Security experts advise against using SMS messages to deliver two-factor authentication codes because they can be intercepted or otherwise compromised. Recently, a security researcher discovered an insecure database on the internet containing millions of such codes, open to anyone who cared to look.
Update from 06/03 below. This article was originally published on March 4.
The database, discovered by security researcher Anurag Sen, was exposed to the internet with no password protection at all. Anyone who knew its IP address could access it with nothing more complicated than an ordinary web browser.
Ownership of the exposed database was not immediately clear. After TechCrunch reporters were brought in, the owner was identified as YX International, an Asian company that provides, among other services, SMS text message routing. YX International secured the database after TechCrunch contacted the company.
Handling some five million SMS messages a day, YX International’s database was a treasure trove of sensitive information, including password reset links and 2FA codes for services such as Google, WhatsApp, Facebook, and TikTok.
I reached out to YX International, Google, Meta, and TikTok for comment.
I spoke with the researcher who discovered the database, Anurag Sen, who told me that they “stumbled upon the database during a routine test I was doing.” Sen says they have been running such checks against cloud-based databases for the past five years. “Many corporations are migrating their production servers to the cloud, but they still need to have critical authentication and encryption in place,” Sen says. The exposed database shows, Sen says, that “the 2FA storage and processing approach needs to be more robust and secure.”
With records dating back to July 2023, the absence of any password protecting this database is shocking, but is it a security risk? From a 2FA code perspective, I would say not much of one. After all, those codes expire very quickly, so to exploit them a malicious actor would have to be watching the database in real time for new entries relating to a specific target, and then use the code before it expired. In this case, that is highly unlikely.
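The argument above rests on the server side enforcing a short validity window and single use, so that a code copied from a stale message log is worthless while a code grabbed in real time is caught when its owner tries to redeem it. The following is an added example, not code from the article or from any of the companies named in it; the five-minute window, the five-attempt cap and the timeline in `leaked_log_scenario` are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 300   # assumed validity window; services commonly use a few minutes
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpStore:
    """Server-side record of SMS codes that have been sent but not yet redeemed."""

    def __init__(self, ttl: float = CODE_TTL_SECONDS, max_attempts: int = MAX_ATTEMPTS) -> None:
        self.ttl = ttl
        self.max_attempts = max_attempts
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Generate a fresh six-digit code from a CSPRNG and remember when it was issued.
        The returned string is what would be handed to the SMS routing provider."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(code=code, issued_at=now)  # replaces any older code
        return code

    def verify(self, user_id: str, candidate: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_pending_code"
        if entry.used:
            return "already_used"       # a second redemption is a strong sign of replay
        if now - entry.issued_at > self.ttl:
            del self._pending[user_id]
            return "expired"            # a code read from a stale message log lands here
        entry.attempts += 1
        if entry.attempts > self.max_attempts:
            del self._pending[user_id]
            return "too_many_attempts"  # six digits are cheap to brute-force otherwise
        if not hmac.compare_digest(entry.code, candidate):
            return "wrong_code"
        entry.used = True
        return "ok"


def leaked_log_scenario() -> Dict[str, str]:
    """Constructed timeline: one code is copied from an exposed message log an hour
    after issue, one is redeemed by its owner inside the window, and one is grabbed
    by an attacker watching the log in real time before the owner gets to it."""
    store = OtpStore()
    t0 = 1_700_000_000.0
    stale = store.issue("alice", now=t0)
    results = {"replay_after_one_hour": store.verify("alice", stale, now=t0 + 3600)}
    fresh = store.issue("alice", now=t0 + 3600)
    results["owner_within_window"] = store.verify("alice", fresh, now=t0 + 3660)
    results["replay_after_owner"] = store.verify("alice", fresh, now=t0 + 3661)
    raced = store.issue("alice", now=t0 + 7200)
    results["attacker_in_real_time"] = store.verify("alice", raced, now=t0 + 7230)
    results["owner_after_attacker"] = store.verify("alice", raced, now=t0 + 7260)
    return results
```

Only the last pair of results represents the scenario the article calls unlikely: the attacker must act inside the window and ahead of the user, and even then the owner's failed login (`already_used`) is the signal a service should alert on.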
Jake Moore, Global Cybersecurity Advisor at ESET, told me that “SMS one-time passwords are a much more secure option than relying solely on a password; however, with threats now multi-layered, the accounts themselves need the strongest multi-layered protection to stay safe.” Passkeys, authenticator apps, and physical security keys offer even more secure protection. “So, while setting up security is now easier than ever,” Moore continues, “anyone who relies solely on passwords, or uses SMS 2FA codes, may want to reconsider their original choice.”
While users don’t have to worry too much about the inclusion of 2FA codes in the misconfigured and unprotected database in question, there is still a lesson to be learned. On the contrary, it adds weight to the argument against using SMS when other options are available, because it illustrates how those text message codes can be compromised. “Texting uses outdated technology, and it is good practice to stay up to date with the newer account protections on offer,” Moore concludes. “When convenience and security are weighed equally, it’s a no-brainer to opt for something other than SMS.”
Update 06/03: Passkeys are cited as a more secure replacement for 2FA, although they are better thought of as a way of combining 2FA with something more secure than a password. While it is unlikely that the 2FA codes leaked through the YX International database exposure were exploited by an attacker, for the reasons already discussed, the fact that they were added to the database while still within their validity window remains a concern. So, are there any security considerations for passkeys? I put this question to Trevor Hilligoss, vice president of SpyCloud Labs, who says that “passkeys are much less vulnerable to classic threats, such as poor hygiene practices, than passwords,” but “they shouldn’t be thought of as the ultimate security solution.” Hackers can use techniques such as session hijacking to bypass authentication processes, including passwords, 2FA, and passkeys.
“The main culprit behind this circumvention approach is malware,” says Hilligoss. “Infostealer malware is designed to exfiltrate data, including files stored on your computer’s hard drive as well as browser-based data, including session cookies, which are assigned by websites after you log in and stored by your browser. These cookies make it easier to navigate and return to a site without going through the authentication process every time, and are an essential part of the browsing experience on any site that requires a login. However, those cookies are also commonly sold on criminal marketplaces and can then be used in conjunction with ‘anonymous browsers’ to trick sites into believing that the session has already been authenticated.” “Criminals who gain access to accounts through session hijacking can impersonate valid users of the site,” Hilligoss warns, “giving them full access to all the data and permissions that the original user had.”
Then there is the multi-factor authentication that some passkey implementations also require for stronger security, although in practice it is usually some sort of password that acts as that additional authentication layer. This means, says Hilligoss, that “most passwordless authentication methods require a password in some way.”
As security features evolve, criminal tactics evolve alongside them, and it is vital that security teams are aware of this and prepare a multi-layered approach to combat all threats. Hilligoss recommends taking steps to limit the risk from session cookies even if they are compromised. “Revoking permissions for devices or apps you don’t use, limiting the amount of time a session stays active, and not ticking the ‘Remember me’ box on new websites can reduce the risk of long-term exposure,” says Hilligoss. “Also, whenever possible, use secure MFA options, such as app- or hardware-based tokens, rather than less secure methods such as email-based or SMS MFA.”
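Hilligoss’s description of how a stolen session cookie lets a site believe a session is already authenticated, and his three mitigations (revoke unused devices, cap how long a session lives, avoid “Remember me”), are all decisions a service makes on the server side. The following is an added example, not code from the article, from SpyCloud, or from any of the services named on this page: a minimal in-memory session registry with idle and absolute timeouts, per-device revocation, and the cookie attributes that keep the token away from page scripts and plaintext HTTP. The timeout values, the device labels and the timeline in `stolen_cookie_scenario` are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values for this example; real values are a product decision.
IDLE_TIMEOUT = 30 * 60                    # seconds of inactivity before a normal session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60            # hard ceiling on a normal session's life
REMEMBER_ME_TIMEOUT = 30 * 24 * 60 * 60   # ceiling on a "Remember me" session, which never idles out


@dataclass
class Session:
    user: str
    device: str                 # hypothetical label shown in the user's "active devices" list
    created_at: float
    last_seen: float
    absolute_ttl: float
    idle_ttl: Optional[float]   # None: persistent "Remember me" session
    revoked: bool = False


class SessionStore:
    """In-memory server-side session registry (example only)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, device: str, remember_me: bool = False,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 random bits, never derived from user data
        if remember_me:
            self._sessions[token] = Session(user, device, now, now, REMEMBER_ME_TIMEOUT, None)
        else:
            self._sessions[token] = Session(user, device, now, now, ABSOLUTE_TIMEOUT, IDLE_TIMEOUT)
        return token

    def cookie_header(self, token: str) -> str:
        """Set-Cookie value. HttpOnly keeps page scripts away from the token, Secure keeps
        it off plaintext HTTP, SameSite=Lax blunts CSRF. None of these stops an infostealer
        reading the browser's cookie jar from disk; that is what the timeouts are for."""
        sess = self._sessions[token]
        attrs = f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
        if sess.idle_ttl is None:
            # "Remember me" becomes a persistent cookie that survives browser restarts,
            # which is exactly what makes a stolen copy valuable for longer.
            attrs += f"; Max-Age={int(sess.absolute_ttl)}"
        return attrs

    def validate(self, token: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return "invalid"
        if sess.revoked:
            return "revoked"
        if now - sess.created_at > sess.absolute_ttl:
            del self._sessions[token]
            return "absolute_expired"
        if sess.idle_ttl is not None and now - sess.last_seen > sess.idle_ttl:
            del self._sessions[token]
            return "idle_expired"
        sess.last_seen = now
        return "ok"

    def revoke_device(self, user: str, device: str) -> int:
        """Kill every session for a user/device pair, wherever a copy of the cookie went."""
        return self._revoke(lambda s: s.user == user and s.device == device)

    def revoke_all(self, user: str) -> int:
        """Everything for the user, e.g. after a credential change or a confirmed infection."""
        return self._revoke(lambda s: s.user == user)

    def _revoke(self, match) -> int:
        n = 0
        for sess in self._sessions.values():
            if not sess.revoked and match(sess):
                sess.revoked = True
                n += 1
        return n


def stolen_cookie_scenario() -> Dict[str, str]:
    """Constructed timeline: cookies are copied by an infostealer ten minutes after login
    and replayed from another machine two hours later; the user then removes the device."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    short = store.create("alice", "laptop", remember_me=False, now=t0)
    persistent = store.create("alice", "laptop", remember_me=True, now=t0)
    store.validate(short, now=t0 + 600)                      # genuine activity at +10 min
    results = {
        "short_session_replayed": store.validate(short, now=t0 + 600 + 7200),
        "remember_me_replayed": store.validate(persistent, now=t0 + 600 + 7200),
    }
    store.revoke_device("alice", "laptop")                   # user revokes the device
    results["remember_me_after_revoke"] = store.validate(persistent, now=t0 + 7900)
    return results
```

The scenario shows the three mitigations in order: the ordinary session has already idled out by the time the stolen copy is replayed, the “Remember me” session is still live because nothing times it out, and only an explicit device revocation closes that second hole. The cookie attributes are worth setting regardless, but the article’s point stands: they do not help once malware has read the cookie jar itself.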