A database holding millions of two-factor authentication (2FA) codes, text messages, names, cellphone numbers, password-reset links, shipping details and other information was left unsecured and reachable from the internet.
Voxox, a communications company based in San Diego, is the company responsible for the exposed server.
To understand the context, it’s useful to look at how SMS-based 2FA works. For example, when a user tries to log in to a bank account from a different browser or machine, the site may flag the login as anomalous. When that happens, a verification step is activated to confirm that the person is authorized to access the account, and a one-time 2FA code is generated and sent to the user. Businesses such as Voxox serve as a gateway, as TechCrunch explains, “converting those codes into text messages, to be passed on to the cell networks for delivery to the user’s phone.”
Sébastien Kaul, a Berlin-based security researcher, discovered the issue using Shodan, a search engine that indexes internet-facing devices and databases. What made the situation even worse, according to TechCrunch, was that the server was configured so that anyone who found it could read, browse, and search the records by name, phone number, and the contents of the text messages.
Reviewing the exposed data, TechCrunch found alarmingly sensitive information. The records, they noted, were tagged and detailed to include “the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.” More than 26 million text messages from this year were accessible.
As TechCrunch points out, even setting aside the leaked personal information and phone numbers, the exposure of the 2FA codes on their own was a serious security issue that put numerous accounts at risk. “In some cases, websites will only require a phone number to reset an account. With access to the text message through the exposed database, hijacking an account could take seconds.”
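The flow described above (the site generates a code, the gateway stores and relays it, an attacker who can read the gateway’s records uses it against a phone-number-only reset) is easy to simulate end to end. The following is an added, constructed Python example written for this page; it is not Voxox’s or TechCrunch’s code and it does not reproduce the real database schema. The gateway class, the `ResetService`, the bank name, the shortcode and the phone number are all assumptions. It shows the hijack succeeding when the gateway retains full message bodies, and failing when the gateway keeps only delivery metadata, while the reset service itself enforces single use and a short expiry.

```python
"""Constructed simulation of an SMS one-time-code flow and a gateway data leak.

Added example for illustration; the gateway, service, customer name,
shortcode and phone number are all assumptions, not real Voxox data.
"""
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GatewayRecord:
    """One row of the kind the exposed table held: recipient, customer,
    shortcode and message (constructed field names)."""
    recipient: str
    customer: str
    shortcode: str
    message: str


class SmsGateway:
    """Stand-in for an SMS gateway sitting between a website and the carriers.

    retain_bodies=True mirrors the exposed configuration: every message body
    is kept and searchable. retain_bodies=False keeps delivery metadata only.
    """

    def __init__(self, retain_bodies: bool) -> None:
        self.retain_bodies = retain_bodies
        self.records: List[GatewayRecord] = []

    def send(self, recipient: str, customer: str, shortcode: str, message: str) -> None:
        # In a real gateway the message would go on to the carrier here; this
        # simulation only models what is written to the gateway's own store.
        stored = message if self.retain_bodies else "[body not retained]"
        self.records.append(GatewayRecord(recipient, customer, shortcode, stored))


class ResetService:
    """Password reset that requires only a phone number plus the SMS code."""

    def __init__(self, gateway: SmsGateway, ttl_seconds: int = 300) -> None:
        self.gateway = gateway
        self.ttl = ttl_seconds
        self.pending: Dict[str, Tuple[str, int]] = {}  # phone -> (code, expires_at)

    def start_reset(self, phone: str, now: int) -> None:
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code, zero-padded
        self.pending[phone] = (code, now + self.ttl)
        self.gateway.send(phone, "examplebank", "12345",
                          f"Your password reset code is {code}")

    def verify(self, phone: str, code: str, now: int) -> bool:
        entry = self.pending.get(phone)
        if entry is None:
            return False
        expected, expires_at = entry
        if now > expires_at:            # short expiry window
            del self.pending[phone]
            return False
        if not hmac.compare_digest(expected, code):  # constant-time compare
            return False
        del self.pending[phone]         # single use: a replayed code fails
        return True


CODE_RE = re.compile(r"\b(\d{6})\b")


def harvest_code(gateway: SmsGateway, phone: str) -> Optional[str]:
    """What an attacker with read access to the exposed store would do:
    look up the victim's number and pull the code out of the message body."""
    for rec in reversed(gateway.records):
        if rec.recipient == phone:
            m = CODE_RE.search(rec.message)
            return m.group(1) if m else None
    return None


def attempt_hijack(retain_bodies: bool, now: int = 1_000_000) -> bool:
    """Attacker knows only the victim's phone number; returns True if the
    reset is completed using a code read from the gateway's records."""
    gateway = SmsGateway(retain_bodies)
    service = ResetService(gateway)
    victim = "+15555550100"            # constructed number
    service.start_reset(victim, now)    # attacker triggers the reset
    code = harvest_code(gateway, victim)
    if code is None:
        return False
    return service.verify(victim, code, now + 5)


if __name__ == "__main__":
    print("bodies retained, hijack succeeds:", attempt_hijack(True))
    print("bodies not retained, hijack fails:", attempt_hijack(False))
```

Single use and a short TTL limit how long a leaked code stays useful, and not retaining message bodies at the gateway is what would have kept the codes out of a database dump like this one. Neither protects against someone reading the gateway store in real time while the code is still valid; that is why a code delivered over SMS, and visible to every intermediary on the way, is weaker than a factor that never leaves the user’s device.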
Voxox took the database down once it was contacted by TechCrunch.
Get the full story at TechCrunch.