
Stopping SIM Card Cloning

The Importance Of MFA Today


Cybersecurity threats are on the rise, making it increasingly important to keep your email as secure as possible. If a threat actor gains access to your email, they can impersonate you and send new wiring instructions to vendors, or encourage your employees to click on links that will further compromise the organization. Multifactor Authentication (MFA) is now considered a must for several reasons.


1. Reduced Risk of Unauthorized Access: Even if someone cracks your password, they'd still need the second factor, making it much more difficult to breach the account.


2. Phishing Resistance: MFA can prevent attackers from gaining access even if they trick you into revealing your password. They would still need the second factor.


3. Compliance and Regulations: Some industries require MFA for compliance with regulations like HIPAA, PCI-DSS, or GDPR. It can save you from legal trouble and fines.


Now that we understand the importance of MFA for your email account, is it enough to just tie your codes to your cell phone number?


Different Types Of MFA


Authentication factors come in many different forms. Some use a hard token, which is a physical device that provides rotating codes. Others are applications you install on your phone, including Google Authenticator, Microsoft Authenticator, or Duo. All of these methods are more secure than having codes texted to your cell number. SMS texts are a popular method of authentication for users who don't want yet another work application added to their phone; however, they can open holes from a security perspective.


SIM Cloning


Having MFA codes sent via SMS text messages is one of the easiest ways to set up MFA, but it comes with drawbacks. A SIM card, or Subscriber Identity Module, is a small card inserted into mobile devices like phones and tablets. It stores data that identifies and authenticates the user on a cellular network, enabling access to voice, text, and data services. SIM cards can be swapped between devices, letting you keep your number and service when changing phones.


Unfortunately, these SIM cards can also be cloned or copied. When you give somebody physical access to your phone, they can take the SIM card out and copy it over to a blank card. From then on, they can read the text messages coming in to your phone number. Any private data shared via text can be read, including your MFA codes. An attacker would then just need your email password to gain access to your account.


Other Ways Of Cloning Your Number


Gaining physical access to your phone is one way people can clone your SIM card, but there are other ways for people to gain access to your text messages. Phone providers such as T-Mobile and Sprint will allow many different devices to share the same number. This is convenient if you want to read text messages on your tablet, smartwatch, and phone. While the service was designed for end users to access their SMS messaging on a variety of devices, attackers can take advantage of it.


Who Is Being Added To Your Devices?


The large carriers have been forced to add more protections against SIM cloning. For an attacker to get added to your account, they will need to know your phone account password. Many of the carriers will also allow you to add a PIN on top of this, as well as a SIM card transfer freeze that needs to be removed before new devices are added.

Increasing Security With Conditional Access


If your company is concerned about SIM card cloning, contact a consultant today. In Microsoft Azure, your tenant has the ability to add Conditional Access. With this in place, all newly created users are automatically forced to use MFA for their accounts. Not only that, you can restrict accounts further to make sure users are authenticating only with an MFA application or a hard token. Call a local security expert at 678-234-7783 today and we can guide you through setting up these safeguards for your users. We are happy to answer any questions you might have.
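
Before restricting accounts to an MFA application or hard token as described above, it helps to know which users still rely on a phone number. The following is an added example, not part of the original article: it classifies users from an exported registration report. It assumes the records use the field names of Microsoft Graph's userRegistrationDetails report, and the sample data is constructed.

```python
import json

# Assumption: records use the field names of Microsoft Graph's
# userRegistrationDetails report (userPrincipalName, isAdmin, methodsRegistered).
PHONE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}
APP_OR_TOKEN_METHODS = {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
                        "hardwareOneTimePasscode", "fido2SecurityKey"}

# Constructed sample export; the users and domain are placeholders.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", "isAdmin": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "bob@example.com", "isAdmin": False,
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "carol@example.com", "isAdmin": False,
     "methodsRegistered": ["hardwareOneTimePasscode"]},
    {"userPrincipalName": "dave@example.com", "isAdmin": False,
     "methodsRegistered": ["email"]},  # email alone is not counted as MFA here
    {"userPrincipalName": "erin@example.com", "isAdmin": True,
     "methodsRegistered": ["softwareOneTimePasscode", "officePhone"]},
]})


def classify(record):
    """Bucket one user by whether a phone number can satisfy their MFA."""
    methods = set(record.get("methodsRegistered") or [])
    has_phone = bool(methods & PHONE_METHODS)
    has_app_or_token = bool(methods & APP_OR_TOKEN_METHODS)
    if has_phone:
        return "phone_fallback" if has_app_or_token else "phone_only"
    return "app_or_token" if has_app_or_token else "no_mfa"


def audit(report_json):
    """Group every user in the report by classification."""
    findings = {"no_mfa": [], "phone_only": [], "phone_fallback": [], "app_or_token": []}
    for record in json.loads(report_json).get("value", []):
        findings[classify(record)].append(record["userPrincipalName"])
    return findings


def admins_with_phone_factor(report_json):
    """Admins for whom a phone number is still an accepted second factor."""
    return [r["userPrincipalName"] for r in json.loads(report_json).get("value", [])
            if r.get("isAdmin") and classify(r) in ("phone_only", "phone_fallback")]


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_REPORT), indent=2))
    print(admins_with_phone_factor(SAMPLE_REPORT))
```

Users in the `phone_fallback` bucket are easy to overlook: they have an authenticator app, but a text or call to their number still works until the phone method is removed or blocked by policy.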


