BID® Daily Newsletter
Aug 21, 2025


Rethinking SMS for Two-Factor Authentication

Summary: Text message one-time passcodes are increasingly vulnerable to interception. We discuss the concerns and the alternatives CFIs should consider to boost security.

In the classic scary movie “When A Stranger Calls,” a babysitter receives persistent phone calls from an anonymous man asking if she’s checked on the kids she’s watching. The kids are already asleep for the night, and when she sees that they’re still in bed, she tries to write the calls off as a prank. Yet, the calls escalate, and so does the danger. When the babysitter contacts the police to get the call traced the next time the man calls her, the police reveal that “the call is coming from inside the house.” It turns out that the man was hiding upstairs the whole time and had already killed the children. Caller ID wasn’t around yet when the 1979 film was made, but nowadays, we typically know who is calling us or at least the number they’re using. But do we always know the origin of our text messages?
If you receive an authentication text from your bank, the kind carrying a 4-digit or 6-digit passcode, it likely didn't originate at the bank. It was most likely sent by a third-party messaging provider the bank contracts with. The security of those messages has now come into question.
Multi-factor authentication that sends one-time passcodes via Short Message Service (SMS) text messages has been a common way to strengthen online security, but it's not as secure as it may seem. Community financial institutions (CFIs) that encourage customers to use text message–based one-time codes for multi-factor authentication may want to reconsider.
Security Concerns over SMS/Text One-Time Passcodes
The problem is that one-time codes delivered over SMS can be intercepted or phished. A bad actor who already holds the username and password and then obtains the one-time code has everything needed to gain access.
Two-factor authentication of this kind pairs a password with a login code sent over SMS, the text-messaging service of the cellular network. The user receives the code (usually a string of digits) in a text message and types it into the login form. If it matches the code the server issued, the user is admitted.
The idea is that the user gets a fresh code at every login, so the step should add safety to the process. Even if someone steals the password, they still need the texted code to get in. Unfortunately, cyber crooks have several ways to get it: intercepting the message on its way to the handset, taking over the phone number itself (a SIM swap or port-out), or simply running a look-alike login page that asks the victim to type the code and relays it to the real site before it expires. The code is a shared secret, and the bank's server cannot tell whether it was typed by the customer or by someone who captured it. A financial account protected this way ends up nearly as exposed as it was before the extra layer of authentication was added.
One weak point is the delivery chain. Companies contract third-party providers to route the codes over SMS, and those providers, and the intermediaries they route through, can be compromised, according to reporting by Bloomberg and Lighthouse Reports. Financial institutions and tech firms rely on these contractors to deliver account login messages, and the reporting questioned how secure those messages really are.
In addition, SMS messages are not encrypted end to end, so anyone with access to the message in transit, whether a compromised provider or an attacker positioned between the bank's provider and the handset, can read the code. Phishing adds another path that needs no interception at all: a fake login page collects the code from the customer directly. Both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned about the security problems with SMS-based two-factor authentication and have recommended alternatives.
Steps CFIs Can Take To Protect Themselves and Their Customers
If your CFI uses SMS-based authentication codes, now is the time to explore alternatives. A good place to start is CISA's Mobile Communications Best Practice Guidance, published in December 2024, which advises against SMS as a second factor. The key is to stop relying on unencrypted SMS texts, and ideally on typed one-time codes of any kind, as the means of verifying account logins.
Here are several steps for CFIs to consider:
  1. Wean yourself and your clients off SMS for two-factor authentication. Text message–based codes are vulnerable to interception and are compromised more easily than other methods. Set a plan to gradually retire SMS for authentication and transition users to more secure options, such as authenticator apps or passkeys, keeping SMS only as a fallback with a defined end date.
  2. Consider an encrypted messaging channel to replace SMS in the interim. Such apps run on the customer's phone and decrypt messages only there, so a login code sent this way cannot be read by the carrier or by an SMS aggregator. WhatsApp is one widely used end-to-end encrypted app. Note the limit of this step: encrypted delivery protects the code in transit, but the code is still a shared secret that a customer can be tricked into typing into a look-alike page, so it closes the interception path, not the phishing path.
  3. Look into passkeys for authentication. A passkey is a public-key credential designed to replace the password: the private key stays on the customer's device (or in a synced credential manager) and only the public key is registered with the service provider, such as a CFI. At login the server sends a random challenge, the device signs it after the customer unlocks it with a PIN or biometric, and the server verifies the signature with the stored public key. The unlock happens on the device and is never transmitted, and the signed data includes the website's origin, so a look-alike site cannot obtain a signature it can reuse. Apple, Google, and Microsoft build passkey support into their platforms and credential managers, and third-party password managers support them as well.
  4. Adopt phishing-resistant multi-factor authentication. The term, as CISA uses it, covers FIDO2/WebAuthn credentials (passkeys and hardware security keys) and PKI-based smart cards: methods where the credential is bound to the genuine site and cannot be typed into a fake one. Because rollout takes more effort than app-based codes, CISA advises starting with highly valued targets in an organization, such as administrators and employees with broad access, and expanding from there. It may be worth exploring as a way to protect the accounts of select employees first.
  5. Educate customers about one-time passcode vulnerabilities. Let customers know about the problems with two-factor authentication via SMS and the extra security of alternatives. Make it explicit that the bank will never ask a customer to read a code back over the phone or enter it anywhere but the bank's own site or app. Encourage the use of alternatives and provide help and coaching on setting them up.
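The difference between a texted code and a passkey, as an added Go example that is not part of this newsletter or of any vendor's product: it models the two login flows described above (the code texted after a password check, and the passkey challenge signed on the device from items 3 and 4) and runs the same real-time relay attack against both. The bank origin `https://bank.example`, the look-alike `https://bank-login.example`, the user `alice` and all function names are assumptions made for the example; `signedData` is a simplified stand-in for the bytes a real WebAuthn authenticator signs (authenticator data plus a hash of the client data carrying the origin and challenge), and ECDSA on P-256 is used because that is the algorithm most passkeys use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// smsServer remembers the code it handed to the SMS aggregator for each pending login.
type smsServer struct{ pending map[string]string }

// startLogin runs after the password check and returns the 6-digit code as the outgoing text.
func (s *smsServer) startLogin(user string) string {
	s.pending[user] = fmt.Sprintf("%06d", binary.BigEndian.Uint32(randomBytes(4))%1000000)
	return s.pending[user]
}

// finishLogin accepts the code from whoever types it; nothing ties it to the
// customer's handset or to the site the customer believes they are on.
func (s *smsServer) finishLogin(user, typed string) bool {
	want, ok := s.pending[user]
	delete(s.pending, user) // single use
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(typed)) == 1
}

// smsRelayAttackSucceeds: the attacker forwards the victim's password, the bank texts a
// code, and the code reaches the attacker by interception or because the victim types
// it into a look-alike page. The bank cannot tell the difference.
func smsRelayAttackSucceeds() bool {
	bank := &smsServer{pending: map[string]string{}}
	codeInAttackersHands := bank.startLogin("alice")
	return bank.finishLogin("alice", codeInAttackersHands)
}

// assertion is what the browser returns to the site; the browser fills in origin
// from the page actually loaded, and page scripts cannot override it.
type assertion struct {
	origin string
	sig    []byte
}

// signedData stands in for WebAuthn's signed bytes (authenticatorData ||
// SHA-256(clientDataJSON)): it binds the origin and the challenge together.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return h[:]
}

// deviceSign is the customer's authenticator: the private key never leaves the device,
// and the PIN/biometric check that gates signing happens locally (omitted here).
func deviceSign(priv *ecdsa.PrivateKey, origin string, challenge []byte) assertion {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
	if err != nil {
		panic(err)
	}
	return assertion{origin: origin, sig: sig}
}

// verifyAssertion is the bank's check. It holds only the public key and the challenge
// it issued, and accepts nothing not signed for its own origin over that challenge.
func verifyAssertion(bankOrigin string, pub *ecdsa.PublicKey, issued []byte, a assertion) bool {
	if a.origin != bankOrigin {
		return false // signed on a look-alike site: reject before touching the signature
	}
	return ecdsa.VerifyASN1(pub, signedData(a.origin, issued), a.sig)
}

// passkeyLoginFrom enrolls a fresh passkey and logs in with the browser on browserOrigin.
// A look-alike origin models the same relay attack: the attacker forwards the bank's
// real challenge to the victim and the victim's assertion back to the bank.
func passkeyLoginFrom(browserOrigin string) bool {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const bankOrigin = "https://bank.example"
	challenge := randomBytes(32) // fresh per login, so an old assertion cannot be replayed
	return verifyAssertion(bankOrigin, &priv.PublicKey, challenge, deviceSign(priv, browserOrigin, challenge))
}

func main() {
	fmt.Println("relayed SMS code accepted:", smsRelayAttackSucceeds())                               // true
	fmt.Println("relayed passkey assertion accepted:", passkeyLoginFrom("https://bank-login.example")) // false
	fmt.Println("genuine passkey login accepted:", passkeyLoginFrom("https://bank.example"))          // true
}
```

Run it with `go run`. The SMS check accepts the relayed code because the server has no way to know who typed it; the passkey check rejects the relayed assertion because the browser recorded the look-alike origin in what the device signed, and the bank compares that origin with its own before it even checks the signature. That origin binding, not encryption of the delivery channel, is what makes passkeys phishing-resistant, and it is why item 2 above is only a partial fix.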
Two-factor authentication over SMS has become a fraud target because the code travels unencrypted through third parties and, being a shared secret, can be intercepted or phished and then used by whoever holds it. That lets bad actors get into bank accounts and steal assets. CFIs should start moving away from SMS-based one-time passcodes for authentication and switch to more secure alternatives, with passkeys and other phishing-resistant methods as the goal and encrypted messaging as at most an interim step, to help protect customers.