[Reading time: 32 seconds]

All animals are equal but some animals are more equal than others” is a famous line in George Orwell’s novel, Animal Farm.

What has this got to do with cyber security?

If George was alive today, I’m sure he would use a similar line when speaking about multi-factor authentication (MFA)*.

All MFA methods are equal in the sense that any one of them is more secure than just a username and password. Any type of MFA makes it tougher for a cyber criminal to get into one of your accounts.

However, some MFA methods are more equal than others.

And SMS is the runt of the litter.

Why?

Just ask the SEC (The US Security and Exchange Commission).

It announced a few days ago that its Twitter / X account had been taken over by criminals**.

In response, Twitter / X initially implied that the breach occurred because the SEC’s account was only protected with SMS-based MFA***.

This made it easier for the criminals to gain access to the account.

How?

It is called a SIM Swap fraud.

If it ever happens to you, it usually means a criminal has contacted your phone company pretending to be you, and fooled the phone company into switching your phone number and account to them. They then receive all of your calls and SMS messages, including any security codes sent via SMS.

So what?

1 – Use Multi-Factor Authentication wherever it is available, but especially on higher-value accounts (e.g. email accounts, social media accounts, cloud storage accounts, bank accounts).

2 – Avoid using SMS-based MFA wherever possible. Authenticator apps are more secure and free – e.g. Authy; Google Authenticator.

Need more help?

If you work for yourself and you are responsible for the security of your laptop, phone, e-mail account, and other cloud accounts, get specific advice on the reasonable steps that you can and must take, by registering for my free online workshop. It takes place today (and next Tuesday).

You can learn more at https://codeinmotion.ie/zero-to-hero

 

*MFA means that you need more than just a username and password to log into an account. The additional “factor(s)” could include a security code sent to your phone via SMS, or generated by an authenticator app on your phone. There are many others but let’s not get into that here.

** The criminals used their access to post tweets about cryptocurrency being a legitimate investment, so this is probably how the real world figured out the account had been hacked. And because this fake news caused market movements, it will need to be investigated by the relevant regulator. Who is the relevant regulator? The SEC!

*** Although they now seem to be suggesting that there was no MFA enabled on the account at all.