SecureMac, Inc.

Checklist 265: Strengthening 2FA and Guarding Our Hearts

February 4, 2022

Security issues with SMS-based 2FA; Apple introduces domain-bound codes; avoiding Valentine’s Day scams this year.

Checklist 265: Strengthening 2FA and Guarding Our Hearts

On this week’s Checklist:

The problem with SMS for 2FA

Using two-factor authentication that sends security codes via SMS is far better than nothing. But it’s not ideal. There are several security issues with SMS-based 2FA, but the main one is that it can easily be subverted in a SIM-swapping attack.

SIM swapping is when bad actors call a cellular provider and try to persuade them to reassign a phone number to a new SIM card: a SIM card in a device that they control. If the attackers succeed, incoming SMS messages for that phone number will be sent to their phone instead of to the legitimate owner’s —including SMS messages with the victim’s 2FA codes. Unfortunately, this isn’t just theoretical: a study conducted by Princeton University researchers in 2020 found that it was easy — ridiculously easy — to pull off a SIM-swapping attack.

For this reason, it’s far safer to use an authenticator app for 2FA instead of relying on SMS messages. But that’s not always possible. For one thing, app-based 2FA isn’t supported by every website. In addition, many people are reluctant to use authenticator apps because of the perceived complexity. They stick with SMS because it’s quick, it’s simple, and it’s what they know.

Apple autofill and 2FA SMS safety

2FA using SMS definitely isn’t perfect. But in many cases, it’s what we’re stuck with. Here’s some good news: Apple has just made using SMS messages for two-factor authentication a little bit safer. 

If you’ve ever used SMS for 2FA on a Mac or an iPhone, you know that Safari, iOS, and various apps can autofill 2FA codes for you. That’s very convenient, but there’s a potential security issue here. 

Credential phishing websites are set up to steal your username and password. If they’re successful, they will relay the stolen credentials to the website that they’re impersonating and attempt to log in as you. In theory, 2FA should protect you. You try to log in to the fake website, the attackers send your login details to the real website, but then the real website sends a 2FA code to your phone: a code that the attackers don’t have.

A sophisticated attacker, however, might set up a phishing site that accepts 2FA verification codes in addition to login credentials, and abuse Apple’s autofill feature in order to make the attack more likely to succeed. After all, a target who has already been tricked into entering their username and password on a fake website would most likely also autofill any 2FA code that was generated because of the attackers’ login attempt — thus giving the bad guys the 2FA code required to complete the login!

Domain-bound 2FA codes to the rescue

For this reason, Apple has introduced something called domain-bound codes for 2FA. Developers can use Apple’s domain-bound codes to enhance the security of the SMS codes that they send to their users. They do this by attaching website domain information to the 2FA codes that they send out.

The format looks like this:

Your SomeApp Code is [123456]. Don’t share it with anyone. @[SomeApp] #[123456] %[SomeApp.com]

That extra domain information at the end is crucial. If there’s a mismatch between the domain in the 2FA SMS message and the domain of the website where you’re trying to enter the 2FA code, Apple’s autofill feature won’t function. If that happens to you, be careful! You could be on a phishing website without knowing it. Proceed with extreme caution.

Lastly, bear in mind that all of this only works if two conditions are met:

1.) The developers of the app or website you’re using have implemented domain-bound codes for 2FA

2.) You’re running iOS 15, iPadOS 15, or macOS 11 Big Sur or newer.

Avoiding scams this Valentine’s Day

It’s almost Valentine’s Day! You know what that means: flowers, candy, bad poetry on greeting cards … and scams.

Each year the bad guys come out to take advantage of Valentine’s Day. It’s pretty predictable, but the scams do vary a bit from year to year. Here’s what to watch out for in 2022:

Romance scams and older folks

Romance scams are always a danger around Valentine’s Day, but law enforcement agencies say that the elderly are now being targeted with greater frequency. 

If you have an older friend or relative, and they have a mysterious new “online friend”, take a moment to ask some questions and learn more. If you spot the signs of a romance scam, it’s time for an awkward but necessary conversation. (For advice on how best to do this, check out Checklist 68: Scams That Target the Elderly).

Phishing, delivery, and shopping scams

Whenever lots of people are shopping at the same time, scammers try to take advantage. The scams run the gamut: fake coupons that take you to phishing sites, emailed “advertisements” containing malware, package delivery scams, brand impersonation, and good old-fashioned consumer fraud.

If you’ve followed The Checklist for a while now, you may already be familiar with some of these issues, and with the best practices for staying safe. But if you want a refresher, here are a few past shows that can help:

To ask us a question about security and privacy, send us an email.

Get the latest security news and deals