Authenticator Apps Can Protect You from SIM Swapping

We hate taking extra steps, especially if we think they’re complicated. But with the rise of SIM swapping, you might want to bite the bullet and get used to using an authenticator app.

The benefits of using an authenticator app for 2FA were illustrated by the problems of a new client who was victimized by a SIM swap of their phone number. The SIM swap caused untold problems, including untangling them based on hard-to-find phone records.

Again, just to recap from last month, SIM swaps happen when a bad actor is able to convince a carrier that they’re you and that you need to transfer your phone number to a new device. While the bad actor has your phone number hijacked, you lose your cellular service. You can’t make or receive phone calls or send or receive texts. If it happens for a short time and you’re not using your phone, you’ll never know it happened. If you’ve set up a form of 2FA that involves getting a code through a text message, you’ll never know about that, too.

An authenticator app is different. It uses a Time-Based One-Time Password (TOTP) algorithm to generate unique, time-sensitive codes for 2FA. The apps are set up on a mobile phone, and the process can be difficult for some. We suggest professional help to avoid untimely problems down the road.

When you type in a link from a computer or a phone to link the app to an online service, both the app and the service’s server use a shared secret key and the current time to independently generate the same time-sensitive codes. When a user logs in, they enter the code from the app, which the server verifies by comparing it to its own generated code. The verification code almost always comes in on your cell phone, and the authenticator app automatically regenerates the code every 30 seconds.

The key point here is that the authenticator app is tied to your device, not your phone number. So, if the bad actor tries to enter a website or app link that uses an authenticator app, they will not see the code. It will come to your device. If you don’t recognize the reason for that code being sent, it’s a big, bright flag that someone may have hijacked your phone number or breached your security in some way.

Of course, the website or online app being accessed must offer an authenticator app as a security measure. More of them are offering it as a security measure, and you should take advantage of it wherever you can. If you’re on your computer, you need to have your phone handy, and if you’re using your phone, it will take a little juggling. But it’s well worth the effort.

We can help you set up Microsoft Authenticator or any other authenticator app. Call us – 973-433-6676 – or email us to learn more about the app and get help setting it up.

It’s Time to be Authentic

Getting a text (SMS) code to verify your access to a website is becoming increasingly vulnerable because of SIM swapping. It’s essentially a way for a hacker to “borrow” your mobile phone number without you ever knowing it – until you suffer the consequences. It’s time to use a better authentication method.

One of our clients was victimized by SIM swapping. We suspected a problem when none of their cellular devices worked. They used a family member’s phone to call us about the problem. We told them to get to the Apple Store immediately to buy new devices and bring them directly to us – without opening any boxes. Using special tools, we were able to set up all their devices securely, but the damage had been done.

How does SIM swapping work? It requires a fraudster to convince a mobile carrier to transfer your phone number to a SIM card they control. With your phone number, the attacker can intercept one-time passcodes and two-factor authentication (2FA) codes sent via text message, allowing them to gain access to bank accounts, which they can quickly drain, and social media and other sensitive online services.

The SIM swappers usually get your information through phishing expeditions, which are designed to trick you into revealing details like birthdates, full names, and addresses. Then, they pretend to be the account holder and claim their SIM card is lost or damaged, and they request to have your number “ported” to a new SIM card, which they have in their phone. Conceivably, they can access your bank account if your 2FA is a text message, clean you out, and wipe the SIM from their phone. You’ll only notice it when your phone doesn’t work – at which point you’ll contact your carrier, who will issue you a new SIM card.

You can prevent SIM swapping by not using SMS or text as an authentication method. Our recommendation is to use an authenticator app, such as Microsoft Authenticator or Google Authenticator. If you are signing into a website from your computer, the authenticator will send a code to your phone, and you’ll enter the code from your computer.

This is one area we strongly urge you to avoid shortcuts. There are a lot of authenticator apps available, but Microsoft and Google have a lot at stake in your security. Both have huge customer bases and publish a lot of apps.

An alternative to an authenticator app is a biometric, such as facial recognition (iPhones and other Apple devices) or a thumbprint (Android phones). As with an authenticator app, these measures are device-specific.

We can help you set up both an authenticator app and biometric authentication to replace an SMS message. Call us – 973-433-6676 – or email us to talk about it.

Not All Cloud Storage is a Backup

We tend to use the terms data storage and data backup interchangeably. It can be a costly mistake.

Cloud storage is all about easy access to files. It’s not only your access, but also collaborative access that allows teams of people to work on projects together without the need to email various versions. Cloud storage servers such as Microsoft OneDrive, Google Drive, and Dropbox allow team members to be online at the same time and see changes to files in real time. They also allow a single user to access files from anywhere in the world where you can get an internet connection.

Stored files typically are not encrypted or protected with any special technology, and that makes them vulnerable to theft and ransomware attacks. If just one team member has lax security, such as an easily cracked password or uses an unsecured public network, all those stored files are exposed. Further, it could open someone up to SIM swapping.

How should you store your data? We like Microsoft’s Conditional Access, an access management solution that enforces security policies by bringing together real-time signals from users, devices, locations, and applications to block, allow, or require additional verification steps to access resources.

It works on a granular level. For example, you can set limits on which countries someone can log into your system. You can limit IP addresses. Steps like these can provide extremely useful insurance against worldwide hacker organizations that take advantage of local weaknesses in our global networks.

Installing and configuring the right access limits for your needs is not something you should attempt by yourself. There are myriad variables to the conditions that limit access, and if you make a mistake, you could lock out access to people who need it. If that happens, you’ll need an IT professional to undo the problems and reconfigure your system.

How should you back up your data? The short answer is to use specific backup technology. It makes a copy of files in storage and then encrypts them for protection. In the event of a cyberattack, a system outage or some other disaster, the encrypted files are used to restore the files to your system.

We can help you set up and configure both Microsoft Conditional Access and a backup program to keep you safely up and running. We can also provide the training needed to maintain both systems. Call us – 973-433-6676 – or email us to set up an appointment to design a coordinated plan that best meets your needs.

Secure Your Email

Email security continues to be the most vulnerable security link in your email chain. Ninety-six percent of all phishing attacks use email, and some three billion emails are launched daily. Phishing can cost businesses $26 billion annually. The more email accounts you have, the more vulnerable you are.

One of our clients had six email accounts, all of them created for a variety of legitimate reasons. The problem is that it meant they had to guard six doors against intruders. That’s worrisome enough, but if you use multiple email clients, such as Outlook and Gmail, you need to deploy your security measures in line with each client.

Google’s Gmail has a particular vulnerability. According to a report from Malwarebytes, Russian hackers were able to bypass Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks. They did it by posing as US Department of State officials in advanced social engineering attacks, building a rapport with their target, and then persuading them to create app-specific passwords (app passwords). App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Outlook faces several significant security challenges, including vulnerabilities that allow for remote code execution, phishing attacks, and the potential for credential theft. These vulnerabilities can lead to data breaches, unauthorized access, and the spread of malware.

Here’s how to strengthen your defenses.

  • Only use app passwords when absolutely necessary. Change to apps and devices that support more secure sign-in methods whenever you can.
  • Authenticator apps, such as Microsoft Authenticator, or hardware security keys (FIDO2/WebAuthn), are more resistant to attacks than SMS-based codes.
  • Stay up to date on phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords.
  • Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. Limit those logins where possible.
  • Regularly update your operating system and the apps you use to patch security vulnerabilities.
  • Enable automatic updates whenever possible so you don’t have to remember them yourself.
  • Use security software that can block malicious domains and recognize scams.

When it comes to SMS-based codes, we want to emphasize one particular vulnerability: SIM swapping. It’s one of the internet security industry’s biggest worries.

It’s undetectable and it works like this:

  • A hacker puts your mobile phone number on a SIM card installed in their own phone.
  • Using their phone, they get your authentication code, which gives them access to a website or email account.

Despite this vulnerability, SMS-based codes are better than nothing. At a recent training seminar, we learned that many people don’t use any kind of 2FA or MFA methods at all. That is totally unacceptable.

We can help you – and your employees and family members – set up better security measures on all apps devices. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.