Part of this is the theory if one is compromised the other is less likely.
Think of this: a data breach exposed emails and passwords, so they then know how to log in to that platform. A lot of people use a common password, so that person could be more likely to get into that email with the same password.
If the 2FA is by another system, SMS, that would require the physical phone, much less likely to intercept without more info.
2FA means you need to authenticate with two factors, generally something you know (your password) and something you have (ideally, an authenticator app, but in this case SMS). Generally speaking, 2FA is something you have to turn on in your account settings, and, as a hacker, this isn’t something you would do unless you were trying to lock the true owner out of their account. At this point the theft has already happened and 2FA doesn’t even matter anymore. Given that you need to turn on 2FA, generally, that means you also are registering your second factor of authentication (phone number or authenticator app). Your phone is something you would have, and thusly receiving a text to a number you registered somewhat satisfies that requirement.
There are ways to intercept these messages as a malicious actor, but targeting an individual isn’t likely, especially if they already have 2FA turned on. It’s much more likely that they would attack a password storage provider like Lastpass to gain access to the many more credentials they store. 2FA kicks in here because even if they could decrypt the passwords they’ve stolen, they couldn’t also log in without your phone, which is simply something most hackers aren’t going to bother trying to steal, unless of course you are a notable person and targeting you would bear rewards making that additional risk worthwhile. If you’re on reddit, you’re probably not one of those people.
Companies still use it as it is less technically challenging for them and for many users. I disable 2FA via SMS whenever I have a more secure option. Though as mentioned it is better than nothing.
The funny thing is, many bank services have worse security options compared to a lot of other services like gaming (twitch, Xbox, etc) and social media (Reddit, Facebook).
Your statement “SMS is not encrypted” isn’t actually true. SMS is *mostly* encrypted. However… the message is encrypted in “hops”. The intermediate agents (Telecommunications Operators) decrypt the message, then re-encrypt it again when they pass it on.
The message between one mobile phone and another goes in four steps.
a) The message IS encrypted when it leaves your phone and travels as a radio wave to your telecommunications operator Telco A.
b) The Telco A decrypts the message when it arrives at their internal computer which handles messages — the SMSC (Short Message Service Centre).
c) The Telco A passes the message unencrypted over a private channel to the telecommunications operator Telco B which is the telco for the recipient.
d) Telco B passes the message encrypted over the radio waves.
In the case where the sender is a bank, steps (a) and (b) become…
(a/b) The bank sends the message to their telecommunications service provider Telco A over a channel which typically is encrypted via SSL.
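The four hops above, modelled in Python as an added example (not from the original thread): it records what each point on the path can read and contrasts it with a single end-to-end key. The `link_crypt` cipher, the key and observation-point names, and the sample message are all constructed stand-ins for the real radio-link ciphers and infrastructure.

```python
"""Model of hop-by-hop SMS encryption (steps a-d) vs. end-to-end encryption."""
import hashlib
import hmac
import os

# Constructed stand-in for a per-link cipher: real radio links use their own
# ciphers (e.g. A5/x on GSM); this HMAC-SHA256 keystream XOR only makes the
# model run and is NOT a production cipher.
def link_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # XOR: same op both ways

def deliver_hop_by_hop(message: bytes) -> dict:
    """Return what each observation point on the path sees (hypothetical names)."""
    k_radio_a, k_radio_b = os.urandom(32), os.urandom(32)  # per-link session keys
    nonce = os.urandom(8)
    seen = {}
    # (a) phone -> Telco A over the radio link, encrypted with Telco A's link key
    seen["radio_A"] = link_crypt(k_radio_a, nonce, message)
    # (b) Telco A's SMSC decrypts; the message sits there in plaintext
    seen["smsc_A"] = link_crypt(k_radio_a, nonce, seen["radio_A"])
    # (c) Telco A -> Telco B over the private interconnect, unencrypted
    seen["inter_telco"] = seen["smsc_A"]
    # (d) Telco B -> recipient's phone, re-encrypted with Telco B's link key
    seen["radio_B"] = link_crypt(k_radio_b, nonce, seen["inter_telco"])
    seen["recipient"] = link_crypt(k_radio_b, nonce, seen["radio_B"])
    return seen

def deliver_end_to_end(message: bytes) -> dict:
    """Same path, but sender and recipient share a key the telcos never hold.
    Radio-link encryption is omitted here: it changes nothing about what the
    telcos can read."""
    k_e2e, nonce = os.urandom(32), os.urandom(8)
    ct = link_crypt(k_e2e, nonce, message)
    seen = {"radio_A": ct, "smsc_A": ct, "inter_telco": ct, "radio_B": ct}
    seen["recipient"] = link_crypt(k_e2e, nonce, ct)
    return seen

def points_exposing_plaintext(seen: dict, message: bytes) -> set:
    """Observation points (other than the recipient) that hold the plaintext."""
    return {p for p, data in seen.items() if p != "recipient" and data == message}

if __name__ == "__main__":
    msg = b"Your one-time code is 482913"  # constructed sample OTP text
    print("hop-by-hop exposes at:", sorted(points_exposing_plaintext(deliver_hop_by_hop(msg), msg)))
    print("end-to-end exposes at:", sorted(points_exposing_plaintext(deliver_end_to_end(msg), msg)))
```

Running it shows the one-time code in the clear at the SMSC and on the inter-telco channel under hop-by-hop encryption, and nowhere but the recipient under end-to-end encryption.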