Back in 2016 there was news, based on a NIST publication, that SMS-based second-factor authentication (2FA) is no longer considered secure: the messages can be intercepted, and there is no way for the application owner to confirm that the person who passed the OTP back to the app is the designated user it was sent to!
Refer: NIST Publication
Yes, this weakness cannot be ignored: Reddit, the social media network, was recently breached through the same vulnerability.
The attacker bypassed the SMS-based OTP!
Reddit learned about the data breach on June 19 and said that the attacker compromised a few Reddit employees' accounts with its cloud and source code hosting providers between June 14 and June 18.
The hack was accomplished by intercepting SMS messages that were meant to reach Reddit employees with one-time passcodes, eventually circumventing the two-factor authentication (2FA) Reddit had in place.
SMS-based 2FA/OTP is not secure.
While almost all the bank transactions we perform online in India are secured by SMS-based OTP (2FA), we need to think twice about whether we are really relying on the best standards.
This is definitely a wake-up call to all service providers who depend on SMS-based OTP for security: they need to move to app-based push or code-generation platforms, e.g. Google Authenticator, Authy, Duo, etc.
Watch out for 7 different OTP code-generator and push-based 2FA apps.
Share it on your social network!
Keep defending!