Multi-factor authentication is your first line of defense in protecting your applications, websites, and data: it requires a second factor, or more, to prove your identity before access is granted. Many use SMS as a second factor by sending a text with a login verification code. Understanding multi-factor authentication and how best to implement it is critical. Not all ‘factors’ are created equal.
A recent hack suggests that the method of presenting a second factor for authentication can be nearly as important as requiring multi-factor in the first place. Syniverse, a company you have most likely never heard of but have likely used unknowingly, was compromised. Syniverse quietly mentioned the breach in a couple of paragraphs of its 333-page SEC filing. Here is an excerpt from the filing:
“May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization (the “May 2021 Incident”)…the unauthorized access began in May 2016…individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers.”
In short, Syniverse was compromised for five years, and the compromise affected 235 customers. According to the company, the compromises had no impact on day-to-day operations. No harm, no foul. So who cares? 235 customers is not many; however, that number includes all major US carriers, servicing more than 340 million Americans. Syniverse’s global customers are the largest mobile carriers (think AT&T, China Mobile, Vodafone), and through Syniverse’s inter-connection services they reach seven billion mobile devices and process four billion transactions daily. SMS, MMS, and information like call records (‘to’, ‘from’, location) and billing particulars may have been exposed.
If you use SMS for multi-factor authentication, it may have been compromised through this third party. So sure, Syniverse’s day-to-day operations were not impacted and their customers were notified, but what about their customers’ customers?
The Syniverse May 2021 Incident is troubling: a third party may have exposed your private information and they only felt the need to mention it because of a corporate transaction. This example highlights the vulnerability of text messaging as a factor of authentication.
SMS is a popular choice as a second factor because it’s accessible to everyone, but it is also the least secure choice. There are many reasons why you should not choose SMS as a second factor. For starters, it is not encrypted. Still, it is better than nothing at all. We may never know the extent and nature of the Syniverse breach, but it’s likely not as benign as implied in the filing. Either way, turning on multi-factor authentication is a must.