Not too long ago, my phone started to reboot every so often without warning. Eventually I said: “Ok, enough is enough; it’s time to get a new one.” I ordered a new phone from Amazon (next-day shipping rocks!) and figured I could simply move my SIM card from the existing phone to the new one.
As it turns out, there are standard, mini, micro, and nano SIM sizes. My old phone was micro and my new phone was nano. Not a good situation since I wanted this process to be as easy as possible. (It was the weekend and I was feeling lazy.)
I went to the local store for my carrier and told the teenager working there that I needed a SIM for my new phone. She went in the back, came out with the SIM, and asked for two things: my phone number and a photo ID.
After I stated my number and presented a driver’s license, the employee scanned the new SIM card, inserted it into my new phone, and handed it back to me to make sure I had my number and that everything was working properly.
What does this have to do with information security? This whole process raised a number of red flags for me. Specifically, I was thinking about two-factor authentication.
We all know (or should know) that having two-factor authentication is better than not having it. But there are still major weaknesses. Namely, people.
Think about my situation. Let’s say I’m a hacker who managed to guess or obtain the CFO’s password at a company I’m targeting. I manage to log in to the system, but get stuck when I’m asked for the verification code from a mobile app for two-factor auth.
So, as this hacker, what do I need to do?
- Buy a new phone
- Create or buy a quick fake ID
- Head to the store
- Figure out the CFO’s cell phone number
- “Become” the CFO
At the store, pretending I’m the CFO, I hand the new phone to the teenage employee, show my shoddy driver’s license, and now I have his phone number. I then try to log in again, tell the system to send me a text to verify that I am “me,” and voila, I’m in!
Ideally, the company I’m targeting would detect that I have never accessed the system from my current IP and geo-location, but we all know most companies aren’t looking at logins with that level of scrutiny.
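The kind of login scrutiny described above can be automated with a small amount of logic. The following is an added example, not code from the original post: it replays a constructed stream of login events and raises an alert when a user who has always verified with an authenticator app suddenly verifies with a text-message code from a country and IP address never seen for that account. The event fields, the `cfo` and `analyst` accounts, and the sample IP addresses are all assumptions made up for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class LoginEvent:
    """One successful login, as an identity provider or SIEM might record it."""
    user: str
    ts: str           # ISO-8601 timestamp
    ip: str
    country: str      # country resolved from the IP by a geo-location lookup
    mfa_method: str   # "app" (authenticator code) or "sms" (text-message code)

@dataclass
class UserBaseline:
    """What we have previously seen for one account, learned from clean logins."""
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    mfa_methods: set = field(default_factory=set)

# Constructed sample data (not real logs): a CFO who always logs in from the
# same US addresses with an authenticator app, then one login that looks like
# the SIM-swap scenario in the post: SMS code, unknown IP, unknown country.
SAMPLE_LOGINS = [
    LoginEvent("cfo", "2024-03-01T09:00:00Z", "203.0.113.10", "US", "app"),
    LoginEvent("cfo", "2024-03-02T09:05:00Z", "203.0.113.10", "US", "app"),
    LoginEvent("cfo", "2024-03-03T08:58:00Z", "203.0.113.11", "US", "app"),
    LoginEvent("cfo", "2024-03-09T22:41:00Z", "198.51.100.77", "RO", "sms"),
    LoginEvent("analyst", "2024-03-09T10:00:00Z", "203.0.113.20", "US", "app"),
]

def evaluate_login(event, baseline):
    """Return the list of reasons this login is suspicious; empty means clean.

    A first login for an account has no baseline to compare against, so the
    checks only fire once the account has some history.
    """
    reasons = []
    if baseline.countries and event.country not in baseline.countries:
        reasons.append("new_country")
    # A text-message code from an address we have never seen is exactly the
    # signal a SIM swap produces: the attacker's phone, the attacker's network.
    if baseline.ips and event.ip not in baseline.ips and event.mfa_method == "sms":
        reasons.append("sms_code_from_new_ip")
    # Falling back from an authenticator app to SMS is itself worth a look.
    if baseline.mfa_methods and event.mfa_method == "sms" and "sms" not in baseline.mfa_methods:
        reasons.append("mfa_downgrade_to_sms")
    return reasons

def scan_logins(events):
    """Replay events in order and return (user, timestamp, reasons) alerts."""
    baselines = {}
    alerts = []
    for ev in events:
        baseline = baselines.setdefault(ev.user, UserBaseline())
        reasons = evaluate_login(ev, baseline)
        if reasons:
            alerts.append((ev.user, ev.ts, reasons))
        else:
            # Only learn from logins that did not trip an alert, so a
            # successful attacker login cannot quietly extend the baseline.
            baseline.ips.add(ev.ip)
            baseline.countries.add(ev.country)
            baseline.mfa_methods.add(ev.mfa_method)
    return alerts

if __name__ == "__main__":
    for user, ts, reasons in scan_logins(SAMPLE_LOGINS):
        print(f"ALERT {user} {ts}: {', '.join(reasons)}")
```

Run against the sample data, only the fourth CFO login is flagged, with all three reasons. The point of the design is that none of the checks requires a threat feed: an account's own history of addresses, countries and verification methods is enough to notice that "the CFO" just asked for a text message from somewhere the CFO has never been.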
As with most areas of security, people are still a massive vulnerability. In this case, it’s not even your people! It’s a teenager working at the local cell-phone store.
While two-factor authentication is great, I hope my new-phone experience reminds us that a layered defense posture is critical, as is continuous monitoring and having “eyes on glass.”