20.5k unique visitors in the last 3 days

Malaysian Cyber Command Warns Against SMS for Multi-Factor Authentication

The National Cyber Coordination and Command Centre highlighted the criminal use of mobile malware and SMS blasters.

Malaysia’s National Cyber Coordination and Command Centre (NC4) has released an advisory regarding the risks of using SMS to authenticate access to online services. It states plainly that:

Using SMS for authentication, especially in two-factor authentication (2FA), presents significant security risks. Cybercriminals can intercept or spoof SMS messages, gaining unauthorised access to sensitive information. The threat actors can manipulate SMS systems to deceive users, resulting in financial losses and compromised personal data.

The recommendation to switch away from SMS for multi-factor authentication is prompted by a surge in cybercriminal activities, including the infection of phones with malware and the use of SMS blasters. The advisory drew particular attention to the November 2024 arrest of gang members that sent bogus SMS messages using SMS blasters driven around greater Kuala Lumpur. NC4 urged organizations to transition to more robust methods of authenticating users, such as push notifications, authentication apps and FIDO2 security keys.

Four specific recommendations were made.

  1. Transition to Phishing-Resistant Authentication Methods: Organisations should adopt more secure authentication mechanisms, such as hardware security tokens like FIDO2 security keys, Authenticator Apps, push notification or biometric verification, which offer greater resistance to phishing attempts.
  2. Implement Alternative Verification Methods: Utilise services like MyDigital ID, which provide more secure and reliable authentication processes compared to traditional SMS-based methods.
  3. Educate Users: Conduct regular awareness programmes to inform users about the risks associated with SMS-based authentication and the importance of recognising phishing attempts.
  4. Monitor and Respond to Threats: Establish robust monitoring systems to detect and respond to suspicious activities promptly, thereby mitigating potential security breaches.

The full text of the advisory is here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email