Security Holes Despite Multi-factor Authentication
In June, hackers managed to penetrate employee accounts on the Reddit social news platform. Users’ email addresses were stolen, as well as a backup from 2007 that in some cases included masked passwords. The incident exposed a weakness in multi-factor authentication (MFA): the hackers were able to intercept an authentication code sent by SMS.
Vulnerabilities of Multi-factor Authentication?
The code is intended to ensure that the person logging in is in fact who they claim to be. As a general rule, TÜV AUSTRIA recommends the use of multi-factor authentication (MFA). It prevents an account from being taken over when just one factor, such as the password, is known. “Nevertheless, this latest example reveals possible vulnerabilities in some forms of multi-factor authentication,” admitted TÜV AUSTRIA expert Hendrik Dettmer.
Complexity of Attacks Increases Significantly
Attackers could find out the numbers of specifically targeted cell phones and then exploit those numbers by means of particular attack methods.
“Hackers attempting to order a second SIM card, for example,” Dettmer said, describing a theoretical approach that would, however, sharply increase the complexity of an attack.
Multi-factor Authentication and Weighing Up Security Measures
“The Reddit case shows that the use of more than one factor means it is at least more involved for the attacker,” Hendrik Dettmer summed up, stressing that MFA is therefore recommended for most applications. For critical applications in any case, TÜV AUSTRIA advises that IT security experts weigh up how well the factors in use are protected.