Those ‘verification codes’ (for two-factor authentication) sent to your mobile phone via text messaging are vulnerable……….

Posted on August 28, 2016 by Don

There are known vulnerabilities in mobile phone networks that enable eavesdropping of voice and SMS (text) communications. What has changed: NIST issued a DRAFT publication that is now explicitly warning of this vulnerability (NIST Pub 800-63B, Sec. 5.1.3.2. Out of Band Verifiers). Also, an ‘exploit kit’ is available on the ‘Dark Web’ for a few hundred dollars enabling an attacker with minimal technical skill to ‘hack’ your mobile phone (BBC did a great piece with a layman’s description how this works). Consequently, two-factor authentication using ‘verification codes’ via text should not be considered secure.

About Don

Former C-Level Exec of NASDAQ company InfoSec Certifications: CISSP, CISO (Carnegie Mellon CIO Institute) / Founding member of several 'startups' / Georgetown University, Masters, Technology Management / InfoSec Certifications: CISSP, CISO (Carnegie Mellon CIO Institute)

View all posts by Don →

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Google+ account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

%d bloggers like this: