Malaysia’s National Cyber Coordination and Command Centre (NC4) has released an advisory regarding the risks of using SMS to authenticate access to online services. It states plainly that:
Using SMS for authentication, especially in two-factor authentication (2FA), presents significant security risks. Cybercriminals can intercept or spoof SMS messages, gaining unauthorised access to sensitive information. The threat actors can manipulate SMS systems to deceive users, resulting in financial losses and compromised personal data.
The recommendation to switch away from SMS for multi-factor authentication is prompted by a surge in cybercriminal activities, including the infection of phones with malware and the use of SMS blasters. The advisory drew particular attention to the November 2024 arrest of gang members that sent bogus SMS messages using SMS blasters driven around greater Kuala Lumpur. NC4 urged organizations to transition to more robust methods of authenticating users, such as push notifications, authentication apps and FIDO2 security keys.
Four specific recommendations were made.
- Transition to Phishing-Resistant Authentication Methods: Organisations should adopt more secure authentication mechanisms, such as hardware security tokens like FIDO2 security keys, Authenticator Apps, push notification or biometric verification, which offer greater resistance to phishing attempts.
- Implement Alternative Verification Methods: Utilise services like MyDigital ID, which provide more secure and reliable authentication processes compared to traditional SMS-based methods.
- Educate Users: Conduct regular awareness programmes to inform users about the risks associated with SMS-based authentication and the importance of recognising phishing attempts.
- Monitor and Respond to Threats: Establish robust monitoring systems to detect and respond to suspicious activities promptly, thereby mitigating potential security breaches.
The full text of the advisory is here.



