
That pentest report that called me out on MFA gaps

Got a pentest report back last October from a client in Austin. The tester pointed out we had 12 legacy accounts still using SMS-based MFA instead of app-based authenticators. I argued it was fine for months until they showed me how easy sim swapping actually is. Switched all those accounts to Microsoft Authenticator push notifications within a week after seeing their demo. Has anyone else had a pentester call out something you thought was secure but really wasn't?
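The gap described in this post (legacy accounts whose only second factor is SMS, plus the follow-up of moving them to app-based push) is easy to find programmatically once you have an export of each account's registered MFA methods. The script below is an added example written for this thread, not the poster's or any vendor's code: the method ranking, the `Account` shape and the sample export are all constructed here, and you would map your own identity provider's method names onto them.

```python
"""Audit MFA registrations and flag accounts that rely on SMS/voice.

Added example for the discussion above; the method ranking, the Account
shape and the sample data are all constructed, not taken from any real
tenant or vendor API.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Relative strength of second-factor methods, weakest first. Constructed
# policy for this example: phone-number-bound methods rank lowest because a
# SIM swap or port-out hands them to whoever controls the number.
METHOD_RANK = {
    "sms": 1,
    "voice": 1,
    "totp": 2,    # authenticator app, time-based code
    "push": 3,    # authenticator app push approval (e.g. Microsoft Authenticator)
    "fido2": 4,   # hardware-bound, phishing-resistant
}


@dataclass
class Account:
    upn: str
    methods: List[str]  # registered MFA method names, lower-case


def strongest_method(account: Account) -> Optional[str]:
    """Return the highest-ranked registered method, or None if nothing is registered."""
    known = [m for m in account.methods if m in METHOD_RANK]
    return max(known, key=METHOD_RANK.__getitem__) if known else None


def audit(accounts: List[Account], minimum: str = "totp",
          flag_weak_fallbacks: bool = True) -> List[Tuple[str, str]]:
    """Flag accounts that do not meet the `minimum` method strength.

    With flag_weak_fallbacks=True an account that has a strong method but
    still keeps SMS/voice registered is also reported: most sign-in flows let
    the user (or whoever holds the phone number) choose the weaker method.
    """
    threshold = METHOD_RANK[minimum]
    findings = []
    for acct in accounts:
        best = strongest_method(acct)
        weak = sorted(m for m in acct.methods
                      if m in METHOD_RANK and METHOD_RANK[m] < threshold)
        if best is None:
            findings.append((acct.upn, "no MFA method registered"))
        elif METHOD_RANK[best] < threshold:
            findings.append((acct.upn,
                             f"strongest method is {best}; below policy minimum {minimum}"))
        elif flag_weak_fallbacks and weak:
            findings.append((acct.upn,
                             f"weak fallback still registered: {', '.join(weak)}"))
    return findings


# Constructed sample export; these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("legacy-svc1@example.test", ["sms"]),
    Account("legacy-svc2@example.test", ["voice", "sms"]),
    Account("alice@example.test", ["push"]),
    Account("bob@example.test", ["push", "sms"]),    # migrated, but SMS left enabled
    Account("carol@example.test", ["fido2", "totp"]),
    Account("dave@example.test", []),
]

if __name__ == "__main__":
    for upn, reason in audit(SAMPLE_ACCOUNTS):
        print(f"{upn}: {reason}")
```

The `flag_weak_fallbacks` switch is the part worth keeping on after a migration like the one in the post: adding a push method to an account does not by itself remove SMS as a selectable option, so the audit should keep reporting until the phone-based method is actually unregistered.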
3 Comments
eva_thompson
Honestly I used to think SMS was fine too. I figured if someone had my phone number they still couldn't get past my password. Then a buddy showed me how easy SIM swapping really is with just a phone call to the carrier. That changed my mind real quick.
6
kellyjones · 25d ago
Yikes, that's exactly what happened to a friend of mine a couple years back. He got a text from his carrier saying his number was being transferred, but he thought it was a scam at first. Then his phone went dead silent for about an hour, no service at all. By the time he got it sorted out, the hackers had already used his SMS codes to get into his email and then his PayPal. He lost about 400 bucks before he could freeze everything. The carrier admitted someone just called in and convinced them to swap the SIM, no ID check or anything. It's scary how little it takes.
10
murphy.abby
Wait hold on "just a phone call to the carrier"??? That's insane lmao. @eva_thompson are you serious? Like they don't even need to know your password or security questions? I always figured those carrier stores had some kind of verification process. That is genuinely terrifying to hear because I still have friends who use SMS codes for their bank accounts and I'm gonna have to send them this post now lol.
5