Reacting to Unsolicited Two-Factor Authentication Codes

Originally published at: Reacting to Unsolicited Two-Factor Authentication Codes - TidBITS

We’re all accustomed to receiving two-factor authentication codes via SMS, but if you ever get one that you didn’t request, don’t ignore it because it might indicate that the credentials to one of your accounts have been compromised.

5 Likes

@ace offers excellent advice here.

His article once again reminded me of this issue:

The most common problem with SMS is an attack called SIM swapping. An attacker poses as the victim and convinces the carrier to port a phone number to a new device, effectively taking over the victim’s communications.

It boggles my mind that not all carriers — at least as an option — offer a possibility to completely lock this down. It’s not like I port my number all the time so why does this have to be made so quick and easy? If lazy people want this to be easy and are willing to take the risk, fine, but I don’t. I’d love an option to say that until I show up in their store (or at their contracted service provider) with at least one piece of government photo ID in hand willing to sign and leave prints etc. my number will NOT be ported. Ever. And certainly not over the phone using bogus “security questions” that are comprised of public knowledge elements.

I thought T-mobile was pretty good at this with their porting protection option (forget the name they use for it), until I recently called to have it lifted when I left them. There was no additional check at all. No password entry, no questions, no nothing. There wasn’t even a challenge text — I guess perhaps because they assume if it’s my cell phone no. that’s calling, it must be me. The only saving grace was the port PIN. That was set and revealed on my user account with its separate authentication. No idea if I would have also been able to just get that over the phone too.

1 Like

A few relevant comments:

I’ve seen a few sites that no longer ask for passwords. You provide your user ID, and the site immediately sends a code to you by SMS or e-mail (I guess that’s now 1FA). If you respond (click the link or enter the code), you’re logged in. You can click a link on the login page to request a password-entry screen, but usually not until after the code is sent.

On a site like this, getting a code means nothing - it means someone entered your user name or e-mail address (which might be a typo, depending on what it is), but nobody has your password.

I personally don’t like this system at all, but I’ve seen it on several sites these days, including Expedia and Home Depot. I don’t like it, but it seems that this is becoming popular these days.

Personally, I think web sites should do this:

  • Always send a 2FA code for verification, whether or not the provided password matches.
  • If either one fails, reject the login without saying which failed.
  • This way, someone who is guessing passwords won’t get any information about whether or not they guessed right.
  • And, of course, after too many failures, lock the account. Either for a significant amount of time (an hour should be enough) or until you call customer service. This will prevent bots from rapidly trying things.

It does mean that you may see more 2FA requests if someone’s trying to hack your account, but they won’t mean anything.

WRT SIM swapping, you’d like to think that the carriers have learned their lesson, but apparently not.

FWIW, when I (and my daughter) legitimately needed our SIM cards swapped (about a year or so ago) due to card failure, we went in person to a Verizon company store. They asked to see a photo ID. And for my daughter, they wanted mine as well, since I’m the person paying the bills on the family plan.

3 Likes
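The login policy laid out in the bulleted list above, as an added Python example (not code from the post or from any site named in this thread): the password is checked silently, a code goes out regardless, both factors are judged together with one failure message, and the account locks for an hour after repeated failures. The `Account` and `LoginService` classes, the five-attempt threshold and the in-memory SMS outbox are my assumptions.

```python
import hashlib, hmac, os, secrets

MAX_FAILURES = 5          # assumed threshold before the account locks
LOCKOUT_SECONDS = 3600    # "an hour should be enough"
FAILED = "login failed"   # the one message used for every failure reason

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failures = 0
        self.locked_until = 0.0
        self.pending = None   # (code, password_ok) for the attempt in flight

class LoginService:
    def __init__(self):
        self.accounts = {}
        self.sms_outbox = []  # constructed stand-in for the SMS gateway

    def begin(self, user: str, password: str, now: float) -> str:
        """Step 1: check the password silently and always send a code."""
        acct = self.accounts[user]
        if now < acct.locked_until:
            return FAILED                      # locked: no code, no hint why
        password_ok = hmac.compare_digest(acct.pw_hash,
                                          hash_password(password, acct.salt))
        code = f"{secrets.randbelow(1_000_000):06d}"
        acct.pending = (code, password_ok)
        self.sms_outbox.append((user, code))   # sent even if the password was wrong
        return "code sent"

    def complete(self, user: str, code: str, now: float) -> str:
        """Step 2: both factors must pass; a failure never says which one failed."""
        acct = self.accounts[user]
        pending, acct.pending = acct.pending, None   # a code is good for one attempt
        if now < acct.locked_until or pending is None:
            return FAILED
        expected, password_ok = pending
        code_ok = hmac.compare_digest(expected, code)
        if password_ok and code_ok:
            acct.failures = 0
            return "logged in"
        acct.failures += 1                     # wrong password or wrong code: same path
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return FAILED
```

A password guesser sees "code sent" for every guess and the same `FAILED` string for every bad attempt, so the only signal it gets is the lockout itself.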

Just to add that I have a PIN set on my Verizon account and they asked for that as well as the government ID.

Another explanation for unsolicited two-factor authentication codes: you’re using an aggregator service to pull together accounts. For example: Fidelity Full View, Mint, Yodlee, Personal Capital (now Empower), or even Quicken.

The way these work is you give them the userid and password used for online access to your account. In some cases (like Citi Card) the financial institution has a special API for such access, but in others they’re effectively “screen scraping” the accounts web page.

The aggregator doesn’t actually save the password. They just pass it through to the site, and save the authentication cookie provided – the same as when you use Safari and choose an option to stay logged in.

But some sites won’t provide such cookies, or they don’t last very long. Then when the aggregator tries to access the site, it triggers an authentication request – but there’s no way for you to respond to it.

So when my bank sends me an unsolicited authentication code, I know I’m not being hacked. It is just that my bank is user hostile.

3 Likes

For me, this has always been the reason for surprising 2FA codes being sent. I think this should be mentioned in the main article (which is nonetheless very helpful).

1 Like

I think a lot of SIM swapping attacks are carried out with the help of corrupt or compromised retail store and call center employees. So while taking as many precautions, such as setting up PINs and 2FA, as possible is important, there isn’t much end users can do to defend themselves from “inside job” SIM swaps.

1 Like

Interesting! We have several financial sites that rely on Yodlee for access to our bank accounts, and while we’ve had plenty of problems with keeping those logins working, I don’t think I’ve ever gotten an unsolicited 2FA code from them. They certainly require 2FA codes when you first link the accounts, so I wonder how they get around that on a regular basis?

If Yodlee needed a 2FA code every time they connected to our bank accounts, we’d be getting unsolicited codes daily.

Dang, I’ve gotten a few but just junked them. Will have to await more attempts and then go to those and change the password.
I found pawned and the 1Password option has its own issues, like saying I have a lot of duplicates (but I do not), or that the password is too weak (but I cannot make it better because the site limits me to a low character password), etc.
But the thing I AM MUCH MORE WORRIED ABOUT is this “My voice is my identity” system that all the major brokerage firms and maybe some major banks use as the two factor for calling in about an account like a 401k or brokerage. With AI voice cloning nearly perfect, this is a problem.

1 Like

This makes Full View, Empower and other aggregators kind of a pain to use sometimes.
But sometimes this will not work on a less secure, pension/state, or smaller financial web site. They are just not as up to date. So you manually update the data every few months. In an odd way, that less secure one may be more secure because of them being less security tech hip.

That’s why it frustrates me when text messaging is the only 2fa method offered. I recently had my medical insurance provider “turn off” my authenticator app 2fa because they no longer support it and revert back to text messaging. :angry:

It really frustrates me when a business (I’m looking at you, Chase) decides to stop using email “because it isn’t secure” and instead requires SMS for 2FA.

2 Likes