Written by Deeba Ahmed – HackRead – November 16th, 2020

Microsoft is urging users to move to more secure authentication methods, calling SMS and voice-based multi-factor authentication (MFA) the “least secure” MFA options available today.

Microsoft’s director of identity security, Alex Weinert, wrote in a blog post that the time has come to ditch SMS and voice multi-factor authentication (MFA) in favor of modern, purpose-built authenticators.

Weinert explained that telephone networks offer weak security, which is why these are the weakest MFA methods: voice calls and SMS messages are not encrypted end to end and can be intercepted in transit. Because the one-time code is just a short string an attacker needs to obtain once, SMS codes can also be captured through SIM swapping or phishing.

“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” explained Weinert.

Attackers can also intercept unencrypted voice and SMS MFA by using an SS7 intercept service or a software-defined radio to capture calls or messages before they reach the user.

It is worth noting that in 2016, researchers also demonstrated how a Signaling System 7 (SS7) vulnerability could be exploited to take over a Facebook account knowing only the phone number associated with it.

Most PSTN systems are supported by customer service agents, who are vulnerable to social engineering, bribery, or coercion. By manipulating customer support staff, attackers can gain control of a victim’s SMS or voice channel, enabling attacks such as call forwarding or SIM swapping (SIM jacking).

Moreover, Weinert noted that MFA has become so widespread that threat actors will invest heavily in finding ways to defeat it. In response to the surge in SMS spam, regulators have also introduced rules governing short codes, message content, transmission rates, sender permissions, and message responses such as STOP.

Because these regulations vary from region to region and change constantly, they can cause major delivery outages and frustrate users.

Security-conscious users should therefore switch to an authenticator app such as Microsoft Authenticator, or protect their accounts with hardware security keys. Unlike SMS and voice, whose formats cannot be adapted, these purpose-built authenticators can be updated regularly to improve their security and reliability.