One chestnut from my history in lottery game development:
While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.
Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.
Care to elaborate “MFA via SMS only”? I’m not in tech and know MFA through text is widely used. Or do you mean alternatives like Microsoft Authenticator or YubiKey? Thanks!
Through a low tech social engineering attack referred to as SIM Jacking, an attacker can have your number moved to their SIM card, redirecting all SMS 2FA codes effectively making the whole thing useless as a security measure. Despite this, companies still implement it out of both laziness and to collect phone numbers (which is often why SMS MFA is forced)
TIL! thanks for the explanation.
To collect numbers, which they sell in bulk, to shadey organizations, that might SIM Jack you.
SMS 2FA is used because it’s better than nothing and it works for 98% of people. Not many people have Google Authenticator, let alone other varieties.
The major weak link in security is people, not technology. People can be convinced to give up the 2FA code regardless of whether it’s a text or code in an Authenticator app.
Sim swap is quite easy if you are convincing enough for support at an ISP doing phone plans.
Now imagine if I sim-swapped your 2FA codes :)
Exactly this. Instead you should use a phone app like Aegis or proprietary solutions like MS Authenticator to MFA your access because it’s encrypted.
Thenks! I really don’t want to be forced into an app, but it’s good to know the reason why.