Google is dropping SMS authentication for QR codes
Google has called time on the SMS verification method as hackers continue to manipulate the process to compromise accounts


Google appears finally ready to deprecate using SMS codes for multi-factor authentication (MFA) in Gmail, according to insiders at the search giant.
On 23 February, Forbes reported internal sources at Google had revealed the firm made the decision to do away with SMS codes for authentication, with QR codes set to replace them.
A Google spokesperson said that much like its effort to replace passwords with passkeys, it's looking to move away from SMS authentication in light of a global torrent of cyber attacks abusing SMS-based MFA processes.
The primary weakness of SMS code authentication is that attackers can trigger the MFA process, intercept the one-time passcode (OTP), and use it to compromise accounts.
This can be achieved by tricking victims into revealing their OTPs via social engineering scams, or by taking control of the victim’s phone number via a SIM swapping attack.
The spokesperson said SMS verification also plays a role in ensuring cyber criminals cannot abuse its services for malicious purposes, but has been exploited in some scams like SIM swapping and traffic pumping.
Rishi Bhargava, co-founder of Descope, described Google’s decision to finally do away with SMS code authentication as a pivotal moment in the security industry, but considering the process's weaknesses he labelled the move long overdue.
“Google's decision to abandon SMS authentication is a watershed moment in security, but it's unsurprising, given that SMS has been the weakest link in MFA for years,” he noted.
Bhargava highlighted that Google also cited traffic pumping, in which criminals trick service providers into sending OTPs to premium lines they control, generating profit each time an SMS verification is sent.
“While SMS codes are better than no authentication, they are vulnerable to phishing, SIM swapping, and real-time interception attacks that bypass traditional MFA. What's particularly telling is Google citing 'traffic pumping' scams as a key driver - where fraudsters exploit SMS infrastructure for financial gain.”
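A defender-side illustration of the traffic pumping pattern described above, added here and not taken from Google, Descope or ITPro: pumped OTP traffic tends to show up as many sends to one number range with almost no codes ever verified. The event format, prefix length and thresholds below are assumptions, and the sample numbers are constructed.

```python
from collections import defaultdict

# Constructed sample OTP events: (destination number, was the code later verified?).
# The +999 range is not a real country code; the other ranges are fictional-use numbers.
SAMPLE_EVENTS = (
    [(f"+15550100{i:02d}", i < 8) for i in range(10)]      # low volume, 80% verified
    + [(f"+4477009{i:05d}", i < 27) for i in range(30)]    # high volume, 90% verified
    + [(f"+99912345{i:03d}", i == 0) for i in range(41)]   # high volume, ~2% verified
)


def flag_pumping_prefixes(events, prefix_len=7, min_sends=20, max_conversion=0.10):
    """Return number prefixes with many OTP sends but very few completed verifications.

    prefix_len, min_sends and max_conversion are illustrative assumptions and
    need tuning against a service's own baseline conversion rate.
    """
    sent = defaultdict(int)
    verified = defaultdict(int)
    for number, was_verified in events:
        prefix = number[:prefix_len]
        sent[prefix] += 1
        if was_verified:
            verified[prefix] += 1

    flagged = []
    for prefix, count in sent.items():
        conversion = verified[prefix] / count
        # Volume alone is not suspicious; volume with near-zero conversion is.
        if count >= min_sends and conversion <= max_conversion:
            flagged.append((prefix, count, round(conversion, 2)))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for prefix, count, conversion in flag_pumping_prefixes(SAMPLE_EVENTS):
        print(f"{prefix}*: {count} OTP sends, conversion {conversion:.0%}")
```

Flagged prefixes are candidates for rate limiting or blocking SMS delivery to that range, not proof of fraud on their own.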
Google’s QR code switch set for the ‘near future’, but fears remain
Moving forward, when verifying phone numbers Google will be transitioning to using a QR code that the user can scan using their mobile device.
Firstly, this will significantly reduce an attacker’s ability to trick users into sharing their verification codes as it's far more difficult to share a QR code than a simple six-digit number.
The new verification system will also remove the network providers, who can be manipulated in SIM swapping and traffic pumping, from the process.
QR codes are not without their own weaknesses when it comes to cybersecurity. QR code phishing, or ‘quishing’, is an increasingly prevalent attack vector employed by threat actors.
After Google transitions to QR code verification, cyber attackers may take advantage of the increased usage of the tool and tailor their phishing attack chains to mirror this process.
In one campaign observed by Trend Micro, threat actors were found distributing a malicious QR code disguised as a two-factor authentication method for ‘documents’ being sent to victims.
A senior researcher at Trend Micro told ITPro that QR code-based attacks pose a considerable threat as phones often lack many of the security protections that PCs are equipped with and are an easier target to compromise for attackers.
Google has not given a specific timeframe in which the transition will be made for Google account holders, but added that users should look out for updates from the firm in the ‘near future’.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.