Factor Authentication an unsuitable option for authentication.
For $16 USD, an individual can sign up for a service that will intercept a target phone number’s SMS messages and forward them to a number of their choice – as long as the individual is willing to provide a signed “Letter of Authority” in which they attest that they are the owner of the phone number in question.
Platforms such as Sakari are actively being used to breach online accounts containing sensitive information, such as banking and health data.
In recent years, attacks targeting ultra-high-net-worth and highly visible individuals have increased greatly. In July 2020, Graham Ivan Clark brazenly hacked into social media accounts belonging to President Joe Biden, former President Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather, Kim Kardashian, Apple, Uber, and other companies.
These new SMS attacks will make such incidents far more likely to succeed, given the number of online services now available for bypassing SMS authentication measures.
Critical Path Security recommends that individuals and organizations quickly migrate from SMS-based authentication to Multi-Factor Authentication applications, such as Duo, Google Authenticator, Okta, Yubico, and Microsoft Authenticator.
Additionally, we advise individuals and organizations to remove phone numbers from online accounts wherever they can and to avoid selecting SMS or phone calls for second factors or one-time codes. Phone numbers were never designed to be used for authentication. It's time to move on and harden the defenses against these attacks.
If you need any assistance in this process, please do not hesitate to reach out to the Critical Path Security team.
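The authenticator applications recommended above work differently from SMS codes: the server and the app share a secret at enrollment, and every code is derived from that secret and the current time on the device itself (RFC 6238 TOTP), so there is no message travelling over the phone network for a redirection service to capture. The following is an added example, not code from Critical Path Security or from any of the vendors named above, showing the server side of that scheme in plain Python: generating an enrollment secret, building the `otpauth://` provisioning URI that the apps scan, computing codes, and verifying a submitted code with a small clock-drift window and replay protection. The secret `RFC_SECRET` is the published RFC 6238 test vector; the account and issuer names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Published RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def generate_secret(nbytes: int = 20) -> bytes:
    """Create a fresh per-user enrollment secret (160 bits for SHA-1 HMAC)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI that authenticator apps import via QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, timestamp // period, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, period: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Check a submitted code against the current step plus/minus `window` steps.

    Returns (accepted, counter_to_store). Storing the accepted counter and
    refusing anything at or below it prevents a captured code from being
    replayed within the drift window.
    """
    current = timestamp // period
    for drift in range(-window, window + 1):
        candidate = current + drift
        if candidate <= last_counter:
            continue  # already used (or older than the last accepted step)
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    # Enrollment: generate a secret and hand the URI to the user's app (constructed names).
    user_secret = generate_secret()
    print(provisioning_uri(user_secret, "alice@example.test", "ExampleCorp"))

    # Login: the app computes the code locally; the server verifies it.
    now = int(time.time())
    submitted = totp(user_secret, now)
    ok, counter = verify_totp(user_secret, submitted, now)
    print("accepted:", ok, "stored counter:", counter)

    # Replaying the same code against the stored counter is rejected.
    print("replay accepted:", verify_totp(user_secret, submitted, now, last_counter=counter)[0])
```

Persist `counter_to_store` per user after each successful check; without it, a code that was shoulder-surfed or phished remains valid for the whole drift window.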