Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) methods such as one-time codes sent via SMS and voice calls and to replace them with newer MFA technologies, like app-based authenticators and security keys. Microsoft said that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts. Microsoft added that users should stay away from telephone-based MFA because of several known weaknesses in today's telephone networks.
Both SMS and voice calls are transmitted in cleartext and can be intercepted by determined attackers using techniques and tools like software-defined radios, femtocells, or SS7 intercept services.
SMS-based one-time codes are also phishable via open-source, readily available phishing tools like Modlishka, CredSniper, or Evilginx. Phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card, in attacks known as SIM swapping, which lets attackers receive MFA one-time codes on behalf of their victims. All of these make SMS and call-based MFA "the least secure of the MFA methods available today."
As MFA adoption increases overall, with more users enabling MFA on their accounts, attackers will also become more interested in breaking MFA methods, and SMS and voice-based MFA will naturally become their primary target because of its wide adoption.
What to do?
- Enable stronger MFA mechanisms such as Microsoft's Authenticator MFA app.
- The best solution is to upgrade to a hardware security key.
This doesn't mean that users should disable SMS or voice-based MFA on their accounts: SMS MFA is still far better than no MFA.
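As an added example (not from the original post), here is a small triage script that takes an export of users' registered MFA methods and flags the accounts that rely only on SMS or voice, so they can be moved to an authenticator app or hardware key first. The sample records are constructed, and the method names are assumed to follow the values Microsoft Graph reports in userRegistrationDetails.methodsRegistered; check them against your own tenant's export.

```python
"""Triage MFA registrations: find users who would be left with no MFA
if phone-based methods (SMS / voice) were disabled, and summarise how
many users sit in each strength tier."""
from collections import Counter

# Method names assumed to match Microsoft Graph's methodsRegistered values.
PHONE_BASED = {"mobilePhone", "alternateMobilePhone", "officePhone"}
APP_BASED = {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
             "microsoftAuthenticatorPasswordless"}
HARDWARE = {"fido2SecurityKey", "windowsHelloForBusiness"}

# Constructed sample export (not real users or real data).
SAMPLE = [
    {"upn": "alice@example.com", "methods": ["mobilePhone"]},
    {"upn": "bob@example.com", "methods": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"upn": "carol@example.com", "methods": ["fido2SecurityKey", "mobilePhone"]},
    {"upn": "dave@example.com", "methods": []},
    {"upn": "erin@example.com", "methods": ["officePhone", "alternateMobilePhone"]},
]


def classify(methods):
    """Return the strongest MFA tier a user has registered."""
    s = set(methods)
    if s & HARDWARE:
        return "hardware"
    if s & APP_BASED:
        return "app"
    if s & PHONE_BASED:
        return "phone-only"
    return "none"


def triage(records):
    """Return (tier counts, sorted UPNs of phone-only users).

    Phone-only users are the ones to migrate first: turning off SMS and
    voice today would leave them with no second factor at all."""
    tiers = {r["upn"]: classify(r["methods"]) for r in records}
    phone_only = sorted(u for u, t in tiers.items() if t == "phone-only")
    return Counter(tiers.values()), phone_only


if __name__ == "__main__":
    counts, at_risk = triage(SAMPLE)
    print("tier summary:", dict(counts))
    print("migrate first (phone-only):", at_risk)
```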
What can you do when this happens to you?
- If you find your network breached, immediately shut it down and identify the source of the breach.
- Determine whether any data has been corrupted and/or exfiltrated. If data has been lost, notify those affected immediately.
- Notify your local law enforcement cybercrimes division and the FBI.
- Restore the network from a known clean backup.