The End for SMS-Based Two Factor Authentication

Sep 19, 2016

For home users and enterprise professionals alike, SMS-based two-factor authentication (2FA) has become a relatively annoying fact of life. Type your password into your computer, wait while a text is sent to your phone, and then race to type in a second passcode before it expires. It’s a bit of a hassle, but for many it’s been the most important line of defense between hackers and confidential SaaS applications and financial information. Now, all of that may be about to change.

A new draft of the Digital Authentication Guideline issued by the U.S. National Institute of Standards and Technology (NIST) indicates that the days of SMS-based 2FA are numbered. The reasons are manifold. In short, new mobile snooping technology has made it easier for hackers to spy on the one-time passwords that are sent to mobile devices. With the use of this technology, hackers are able to bypass this once-foolproof protection mechanism.

How to Break Mobile 2FA

Two-factor authentication is necessary, in short, because passwords are bad. Many users, even people who should know better, often use the same password for more than one account. Thus, it’s easy for a hacker to steal a password from one account and use it to log into another. At the same time, it’s much harder for a hacker to steal a user’s phone. Where mobile 2FA is concerned, a user’s phone acts as a “token” which allows them to verify their identity in a way a hacker cannot.

As mobile technology has matured, however, there are now a number of ways that hackers can break into a user’s phone. Some of these methods involve redirecting the confirmation text message away from the victim’s phone, and into the attacker’s phone. This usually involves a social engineering attack, as was the case when a group of teenage hackers compromised the email accounts of CIA director John Brennan and other top intelligence officials late last year.

Another method involves mobile malware. Malware that specifically affects mobile devices isn’t too common yet, but its incidence has been steadily growing. Earlier this summer, security researchers discovered a sophisticated mobile malware package known as ‘Pegasus,’ targeted at iOS devices. Among other sinister capabilities, the malware had the ability to read text messages on an infected device. This would have allowed attackers to intercept SMS passwords in order to break mobile 2FA.

Lastly, there’s straight-up eavesdropping. You may have heard about something called a ‘Stingray’ device. This hardware essentially impersonates a cellphone tower, and forces nearby mobile devices to connect to it. Once they’re connected, the device captures cellphone metadata, and some versions can read SMS messages. Stingrays are usually used by state and federal law enforcement, but it is totally possible for garden-variety hackers to build and use them as well.

A Stronger Approach is Needed

There’s more than one way to hack mobile phones and break two-factor authentication. Social engineering, malware, and eavesdropping are just scratching the surface. A creative individual, not overly burdened with morals, has a plethora of choices if they decide to break into an account protected by mobile 2FA.

Fortunately, Coronet provides a robust buffer against individuals who wish to intercept two-factor authentication and break those solutions. Our service determines whether an attacker is present in the WiFi or cellular network your laptops and mobile devices are connected to, and prevents them from eavesdropping. 
