If the OTP entered is correct, then the user can log in to their account.

How does the 2FA scenario above protect our account from hackers?

The Anti-Phishing Working Group states that almost 70% of initial system compromises originate from phishing.

Likewise, account takeover is most often carried out by tricking the victim into entering their credentials in a fake login form. In another scenario, hackers can harvest credentials through malware installed via pirated or cracked applications, keyloggers and other malicious software. Beyond that, our credentials can be exposed in a data breach and then circulated through forum channels on both the dark web and the surface web.


If successful, all of the attacks above actually yield only one factor, namely the knowledge factor. Users who enable 2FA will face an additional authentication challenge based on another factor, such as an OTP, which is also time-limited. Moreover, with 2FA, users receive notifications about login attempts and about OTPs being sent, which alerts them earlier to a hacker's attempt to take over the account. So, with 2FA, taking over an account becomes more complex, which makes it less likely that a hacker succeeds.

Vulnerabilities of sending OTP via SMS

Another vector that may still be a vulnerability is the OTP delivery process, namely the channel through which the OTP is sent to the user. There are many delivery options; one that is quite often used is SMS (Short Message Service), also called SMS-based 2FA. SMS is used as a channel for sending OTPs because it is a basic cellular network service available to everyone who uses a phone, which makes it the default choice for verification. However, behind this convenience lie several fundamental security problems.


Network interception vulnerability via SS7 attack. One of the vulnerabilities of using SMS to receive OTP codes is that SMS is prone to network interception. The technique used for this tapping is the SS7 attack. SS7 (Signalling System No. 7) is a protocol used in telecommunications for telephone calls, roaming and SMS. SS7 is a fundamental protocol in the cellular communication stack, so all types of cellular communication pass through it. SS7 is responsible for setting up and tearing down telephone calls over digital signalling networks to enable cellular and wireless connectivity. SS7 attacks work by exploiting security gaps in the SS7 protocol that allow traffic to be intercepted. Several sources explain that SS7 is actually a closed system whose information can only be accessed by the provider and the government, but in practice it is assumed that SS7 exploit kits are within reach of hackers. The following is a video simulating an SS7 attack on WhatsApp. This attack exploits weaknesses in the SS7 protocol that allow data theft, eavesdropping, text interception and location tracking. In the video, the OTP is obtained by intercepting the SMS and then used to verify on the victim's WhatsApp, so that the account is taken over.


SIM double trouble: swapping and cloning. Another vulnerability in SMS-based authentication lies in the SIM card (Subscriber Identity Module) or, put differently, in the phone number itself. This attack method takes over the SIM so that every security code sent to the phone number via SMS arrives on the SIM the attacker now controls. There are two methods hackers usually use to take over a SIM, namely SIM swapping and SIM cloning. SIM swapping is a crime that involves taking over the victim's phone number. Hackers first gather information about the victim, then try to take over the SIM card by impersonating the victim and presenting the victim's personal information at the operator's outlet. After receiving a new SIM card from the provider, the hacker activates the number and the victim's original SIM card is deactivated by the provider. In this scenario the hacker now holds both the SIM card and the number, so the OTP code is delivered to the hacker's new SIM. SIM cloning, meanwhile, is a technique for duplicating SIM cards that is commonly used for crime. This attack uses SIM-copying software to duplicate the original SIM, so the hacker needs physical access to the target's original SIM. After obtaining it, the hacker duplicates it with the software and then activates the copy. Because both SIM cards carry the same identity, every time an OTP is sent via SMS the provider delivers it to both. Thus, through the attack schemes above, the security level of SMS-based 2FA ultimately depends on the security of the SIM card, which evidently has many loopholes to exploit.


Possible connection problems and third-party problems. Authentication via SMS OTP depends entirely on a third party's network, namely the mobile operator, to deliver the required code. So, when we have connectivity problems, the OTP cannot reach our SMS inbox. Apart from that, when we are abroad we may not get a signal from our provider and may not receive the OTP at all. SMS authentication that relies on third parties is also very vulnerable to hacking or data theft through phishing. Third-party access is a vulnerability because it is very difficult to control the security of their systems and the flow of data in and out of them.


Alternatives for delivering the 2FA OTP

The alternative solution offered is to use an authenticator application, an app that implements the 2FA mechanism through the OTPs it generates. The steps the user carries out are as follows:


  • Install the authenticator application on the smartphone,
  • Go to the security settings of the service for which you want to enable application-based 2FA,
  • Select 2FA (assuming the option is there); the service will show a QR code that can be scanned directly into the authenticator application,
  • Scan the code with the app,
  • The application will generate a new OTP every 30 seconds.


The code is generated from a secret key (known only to the user and the server) and the current 30-second time window. Both components are the same on the user's device and on the service, so the codes are generated in sync. This algorithm is called OATH TOTP (Time-based One-Time Password), and it is by far the most commonly used. Several of the risks of SMS-based 2FA can be avoided by using this application-based mechanism. Some alternative applications you can use are as follows:


  • Google Authenticator: Android, iOS
  • Microsoft Authenticator: Android, iOS
  • FreeOTP: Android, iOS (open source)
  • Authy: Android, iOS, Windows, macOS, Chrome
  • Key: Android, iOS


Don't hesitate: get extra protection for your company against cyber attacks with Visionet. We are ready to help with whatever concerns you have. Contact us!
