Microsoft urges businesses to hang up on MFA over the phone


Microsoft has urged organizations to move away from voice and text-based multi-factor authentication (MFA), saying systems built on telephone networks are increasingly constrained, inflexible and insecure.

Identity Security Director Alex Weinert explained that while multi-factor authentication is essential to protecting user accounts, all of the techniques used to compromise credentials, including phishing, account takeover and the interception of one-time passwords, also work against codes delivered over Public Switched Telephone Networks (PSTNs).

PSTN-based factors also suffer from problems unique to them, because the SMS and voice protocols were designed without encryption.

“From a practical usability perspective, we cannot overlay encryption on these protocols because users would be unable to read them. This means that signals can be intercepted by anyone who can access the switching network or within radio range of a device,” Weinert continued.

“An attacker can deploy a software-defined radio to intercept messages, or a nearby FEMTO, or use an SS7 intercept service to listen for phone traffic. This is a substantial and unique vulnerability in PSTN systems that is accessible to determined attackers.”

Social engineering attacks against mobile operator customer support agents are another potential avenue for compromise, leading to SIM swapping, call forwarding and message interception attacks, he added.

In March, Europol announced the arrest of two dozen individuals suspected of stealing millions by hijacking mobile accounts through SIM swapping.

Because of mobile operator performance issues and ever-changing regulations, outages are not uncommon, and it can be difficult for the MFA provider to warn users when delivery is failing.

Fundamentally, the SMS and voice formats are not adaptable, which means new innovations and security enhancements cannot be layered on top of them. This is why Weinert recommended app-based authenticators such as Microsoft Authenticator, Google Authenticator, or LastPass Authenticator, which generate codes locally from a shared secret instead of receiving them over the phone network.
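To make the contrast concrete, the following is an added example (not code from Microsoft or from the article) of how an authenticator app and its verifying server derive a one-time code without any message crossing the PSTN: both sides hold the same secret and compute the code from the current time (RFC 6238 TOTP, built on RFC 4226 HOTP). The server-side check shown here also records the last accepted time step so a code that has already been used, even one captured in transit, cannot be replayed. The secret below is the public RFC 6238 test-vector key encoded in base32, used purely as a constructed sample; the function names and the `last_used_counter` bookkeeping are this example's own design, not any vendor's API.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32.
# A real enrolment secret is generated per user from a CSPRNG and never reused.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' down to a short decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble selects a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. This is what the app displays."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used_counter: int = -1) -> Optional[int]:
    """Server-side verification.

    Accepts the current time step plus/minus `window` steps to tolerate
    clock drift, compares in constant time so response timing does not
    leak which digits matched, and refuses any step at or before
    `last_used_counter` so a captured code cannot be replayed.

    Returns the matched counter (caller persists it as the new
    last_used_counter) or None when the code is rejected.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed (or older): replay attempt or stale code
        expected = hotp(secret_b32, counter, digits)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA1 code is 94287082.
    t = 59
    code = totp(SAMPLE_SECRET_B32, t)
    print("app shows:", code)                                   # 287082
    first = verify_totp(SAMPLE_SECRET_B32, code, t)
    print("server accepts, counter:", first)                    # 1
    replay = verify_totp(SAMPLE_SECRET_B32, code, t, last_used_counter=first)
    print("same code again:", replay)                           # None
```

The only thing exchanged at enrolment is the secret (typically via a QR code); afterwards nothing needs to be delivered to the user, which is the property Weinert is pointing at. The replay bookkeeping matters regardless of transport: a code that is valid within the drift window must still be accepted at most once.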
