Two-step SMS verification not secure, OfReg warns

12/06/2018 | 11 Comments

(CNS): Getting a security code sent to a cell phone via a text message is one of the least secure means of verifying and protecting people’s online accounts, the Utility Regulation and Competition Office (OfReg) has warned. The regulator is urging banks and large corporations to consider the dangers of using this common two-step SMS verification, as current weaknesses in mobile telecom systems allow attackers to spy on phones and intercept text messages. This method of verification has become the norm, but Alee Fa’amoe, OfReg deputy CEO and executive director ICT, said the system “is susceptible to phishing attempts by cybercriminals”.

SMS verification is typically offered by any provider of online accounts, such as banking, email, airline reservations, and social media, OfReg explained in a release. The system requires users to first log in with a user name and password. A text message containing a one-time passcode is then sent to the individual, who is prompted to enter it as verification that he or she is the authorised user.

However, according to information published by OfReg, this method of verification is increasingly becoming one of the least secure systems available.

By tricking mobile carriers into moving a phone number to a new device, hackers are able to spy on unaware victims in what is known as a SIM swap. Hackers can also spy on phones directly, malware on a handset leaves users’ SMS messages open to interception, and fake mobile sites are set up to trick users into handing over their codes, the release stated.

“Any service provider who uses SMS text messages as part of an authentication process for their customers’ online accounts could be at risk to a vulnerability that comes, not from their own systems, but from the telecommunications networks,” Fa’amoe warned. “We urge everyone to stay informed and be aware of the risks associated with SMS and its related technologies.”

Corporations like Google and Microsoft have already begun pushing users to switch from SMS verification to a system where prompts are received via a trusted app, also known as an authentication app, the regulator added.

“It is imperative that cyber security continues to evolve,” Fa’amoe stated. “With the ever-changing nature of technology, the world is faced with an ongoing struggle to combat cybercrime. Unfortunately there is no easy fix for these kinds of vulnerabilities. We can only recommend that Cayman’s organisations carefully review their processes for authorising digital transactions; doing so in a way that avoids SMS text messages.”

See OfReg’s full report on the risks of two-step SMS authentication here.


Comments (11)


  1. Anonymous says:

    OfReg, it is gravely disappointing that the public is getting notices like this from your office.

    How about doing something to tackle the ripoff prices consumers are paying for internet service? The cost/bandwidth ratio in Cayman is among the worst in the world.

    What about the investigation into the rates being paid in the solar farm deal?

    Mobile phone rates are still too high.

    What about proper bandwidth and fiber in the eastern districts? Let me guess, soon come?

    There are far more important issues that you should be directing your resources to rather than regurgitating the most recent article that someone has read in an industry magazine while sitting in business class on the flight back from the latest conference.

    The public deserves better.

    • Victor goes to Spoil says:

      100% on point. I too read same articles as you know who. Shame, I had high hopes. Sigh.

  2. Anonymous says:

    Does anyone take OfReg seriously? This is old news. Incidentally, OfReg needs to pay attention to their own service and try to answer the phone and emails.

  3. Norbert says:

    Oh no... they can see my wife’s sexy pics she sends me?

  4. Anonymous says:

    OfReg actually exists? Come on, give the consumer something better than this, a joke.

  5. Anonymous says:

    This is precisely why the ultimate solution will eventually be presented.

    All personal security solutions up until now have been found to be flawed.

    I have spent over 30 years in this business and I understand the end result perfectly.

    We are moving away from democracy to technocracy. In the brave New World, A.I. (Artificial Intelligence) will tell us what is best and we will gladly surrender our individuality to a collective hive mind that promises freedom, but will ultimately deliver bondage.

    You people who call yourselves Christians were warned of the subcutaneous chip implant over 2000 years ago. Either, someone got lucky or they had a genuine glimpse of the future. Anyway, it is alluded to in the book that you refer to as Revelation. (Rev 13: 16-18.)

    Has anyone read the latest encyclical by Pope Francis? Those of you that have will quickly realize that his agenda is to tax all of humanity to offset our carbon footprint.

    The method of Carbon Tax payment will be universal.

    Those who refuse the crypto-implant will be known as haters and hunted down.

    I have spent over 40 years studying this. I am amazed that today we stand on the brink.

    Before you make your silly jokes about tin-foil hats and conspiracy theories, just have a look at the evidence I have presented. Do your own research and draw your own conclusions.

    Be smart, not dumb.
    Let your lights shine in the darkness.

    • Anonymous says:

      Thank you, Morpheus. Be sure to tell Neo that the Matrix is upon us.

    • Anonymous says:

      Where’s the “evidence” you “presented”? Saying things isn’t evidence as a means. Let’s see some hard facts backed up by studies, not rumor and conjecture.

  6. A Noni Mouse says:

    This is exactly why I recommend people use a good VPN service. Anything going through Compromised & Worthless servers is bound to SLOW you down and leave a sour LIME taste in your mouth.

  7. Anonymous says:

    And be aware of caller ID spoofing. A spoofed caller ID tricks a person into thinking somebody local, possibly even someone they know, is calling. They use technology to modify what phone numbers appear on caller ID, impersonating phone numbers.

    Here are a few tips to help identify and handle “neighbor spoofing” phone calls:

    > Avoid answering calls from phone numbers you don’t recognize, even if they appear to be local. If it’s important, the caller will leave a message.
    > If your own phone number is used in a caller ID spoof call, you may receive calls and messages from people asking why you called them in the first place. This can lead to a lot of confusion between the two parties, but knowing your own number can be used by scammers may help explain the situation.
    > Be aware that phone numbers of local businesses, including doctor’s offices and/or insurance agents, may appear to be calling you. If you’re not certain whether the call is legitimate or a spoof, hang up and dial the known phone number for the contact to verify the communication, especially if personal and/or financial information is being requested.
    > There are call blocking apps that may help decrease the amount of spam calls, including those using a spoof caller ID. Your phone carrier may also provide a similar service or offer advice.

  8. SecureCayNow says:

    This suggests that they would have the 1st stage login and pw already. If that’s the case they most likely would have the person’s mobile # and be able to login normally.

    Doesn’t take away from SMS diversion.

