Are you secure? Rowan Jordan/Getty Images
A security measure recommended by many websites and apps is easily hackable, potentially putting millions of people at risk, researchers have claimed.
Two-factor authentication (2FA) involves sending text message confirmation codes to your phone when you attempt to login to an online service. But if someone can compromise your phone, that will also give them access to your online accounts.
“SIM swapping” attacks do just that, allowing hackers to port phone numbers to new SIM cards. Mobile phone networks should have security measures in place to prevent this happening, but Kevin Lee at Princeton University and his colleagues .
Once a hacker has control of your phone number, they can reset passwords on online accounts by redirecting the 2FA confirmation texts.
“A stolen phone number goes beyond just defeating a victim’s two-factor authentication settings – it allows the attacker to impersonate as well as deny cellular service to the victim,” says Lee.
The team also analysed 140 different websites for their vulnerability to SIM swapping. They found that 17 large websites – whose names have been redacted for safety – were “doubly insecure”, meaning they never required a user to enter a password to gain access to an account, merely a phone number.
The team presented its findings to the networks involved: AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless, making 10 recommendations to improve security, such as preventing customer support representatives from accessing information before the customer authenticates their ownership of the account. Only one firm, T-Mobile, responded to the researchers, saying it would review how it authenticates customers.
Separately, New Scientist contacted all five companies. T-Mobile confirmed that it had changed its authentication process. US Mobile said less than 1 per cent of its SIM swap requests are made over the phone and that it is unlikely to fall victim to this kind of attack.
AT&T and Verizon directed New Scientist to CTIA, the US trade association that represents the wireless communication industry. “We all have a role to play in fighting fraud and we encourage consumers to use the many tools highlighted in this study to safeguard their personal information,” says Nick Ludlum at CTIA. Tracfone didn’t respond.
Victoria Baines at the University of Oxford’s Oxford Internet Institute supports the paper’s findings and methods, and the team’s recommendations, but her opinion is that the researchers should disclose which sites were most vulnerable. “These are the services we should all know the identities of,” she says.
“Most of these redacted websites with doubly insecure configurations have hundreds of millions of users, some even billions,” says Lee, adding that it wouldn’t be responsible to reveal their names.
But if users were thinking of turning off 2FA, the authors suggest that they think again. “At the end of the day, it’s still better than nothing,” says Lee.