Beware: two-factor authentication codes were exposed
A security researcher has uncovered an unsecured database that sat in the login path of some of the world's biggest tech companies. The database belongs to YX International, a Short Message Service (SMS) routing operator that delivers two-factor authentication (2FA) codes to users of Meta, Google, and possibly cryptocurrency services.
Researcher Anurag Sen found that YX International's database was exposed on the public Internet without a password. Anyone who knew its public Internet Protocol (IP) address could read the data.
Users affected by the two-factor authentication exposure
YX International sends security codes to users logging into platforms such as Meta, Google and TikTok. The company routes messages quickly over mobile networks around the world. Among the messages it carries are the security codes that many large companies use as the second factor protecting user accounts.
Some service providers, such as Google, send an SMS code to confirm the user's identity after the password has been entered. Other options include a code generated locally by an authenticator app, which completes the password as the second factor without an SMS ever being sent.
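The difference matters for this leak: an SMS code is generated by the service and handed to a carrier and its routing partners, so a misconfigured provider like the one described above sees every code, whereas an authenticator-app code is computed on the user's device from a secret that was shared once at enrollment. The block below is an added example written for this edit, not code from the article or from any company it names. It implements HOTP (RFC 4226) and TOTP (RFC 6238) plus a server-side verifier with skew tolerance, constant-time comparison and replay rejection, using the test secret published in those RFCs; the issuer and account names in the provisioning URI are made up.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP as used by authenticator apps (added example, not from the article)."""
import base64
import hashlib
import hmac
import struct

# RFC 4226/6238 test secret (ASCII "12345678901234567890"). Real deployments
# generate a random 20-byte secret, e.g. secrets.token_bytes(20), at enrollment.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI encoded into the enrollment QR code. This is the only time the secret
    leaves the server, and it goes straight to the user's device, never through an SMS carrier.
    Issuer and account names are placeholders chosen for this example."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check: accept the current step or `window` steps either side (clock skew),
    compare in constant time, and never accept the same step twice (replay)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_accepted_counter = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        base = unix_time // self.step
        matched = None
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            # Check every offset regardless of earlier matches so timing stays uniform.
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), candidate):
                matched = counter
        if matched is None or matched <= self.last_accepted_counter:
            return False  # wrong code, or a replay of an already-used step
        self.last_accepted_counter = matched
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: at Unix time 59 (T=1) the 8-digit SHA-1 TOTP is 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082
    print(provisioning_uri(RFC_TEST_SECRET, "ExampleWallet", "alice@example.com"))
    v = TotpVerifier(RFC_TEST_SECRET)
    print(v.verify(totp(RFC_TEST_SECRET, 59), 59))  # True
    print(v.verify(totp(RFC_TEST_SECRET, 59), 75))  # False: same step replayed
```

Note what is absent from this exchange: no third party is asked to deliver the code, so there is nothing for a leaky SMS routing database to record. The residual risks move elsewhere, to the secret stored server-side and to phishing pages that relay a live code within its 30-second window, which is why the verifier refuses to accept the same step twice.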
While two-factor authentication aims to improve security, it is not a silver bullet. The crypto exchange Coinbase, for instance, describes 2FA as a minimum security measure rather than a foolproof one: hackers can still find a way to steal funds from crypto wallets.
“While 2FA seeks to improve security, it is not foolproof. Hackers who have compromised authentication credentials can still gain unauthorized account access. Common ways to do this include phishing attacks, account recovery procedures, and malware. Hackers can intercept text messages used in 2FA,” Coinbase said.
Criminals are using these techniques to defeat 2FA.
Last year, there were reports of criminals bypassing 2FA on Apple devices. A hacker who gains access to a victim's iCloud account can replace the user's phone number with their own. The scheme also puts funds in crypto wallet apps on Apple devices at risk, since some apps send verification codes to whichever phone number is on file, including one the attacker has substituted.
Criminals can also use SIM swaps to build two-factor authentication crypto scams. In this line of attack, the criminal convinces a mobile operator such as AT&T or Verizon to transfer a phone number from its rightful owner to the fraudster. Once the number is ported, the criminal receives the victim's SMS codes and needs only one more piece of information to get into a self-custody wallet app tied to that phone number.
In response to advances in quantum computing, Apple recently strengthened the cryptography on iPhones with a post-quantum scheme that rotates keys regularly, so a key a malicious actor has compromised is replaced rather than reused indefinitely.
iPhones also ship with Secure Enclave hardware, and crypto wallet developers can improve the security of their customers' funds by storing critical key material inside it rather than in app storage. So far, at least one vendor uses the Secure Enclave to gate access to its wallet app.
BeInCrypto contacted the world's largest cryptocurrency exchanges, Binance and Coinbase, for comment on whether the YX International data leak affected their users. Neither company had responded by press time.