What's wrong with SMS authentication and how to protect yourself from SIM card theft

Carding 4 Carders

SMS authentication is not the best method for multi-factor authentication, yet it is used by many web services: social networks, email clients, and payment systems. In addition, the phone number is often used as the login itself, for example when registering on Facebook, Vkontakte, Telegram, and so on.

If the SIM card is stolen and the SMS is intercepted, the consequences will be disastrous. Many users correspond in instant messengers with colleagues and partners, so not only personal data but also corporate data will be at risk. If your company does not use a corporate infrastructure for communication, unprotected employee accounts put the business in danger. So you should take care of security in advance.

In this article, we will take a few popular services and replace SMS authentication with more secure methods. At the same time, we'll figure out how to additionally protect your accounts from theft and sleep well.

Why get rid of SMS authentication?
Attackers can receive text messages and log in to someone else's account in several ways at once:
  1. If they can get a phone with a SIM card inside.
  2. If the SIM card is reissued based on forged documents. Fraudsters buy leaked passport data and forge a power of attorney or even the passport itself. Whether the operator sends the documents to its security service for verification depends on the human factor.
  3. If the SIM card is stolen in collusion with the operator's employees.
  4. If SMS messages are intercepted using vulnerabilities in the SIM card itself or in the phone.
The second and third methods are the most popular ones. The danger is that the victim will not immediately understand that the SIM card was stolen. The fraudster has every chance to cash in before you realize the problem and have time to restore access to your SIM card.

Signs that your SIM card has been stolen:
  • The operator sends a text message about replacing the SIM card.
  • The operator's network disappears on the phone, and rebooting doesn't help.
  • You receive emails about attempts to reset your password in various services.
  • Your Apple ID or Google account starts requiring you to enter your password.
  • You receive messages about linking your account to a new device.
  • If push messages are used for two-factor authentication somewhere, codes from different services will start coming in.

How to prevent SIM card theft
  • Do not upload scans and numbers of personal documents to the Internet, including on online disks, social networks, instant messengers, or image exchangers (there are no exceptions).
  • Go to the office of your mobile operator and write a statement that prohibits the reissue of the SIM card by proxy. The service is called "Prohibition of actions based on a notarized power of attorney".
  • Make it harder to access your smartphone with a strong password and fingerprint/Face ID authentication.
  • Buy a separate mobile phone and issue a SIM card, the number of which is not known to anyone. This will be your "secret number" for SMS codes, if some service does not allow you to protect your account in any other way. Prohibit re-issuing your SIM card by proxy.

What should I do if it was stolen after all
If the SIM card has already been stolen, you will have no more than a day to block it. Therefore, you need to keep a quick blocking procedure handy:
  • work out how to call the operator without your phone, for example from a laptop or tablet: install Skype or Viber there;
  • top up your call balances;
  • find your mobile operator's number and save it in Skype or Viber;
  • practice losing your phone: pull out your SIM card and try calling the operator using the selected methods.

How to get rid of SMS authentication and protect your accounts
Our general recommendation is to opt out of SMS authentication wherever you can. Let's see how to do this for popular web services.

First, let's look at the services that merely use SMS as an authentication factor. Then we will protect those where the account itself is linked to the phone number.

Google account
  1. Log in to your Google account and go to the "Security" tab.
  2. Under "Sign in to your Google account", enable two-step authentication. Re-authenticate in the pop-up window.
  3. Select the second authentication factor.

Let's see what is best to choose.
  • Text message or voice confirmation: you should opt out of this method completely.
  • Backup codes: one of the best ways to back up your login, especially if you use it with the utmost care.
    Write them down on paper, make several copies, and put them away in several safe places. This way they will be safe from online attacks.
  • Google Authenticator: a fairly common authentication method, but in light of some developments, trusting it is a personal matter.
  • Google notification: sends a push notification to your trusted device.
  • Electronic key: a credential stored on a physical device. This is either a separate device that is inserted into the computer's USB port when you log in to your Google account, or a key built into your smartphone that is transmitted via Bluetooth from the phone to the computer at login. The technology is not without its disadvantages, but it provides a high level of security, especially if you use a separate device rather than a smartphone. This keeps all factors as independent entities and avoids "putting all your eggs in one basket".

Different methods of multi-factor authentication and tasks that can be solved using them.

Select a backup method in case the primary method is unavailable. Keep in mind that you should not receive push notifications, voice confirmations, and SMS messages on the same mobile device (if you still haven't opted out of them altogether).

Next in the list is the set of trusted devices: for them, the second factor is not required. Check that every trusted device is protected, or clear the entire list and add only the ones you really need.

Let's go back to https://myaccount.google.com/security and go through all the items:
  • Password: make sure that your password is strong and unique. For example, you can use the recommendations for creating complex passwords.
  • App passwords: check and leave only the ones you need.
  • Ways to verify your identity – phone number: Remove your phone number. You can restore access to your account through another factor, if necessary.
  • Ways to verify your identity – backup email address: remove the backup address.
  • Your devices: remove all unnecessary ones.
  • Third-party apps with access to your account: delete all apps that you don't use.
  • Sign in with your Google account: delete everything you don't use.
  • Access to linked accounts: if an account is hijacked, you can make it easier for an attacker to access other sites. Delete everything.
  • Password manager: move your passwords to a separate password manager. Disable auto-saving of passwords.

Yandex
You can't enable two-factor authentication in your Yandex account without linking your phone number. Therefore, we will use the "secret number" and add additional factors elsewhere.
  1. Log in to your Yandex account and scroll to "Passwords and authorization".
    • Password: check your password for strength and uniqueness (see above).
    • Security question: choose the most difficult and non-obvious answer for a potential attacker. Use non-standard ways of recording the answer and mnemonic memorization techniques.
    • Enable app passwords: individual apps can connect to your Yandex account. Disable this feature if you don't use it.
    • Set up two-factor authentication: use a "secret number".
  2. Go back to "Login and device history" and select "Log out on all devices".
  3. Go to "Mailboxes and phone numbers" and remove the recovery addresses.
  4. Go to the "Password" tab in Yandex Money settings. Here we will go through all three buttons.
    • Issue emergency codes: write down and store the emergency codes just as you did for your Google account.
    • Go to passwords in the app: select "App with passwords" and sync with one of the apps.
    • Click "Always ask for a password".

Now use the same methods to protect all services that can use SMS authentication. If possible, replace it or link it to a "secret number" and add a fingerprint login. Here is a checklist of services in order of priority:
  • Banking and payment services.
  • Public services: State Services, the Federal Tax Service, etc.
  • Password managers: LastPass, 1Password, etc.
  • Cloud storage: iCloud, Dropbox, OneDrive, etc.
  • Email: Mail.ru etc.
  • Social networks: Vk, Facebook, Twitter, Instagram, LinkedIn, Medium, etc.
  • Instant messengers: iMessage, Skype, Slack, Facebook Messenger, etc.
  • Photo hosting sites: iCloud, Google Photos, etc.
  • Notes: Evernote, Scribd, etc.
  • Source code repositories: GitHub, Bitbucket, GitLab, etc.
  • Hosting services and platforms for websites: Parking, WordPress, AWS, Microsoft Azure, Digital Ocean, etc.
  • Forums: Reddit, Stack Overflow, etc.
  • Task trackers, CRM, and other work platforms: Jira, Mailchimp, Trello, etc.
  • Online stores and commercial services, etc.

Telegram
The messenger account is linked to a phone number, so in addition to two-factor authentication, we'll set up additional security.
  1. Set a password and sign in with your fingerprint: go to the security settings and select "Passcode & Touch ID".
  2. Hide your phone number: in the security settings, find Privacy and set "Nobody" for the phone number. You can also block phone calls here. Add exceptions only for people you trust.
  3. Enable two-factor password authentication. Do not use your primary email address for recovery.
  4. Go to Devices and close all active sessions that seem suspicious.
All these measures will not completely protect you from SIM card theft, but they will keep scammers from hitting the jackpot. If users work remotely using personal devices and public web services, this will protect both their own data and that of their colleagues.