2 Factor Authentication - Is It Enough?
Even if you're new to the crypto-sphere, you're probably familiar with 2 Factor Authentication (2FA), offered on various platforms, including crypto-currency exchanges, to help verify account owners. After your password, 2FA provides an additional layer of protection to check that you are indeed who you say you are. On crypto-exchanges, 2FA is commonly required to initiate any transaction relating to your assets. This gives users a greater sense of security and confidence in managing their accounts.
But is this a false sense of security?
Before answering the question, let's first define 2FA.
2 Factor Authentication
Many of the world's most popular websites already use some form of 2FA, although it may go by another name: Twitter calls it login verification, Facebook login approvals and Google 2-step verification. Regardless of what it's called, 2FA is an accessible way to strengthen account security without having to get too technical.
According to the Electronic Frontier Foundation (EFF), 2FA comes in several forms:
A one-time verification code sent to you via SMS text message
A time-based one-time password (TOTP) generated by a dedicated app, like Google Authenticator and Authy
A download-able, print-able, hard-copy backup code
A hardware token, like a Yubikey
Google Authenticator is widely used throughout the internet providing users quick and easy 2FA services. Bittrex, Changelly and Coinbase are just a few examples of crypto-exchanges that provide users with the option to enable Google Authenticator 2FA.
While the EFF certainly advocates the use of 2FA (in combination with a strong password), it also cautions that 2FA is not infallible and can be vulnerable to attack. For example, when 2FA codes are delivered in SMS form, the texts, and the codes they contain, can be intercepted by the telecom carrier and by third parties.
In a recent article titled Here's How Hackers can Hijack Your Online Bitcoin Wallet, The Hacker News reports that a long-suspected 'critical issue' in Signalling System No. 7 (SS7), the protocol suite carriers use to route calls and text messages between networks, allows attackers to eavesdrop on phone conversations and to intercept and read text messages, and that it could be exploited on a large scale regardless of the encryption used on the cellular radio link, because SS7 sits in the core network behind that encryption.
Despite fixes having been available for years, cellular network operators worldwide have consistently ignored this serious issue, arguing that exploiting the SS7 weaknesses requires significant technical and financial investment and therefore poses a very low risk to ordinary people.
However, earlier this year we saw real-world attacks in which criminals used this design flaw in SS7 to drain victims' bank accounts, intercepting the two-factor authentication codes (one-time passcodes, or OTPs) that banks sent to their customers and redirecting them to themselves.
In addition to demonstrating the vulnerability of the telecom networks, white hat hackers also showed how the SS7 weakness could be used to take control of online bitcoin wallets and drain them of their assets.
While demonstrating the attack, the Positive [white hat] researchers first obtained the Gmail address and phone number of the target, and then initiated a password reset request for the account, which caused a one-time authorization token to be sent to the target's phone number.
Just like in previous SS7 hacks, the Positive [white hat] researchers were able to intercept the SMS message containing the 2FA code by exploiting known design flaws in SS7, and thereby gained access to the Gmail inbox.
From there, the researchers went straight to the Coinbase account registered with the compromised Gmail address and initiated another password reset, this time for the victim's Coinbase wallet. Because the email account is the recovery root for the exchange account, controlling it was enough: they logged into the wallet and emptied it of crypto-cash.
Thankfully, these hacks were not executed by cyber-criminals but by white hat hackers who wanted to demonstrate the weakness of SS7 and of SMS-based 2FA, especially to raise awareness among crypto-currency investors and enthusiasts.
Aside from the SS7 issue, there are further weaknesses related to phones in general. Your phone number is a weak point if a cyber-criminal obtains it along with a few personal details.
All an attacker has to do is call your cell phone company's customer service department and pretend to be you, armed with the kinds of details that regularly leak in big database breaches and are used for identity theft: a credit card number, the last four digits of an SSN, and so on. With those, the attacker can try to get your phone number moved to a phone they control (a so-called SIM swap).
The attacker can then disable 2FA or simply have the 2FA code sent to their phone via SMS or voice call.
Similarly, 'account recovery' remains a difficult conundrum: websites want to keep customers satisfied and do not wish to lock them out of their accounts. If a hacker knows enough about you and your habits, it is possible for them to gain access to your accounts through account recovery, provided they have enough personal information. New passwords can be generated and sent by email, ultimately bypassing 2FA.
Given that 2FA can be bypassed by exploiting the critical issues with SS7, there's not much an individual can do to completely eliminate the threat, since the telecom industry needs to address these vulnerabilities in its networks. Unfortunately, that seems unlikely to happen soon, as it would require a coordinated effort and a significant financial burden for the network providers.
Last year, researchers from Positive Technologies also demonstrated WhatsApp, Telegram and Facebook hacks using the same design flaws in SS7 to bypass the two-factor authentication used by those services.
As a precaution suggested by The Hacker News:
Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.
If there's a silver lining here for my fellow Steemians, it is that Steem wallets are some of the most secure in the crypto landscape: STEEM and SBD do not depend on 2FA and instead require the use of permission keys.
Tip: Do not keep your private keys on your computer; store them offline, where malware or a remote attacker cannot reach them.
Tip 2: Use your Posting Key to log into Steemit. It allows you to vote, post and comment but does not give access to wallet transactions.
Furthermore, it seems logical that as the adoption of 2FA becomes more mainstream, attacks against it will increase too. Some suggest that the next level of protection may come from 'biometrics', but for myself, I would prefer to put my trust in crypto-currency hardware wallets such as Trezor and Ledger Nano.
Of course, if you're accessing an exchange there is always going to be some risk involved, but hopefully being aware of some of the ways in which your accounts can be compromised will allow you to make better decisions going forward.