Full Report
The company wants its users to move away from using SMS in two-step verification. The post "Here’s what Google is (and isn’t) planning with SMS account verification" appeared first on CyberScoop.
Analysis Summary
# Main Topic
Google is initiating a gradual transition to phase out SMS-based verification as a mechanism for two-step verification (2SV) across its suite of services, including Gmail, due to inherent security vulnerabilities and financial fraud schemes associated with text messages.
## Key Points
- Google is replacing SMS one-time codes with a QR code-based verification system when users create new accounts in certain situations.
- The transition away from SMS will be gradual and rolled out regionally, with no firm timeline for completion.
- SMS verification codes are vulnerable to phishing attacks in which users share codes with adversaries.
- SMS verification is also susceptible to a financial scam known as "traffic pumping," where fraudsters manipulate service providers into sending high volumes of SMS messages to controlled numbers for revenue generation.
- Google Authenticator remains unaffected by this change.
- Google clarified that it is not eliminating *phone number-based* 2SV, only the *SMS mechanism* for verification.
- Passkeys are recommended by Google as the preferred alternative to SMS verification.
## Threat Actors
- Not explicitly attributed to specific named threat groups; the focus is on fraud schemes leveraging the SMS infrastructure.
- Fraudsters involved in "traffic pumping" schemes are implicated in causing financial impact related to SMS reliance.
## TTPs
- **SMS Phishing:** Exploiting user error in sharing time-sensitive verification codes received via text message.
- **Traffic Pumping/Toll Fraud:** Fraudulently stimulating the delivery of large volumes of SMS messages to specific numbers controlled by the perpetrator to generate revenue.
- **New Verification Method:** Utilizing QR codes scanned by the phone camera for authentication initiation, reducing reliance on easily intercepted text messages.
## Affected Systems
- Google Accounts (including Gmail and all related services relying on Google account sign-in).
- End-users currently relying on SMS for Two-Step Verification (2SV).
- Phone carrier infrastructure (as the security of SMS relies on them).
## Mitigations
- **Adoption of QR Code Verification:** Using the new QR code scanning method when prompted during sign-in/setup.
- **Preferential Use of Passkeys:** Google recommends adopting passkeys as the preferred method for account security over SMS.
- **Use of Google Authenticator:** Continued use of the dedicated authentication app is supported and unaffected.
- **Discontinuation of SMS Codes:** Users are strongly encouraged to move away from SMS codes due to security risks.
## Conclusion
The move demonstrates a strong stance against insecure authentication practices, specifically targeting the weaknesses of SMS (susceptibility to phishing and to toll fraud). Organizations and users relying on Google services should prioritize migrating from SMS 2SV to phishing-resistant methods like passkeys, or to dedicated authenticator apps, to secure accounts against rising threat vectors like traffic pumping.
# Morning News Roll-up
## Overview
The top stories focus on major cybersecurity shifts, including Google's move away from SMS verification, significant high-profile cyberattacks, and legislative/organizational changes in the technology and security sectors.
## Top Stories
### Google Phasing Out SMS Two-Step Verification
- Summary: Google is actively moving away from SMS-based codes for 2SV across its services, citing risks like phishing and the "traffic pumping" fraud scheme. It is implementing a QR code-based system and recommending passkeys as the superior alternative.
- Source: Here’s what Google is (and isn’t) planning with SMS account verification | CyberScoop
### Lazarus Group Theft and Crypto Security Concerns
- Summary: Crypto analysts have noted the capabilities of the Lazarus Group (attributed to North Korea) in a massive $1.46 billion theft involving the Bybit cryptocurrency exchange, highlighting sophisticated threat actor capabilities in the financial sector.
- Source: Crypto analysts stunned by Lazarus Group’s capabilities in $1.46B Bybit theft
### Developers Behind Alleged Generative AI Hacking-for-Hire Scheme Identified
- Summary: Microsoft has identified the developers responsible for an alleged hacking-for-hire scheme that leveraged generative AI services, indicating an increasing focus on the misuse of nascent technologies by threat actors.
- Source: Microsoft IDs developers behind alleged generative AI hacking-for-hire scheme