A client recently asked me whether two-factor authentication or password resets that rely on a cell phone are safe. My initial reaction was yes. Two-factor means 1. something I have and 2. something I know, similar to an ATM card. But is your cell phone really that secure?
Let’s go through some of the ways we’ve made our cell phones proof of our identity:
- Two-factor: a prompt appears on my cell phone and I tap either approve or deny in the app.
- Password resets by cell phone text message and by email
- Calling your bank from your “approved” cell phone number
- Text messages to approve or decline transactions, including those sent for fraud prevention
Next let’s go over how we secure our phones:
In this blog, I’m going to take you through what I deem to be an industry-wide security failure. Please comment your thoughts below.
There are a few scenarios in which this system falls apart.
1- A friend mentioned to me that they passed by an accident and, as they were providing first aid, they pressed the injured and unconscious person’s fingers on the phone’s sensor to unlock it and call a relative from the contact list.
2- What if a hacker were able to slam your number (move it to a phone they control) after finding your bill in the trash? By the time you figure out what has happened and get your number back, the hacker would have received every text message needed to complete the crime.
3- We use our Google and iCloud accounts for personal purposes, but those same services are what unlock our devices. If those passwords are compromised, our phone’s security measures are useless, and if that person also gets hold of our phone and changes those passwords online, we are locked out. Think about that: a breach of your personal identity suddenly becomes the pathway to a breach of your corporate resources. Yikes!
I’m sure there are many more scenarios, but they all boil down to this: we can no longer let our cell phones carry such a large part of our online identity, and we need to be careful when architecting security systems around cell phone technologies.
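As an added example that is not part of the original post, the Python script below models the dependencies the three scenarios describe and checks an account's login and reset paths for single points of failure: an SMS code is defeated by whoever controls the number or the unlocked handset, a push approval by the handset or the cloud account that unlocks it, and so on. The asset and factor names and the two sample account configurations are constructed for this example, and the "security_key" factor in the hardened configuration is an assumption added for contrast; the post does not mention it.

```python
"""Single-point-of-failure check for phone-based authentication (added example)."""
from dataclasses import dataclass
from itertools import combinations

# Assets an attacker might take over. Names are constructed for this example.
#   phone_number  - the number itself (moved to another SIM by a port-out / "slam")
#   device        - the physical handset, unlocked by fingerprint, PIN or cloud login
#   cloud_account - the Google/iCloud account that also unlocks the handset
#   email_inbox   - the mailbox that receives reset links
#   security_key  - assumed hardware key, used only in the hardened configuration
ASSETS = ("password", "phone_number", "device", "cloud_account", "email_inbox", "security_key")


@dataclass(frozen=True)
class Factor:
    name: str
    defeated_by: frozenset  # compromising ANY one of these assets defeats the factor


FACTORS = {
    "password":      Factor("password", frozenset({"password"})),
    # an SMS code is readable by whoever holds the number or the unlocked handset
    "sms_code":      Factor("sms_code", frozenset({"phone_number", "device"})),
    # push approval: scenarios 1 and 3 (unlocked handset, or cloud account that unlocks it)
    "push_approval": Factor("push_approval", frozenset({"device", "cloud_account"})),
    # reset e-mail: the inbox itself, or the handset on which mail is already open
    "email_link":    Factor("email_link", frozenset({"email_inbox", "device"})),
    # assumed phishing-resistant factor, defeated only by taking the key itself
    "security_key":  Factor("security_key", frozenset({"security_key"})),
}


def defeated(factor_name, compromised):
    """True if compromising the given assets defeats this factor."""
    return bool(FACTORS[factor_name].defeated_by & compromised)


def path_broken(path, compromised):
    """A path (all of its factors required) is broken when every factor is defeated."""
    return all(defeated(f, compromised) for f in path)


def account_broken(paths, compromised):
    """The account is lost when any login or recovery path is fully broken."""
    return any(path_broken(p, compromised) for p in paths)


def single_points_of_failure(paths):
    """Assets whose compromise alone takes over the account."""
    return sorted(a for a in ASSETS if account_broken(paths, frozenset({a})))


def minimal_cut_sets(paths):
    """Smallest asset combinations that take over the account (no proper subset works)."""
    found = []
    for size in range(1, len(ASSETS) + 1):
        for combo in combinations(ASSETS, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in found):
                continue  # a smaller cut set already covers this combination
            if account_broken(paths, candidate):
                found.append(candidate)
    return found


# Constructed account configurations: each tuple is one way in, all of its factors required.
PHONE_CENTRIC = [
    ("password", "sms_code"),   # normal login: password plus text-message code
    ("sms_code",),              # "forgot password" reset by text message
    ("email_link",),            # "forgot password" reset by e-mail
]

HARDENED = [
    ("password", "security_key"),    # login: password plus hardware key
    ("email_link", "security_key"),  # reset still needs the key, not just the phone
]


if __name__ == "__main__":
    for label, paths in (("phone-centric", PHONE_CENTRIC), ("hardened", HARDENED)):
        print(f"{label}: single points of failure = {single_points_of_failure(paths)}")
        print(f"{label}: minimal cut sets = {[sorted(c) for c in minimal_cut_sets(paths)]}")
```

Run as-is, the phone-centric configuration reports three single points of failure (the phone number, the handset and the mailbox), which are exactly the takeovers in the scenarios above: the "second factor" never added a second thing an attacker has to defeat. The hardened configuration has no single point of failure; every minimal cut set needs the hardware key plus one other asset.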
President and Enterprise Architect