SMS Password Recovery: nopls
Allowing SMS password recovery on your applications has now become a horrible means of password recovery. Read on to find out why.
Allowing SMS password recovery in your applications has become a horrible means of password recovery. Recent hacks (e.g. the LinusTechTips incident) show a rising trend of attacks carried out through social engineering.
The best thing ever, but often incorrectly implemented: two-factor authentication.
Two-factor authentication is great, but if someone can get control of your cell phone number, how secure is it really? You may be just the average Joe, with nothing extremely important tied to your name (such as an entire company, or social media accounts with millions of followers), but the issue lies in the default methods that many services use to implement two-factor authentication alongside password recovery.
The attack worked like this: someone, either in person or over the phone, contacted Bell Canada pretending to be Linus Sebastian and convinced them to activate a new account on his number, which then allowed the attacker to reset passwords through SMS.
This “hack,” which has been performed on many people, was targeted at Linus Media Group, the media company formed by Linus Sebastian, whose team has worked extremely hard to produce such successful results. Props to the team at Linus Media Group.
However, this raises a bigger issue than Linus’ mother-in-law’s question, “Did they place any long distance phone calls?”: the insecurity on the mobile operator's side. For example, Authy, an alternative to Google Authenticator, lets you sync your mobile authentication keys, “encrypted,” through their website. A weak password and your cell phone number are all it takes for ALL of your authentication to be compromised. Remember, once they have your email, they typically have everything. Consider the implications for your job and your personal life: you could potentially lose all your money, as well as your job, over an insecurity for which you would theoretically be liable.
If you use two-factor authentication, great! Just make sure that your phone is definitely not a SINGLE factor for password recovery, because until the carriers check themselves and become more secure, you’re vulnerable to exactly what happened to Linus Media Group. Don’t be caught with your pants down.
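As an added illustration of the point above (this is example code written for this page, not code from the original article or from any of the services it mentions), here is a small account-recovery policy check that refuses to proceed when an SMS code is the only thing the user has proven. It treats anything delivered to the phone number as one group, since a carrier-side takeover compromises all of it at once, and requires a second factor that does not depend on the phone number. The factor names, the `phone_changed_at` cooldown and the request structure are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

# Factors whose delivery depends on control of the phone number. A carrier
# activating "a new account" for an impostor hands all of these over at once.
PHONE_NUMBER_FACTORS = {"sms_code", "voice_call_code"}

# Factors that do not depend on the phone number (names are assumptions).
INDEPENDENT_FACTORS = {"email_link", "totp", "recovery_code", "hardware_key"}


@dataclass
class RecoveryRequest:
    account: str
    verified_factors: Set[str]                      # factors already proven
    phone_changed_at: Optional[datetime] = None     # hypothetical audit field
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def evaluate_recovery(req: RecoveryRequest,
                      phone_change_cooldown: timedelta = timedelta(days=7)
                      ) -> Tuple[bool, str]:
    """Return (allowed, reason) for a password-recovery attempt.

    Policy: at least two proven factors, and at least one of them must be
    independent of the phone number. SMS alone is never enough.
    """
    phone_factors = req.verified_factors & PHONE_NUMBER_FACTORS
    independent = req.verified_factors & INDEPENDENT_FACTORS

    # A phone number changed very recently is exactly what a port-out or
    # SIM swap looks like from the service's side, so its factors are
    # discounted for the cooldown period (assumed mitigation, not from the page).
    if (req.phone_changed_at is not None
            and req.now - req.phone_changed_at < phone_change_cooldown):
        phone_factors = set()

    if not independent:
        # Only phone-delivered factors (or nothing) were proven.
        return (False, "sms_only") if phone_factors else (False, "no_factor")

    # One independent factor plus a phone factor, or two independent factors.
    if phone_factors or len(independent) >= 2:
        return True, "ok"

    return False, "single_factor"


if __name__ == "__main__":
    # Constructed sample requests showing each policy outcome.
    samples = [
        RecoveryRequest("alice", {"sms_code"}),
        RecoveryRequest("alice", {"sms_code", "email_link"}),
        RecoveryRequest("alice", {"email_link"}),
        RecoveryRequest("alice", {"totp", "recovery_code"}),
    ]
    for s in samples:
        print(sorted(s.verified_factors), "->", evaluate_recovery(s))
```

The reason string is meant for logging: a stream of `sms_only` refusals against one account shortly after a phone-number change is the kind of signal worth alerting on, since it is what the attack on Linus Media Group would look like from the service's side.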
How do you feel about password recovery via SMS? Your feedback is appreciated in the comments section.
Published at DZone with permission of Adam Jones, DZone MVB. See the original article here.