Email or SMS text messaging are NOT secure for two-factor authentication
So you have a bank account that you manage online, and, of course, you want to make the online access as secure as possible (who wouldn't?). You've learned that enabling 2FA (two-factor authentication) for the account would increase the security (it would!), so you register your mobile phone with the bank. Now, if someone attempts to log in to your bank account, the bank sends a text message to your phone with a code that the intruder would need to enter before they are allowed to access your account. You now feel pretty secure and can sleep well at night, right?
Well, we have some not so good news for you (sorry for disturbing your sleep): if someone steals both your bank card and your mobile phone, they can bypass the 2FA even if they can't unlock your phone. That's exactly what someone is doing in the UK, by stealing cards and phones from the lockers at a local gym.
How does the thief break the 2FA? Surprisingly easily: first, they look at your card and see which bank issued it. They search for that bank's app in the app store and install it on their own phone. They open the app and attempt to register your card number with it. Now the bank sends an SMS to the owner's phone, and even though the phone is locked, the text message is flashed on the lock screen, briefly, but long enough for the thief to take note of the passcode. They enter that passcode on their own phone, and that gives them access to the victim's account.
Note that this kind of attack would probably also work if you had set up your bank account to send you the verification codes by email instead of SMS: many email apps display snippets of incoming emails on the lock screen, too.
What should you do to stop this kind of break-in? At the very minimum, see if the notification settings for your messaging or email app can be changed so that they do not flash the incoming messages on the lock screen.
A better solution is not to use email or SMS for verification at all, and to switch to an authentication app such as Authy. The problem is that not all banks support such methods, but if yours does, it makes your 2FA much more secure: the thief would not have access to the authentication app if the phone is locked. Besides, you could set up a separate PIN for the authentication app, so even if the thief were able to unlock your phone somehow, they would still be prevented from using the app.
As a bonus, the authentication app lets you provide the security code even if you happen to be in a place without cell phone coverage. For example, you travel abroad to a country outside of your cell service area. You have Wi-Fi in your hotel, and you want to access your bank account, but you can't get an SMS because you are not in the data service area. With an authentication app you would not be stuck in such a situation, because it does not require access to the Internet or data service in order to provide you with an authorization code.
Happy travels!