Google appears finally ready to deprecate using SMS codes for multi-factor authentication (MFA) in Gmail, according to insiders at the search giant.
On 23 February, Forbes reported internal sources at Google had revealed the firm made the decision to do away with SMS codes for authentication, with QR codes set to replace them.
A Google spokesperson said that much like its effort to replace passwords with passkeys, it's looking to move away from SMS authentication in light of a global torrent of cyber attacks abusing SMS-based MFA processes.
The primary weakness of SMS code authentication is that attackers trigger the MFA process to intercept the one time passcode (OTP) and use this to compromise accounts.
This can be achieved by tricking victims into revealing their OTPs via social engineering scams, or by taking control of the victim’s phone number via a SIM swapping attack.
The spokesperson said SMS verification also plays a role in ensuring cyber criminals cannot abuse its services for malicious purposes, but has been exploited in some scams like SIM swapping and traffic pumping.
Rishi Bhargava, co-founder of Descope, said Google’s decision to finally do away with SMS code authentication as a pivotal moment in the security industry, but considering the process's weaknesses he labelled the move long overdue.
“Google's decision to abandon SMS authentication is a watershed moment in security, but it's unsurprising, given that SMS has been the weakest link in MFA for years,” he noted.
Bhargava highlighted that Google also cited traffic pumping, which involves criminals tricking service providers into sending OTPs to premium lines they control thus generating profit each time an SMS verification was generated.
“While SMS codes are better than no authentication, they are vulnerable to phishing, SIM swapping, and real-time interception attacks that bypass traditional MFA. What's particularly telling is Google citing 'traffic pumping' scams as a key driver - where fraudsters exploit SMS infrastructure for financial gain.”
Google’s QR code switch set for the ‘near future’, but fears remain
Moving forward, when verifying phone numbers Google will be transitioning to using a QR code that the user can scan using their mobile device.
Firstly, this will significantly reduce an attacker’s ability to trick users into sharing their verification codes as it's far more difficult to share a QR code than a simple six digit number.
The new verification system will also remove the network providers who can be manipulated in SIM swapping and traffic pumping.
QR codes are not without their own weaknesses when it comes to cybersecurity. QR code phishing, or ‘qishing’, is an increasingly prevalent attack vector employed by threat actors.
RELATED WHITEPAPER
After Google transitions to QR code verification, cyber attackers may take advantage of the increased usage of the tool and tailor their phishing attack chains to mirror this process.
In one campaign observed by Trend Micro, threat actors were found distributing a malicious QR code disguised as a two-factor authentication method for ‘documents’ being sent to victims.
A senior researcher at Trend Micro told ITPro that QR code-based attacks pose a considerable threat as phones often lack many of the security protections that PCs are equipped with and are an easier target to compromise for attackers.
Google has not given a specific timeframe in which the transition will be made for Google account holders, but added that users should look out for updates from the firm in the ‘near future’.
MORE FROM ITPRO
- INSERT CONTENT
-
How to implement a four-day week in techIn-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businessesIn-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victimsNews Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
-
Hackers are using Microsoft 365 features to bombard enterprises with phishing emails – and they’ve already hit more than 70 organizationsNews A new phishing campaign uncovered by researchers at Varonis shows threat actors are abusing Microsoft 365's Direct Send feature to launch phishing attacks.
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
-
100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's whyNews Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
-
Employee phishing training is working – but don’t get complacent
News Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
Healthcare organizations are turning a blind eye to phishing attacks
News A survey reveals that most attacks go unreported, putting patient data at risk
