Security experts advise against using SMS messages for two-factor authentication codes due to their vulnerability to interception or compromise. Recently, a security researcher discovered an unsecured database on the internet containing millions of such codes, which could be easily accessed by anyone.
The internal database, discovered by security researcher Anurag Sen, was left unprotected without a password despite being internet-facing. Anyone who knew the database’s IP address would be able to access it using nothing more sophisticated than a bog-standard web browser.
Although it wasn’t immediately clear who owned the exposed database, the guilty party was found to be YX International, an Asian company that provides SMS text message routing, among other services. YX International secured the database after TechCrunch contacted the company.
According to Forbes, with a daily flow of as many as 5 million SMS messages, the YX International database was a treasure trove of sensitive information, including password reset links and 2FA codes for companies such as Google, WhatsApp, Facebook and TikTok.
Do Google, WhatsApp And TikTok Users Have Cause For Concern?
With logs dating back as far as July 2023, the lack of a password to protect this database is shocking, but is it a security risk? From the perspective of the 2FA codes, I would have to say not very much. After all, such codes expire very quickly, and a threat actor would have to be monitoring both the additions to the database and the actions of a target at the same time. In the scheme of things, this is very unlikely indeed.
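The database described above held message bodies with reset links and one-time codes, plus months of history. As an added illustration (not code from this report, from TechCrunch, or from YX International), here is a defender-side sanitizer for an SMS routing log: it redacts codes and links from stored bodies, masks recipient numbers and drops records older than a retention window. The log field names and the sample records are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records in an assumed log shape; not real data.
SAMPLE_LOG = [
    {"ts": "2023-07-14T09:12:05Z", "to": "+15555550100",
     "body": "Your verification code is 482913. It expires in 10 minutes."},
    {"ts": "2024-02-28T16:40:21Z", "to": "+15555550101",
     "body": "Reset your password: https://example.test/reset?token=9f8e7d6c5b4a"},
    {"ts": "2024-02-29T08:00:00Z", "to": "+15555550102",
     "body": "Your table is ready, please come to the front desk."},
]

# 4-8 digit standalone numbers are treated as one-time codes; any URL is
# treated as a possible reset or magic-login link.
CODE_RE = re.compile(r"\b\d{4,8}\b")
URL_RE = re.compile(r"https?://\S+")


def redact_body(body):
    """Strip links first so that digits inside a URL are not matched twice."""
    body = URL_RE.sub("[REDACTED_URL]", body)
    return CODE_RE.sub("[REDACTED_CODE]", body)


def mask_phone(number):
    """Keep the last four digits for support lookups, hide the rest."""
    digits = re.sub(r"\D", "", number)
    return "+" + "*" * (len(digits) - 4) + digits[-4:]


def sanitize_log(entries, now=None, max_age_days=30):
    """Return a copy of the log that is safe to retain: old rows dropped,
    recipients masked, secrets removed from message bodies."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for entry in entries:
        ts = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ts.replace(tzinfo=timezone.utc) < cutoff:
            continue  # beyond the retention window, do not store at all
        kept.append({"ts": entry["ts"],
                     "to": mask_phone(entry["to"]),
                     "body": redact_body(entry["body"])})
    return kept


if __name__ == "__main__":
    for row in sanitize_log(SAMPLE_LOG, now=datetime(2024, 3, 1, tzinfo=timezone.utc)):
        print(row)
```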
Does This Mean You Shouldn’t Use SMS For 2FA Security Codes?
According to researchers, “one-time passwords via SMS are a far safer option than relying on a password alone, but when threats are now multi-layered themselves, accounts need the strongest multi-layer protection themselves to stay secure.”
Passkeys, authenticator apps and physical security keys all offer even stronger protection. “So, when setting up security is now easier than ever,” Moore continues, “anyone left relying on passwords alone or using SMS 2FA codes might want to reconsider their original choice.”
Although users don’t need to be too concerned that 2FA codes were included in the misconfigured and unprotected database in question, that doesn’t mean there isn’t a lesson to be learned. If anything, it adds weight to the argument against using SMS when other options are available, as it illustrates how such text message codes can be compromised. “Text messages use outdated technology and it’s good practice to keep up with the latest account protection on offer,” Moore concludes, “but when convenience and security match each other in perfectly equal measures, it really is a no-brainer to opt for another option other than SMS.”