Is 2FA by SMS a bad idea?

Two-factor authentication is ubiquitous and it’s a really valuable tool to protect systems and data assets. But with increasing reliance on home working and remote access in the current pandemic, what mechanism should we choose?

It’s very common these days for SMS messages to be used for two-factor authentication – many cloud service providers use this mechanism, government departments have adopted it, and it is also quite common in the banking industry. When shopping online and paying by card, you’re likely to need to enter a One-Time Password (OTP) sent via SMS before your purchase can be completed.

Authentication via SMS is attractive to business. Pretty much everyone has a mobile phone so it’s easy to implement and you don’t need to worry about smartphone operating system compatibility or the management of physical tokens. It’s a very practical solution, and it’s clear that using 2FA via SMS provides much, much greater protection for your assets than implementing no multi-factor authentication at all – but should you rely on it to protect your most sensitive areas?

There are obvious ways in which SMS one-time passwords might be compromised if your mobile phone isn’t properly secured. Malware running on your device could be used to read text messages you receive, or messages containing passwords might be written to your SIM card, which could be removed from the phone and read. If you’re not careful with how you use your phone, your one-time SMS passwords might be legible to somebody close to you.

Let’s assume that you’re pretty careful with your mobile phone. You have a strong lock screen password, you keep it in your possession and nobody else knows how to unlock it. You stick to trusted apps and have malware protection installed. You’re careful when you read your one-time passwords that nobody is looking over your shoulder.

Even that may not be enough. There are two pretty big problems that might crop up with using SMS for two-factor authentication, which would be outside of your control: SIM swapping and SMS interception via SS7 (Signaling System 7) protocol weaknesses.

There are ways in which your SIM card could be cloned – via malware on your device or by physical access to it – which could result in your text messages being intercepted. Clone the SIM card, pop it into another phone, persuade the victim to restart their device, register the cloned SIM with the network provider and receive all of the victim’s calls and texts. Mission accomplished! But cloning a SIM is reasonably difficult, technically, and attackers aren’t necessarily bothering to try.

Instead, they can target call centre operatives within your mobile phone provider and persuade them to move your phone number over to a device that they control.

All mobile providers have a process for doing this – if your device is lost or stolen, for example, you would need them to port your number over to your replacement device. There are security procedures which providers run through, but the information an attacker needs might be as simple as your name, number and birthdate, depending on the controls your provider has in place. If an attacker is successful, the result is the same as cloning your SIM – your phone will stop working and they will receive all messages sent to your phone instead, including any one-time passwords.

There’s also a series of well-known flaws inherent in the SS7 telephony protocols used to send SMS messages. The protocols governing the telephone communication systems were designed and developed decades ago, when the threat landscape and technical capabilities of adversaries were completely different to today. They were designed for fixed-line telephones and efficiency was the priority rather than security. A big design assumption was that the protocols would only be used by trustworthy parties such as network operators – there was no authentication built in.

The SS7 protocol suite was originally designed to set up and terminate telephone calls, but over time additional capabilities were integrated, including SMS services. With access to SS7 in a victim’s telco network, an attacker only needs their victim’s phone number to intercept calls and text messages, re-route calls and track the victim’s movements.

It’s not trivial to gain access to the SS7 network – you need a way into the service provider networks to reach it – but where there’s reward, there’s a way, and this technique has been used in practice in real attacks. SS7 access is bought and sold on the dark web, making use of compromised telco network equipment and compromised telco administrators.

Using SMS for two-factor authentication has some real drawbacks – especially if you’re using this technique to protect very sensitive systems or large amounts of money. If you are choosing a second factor to use for authentication, be sure to consider its weaknesses carefully before adopting it.

One-time passwords generated by authenticator apps such as Google Authenticator or Microsoft Authenticator are not susceptible to the same types of out-of-band attacks as SMS authentication, because the code is computed on the device from a shared secret and the current time rather than delivered over the phone network, and these apps are highly compatible with most smartphones. For sensitive applications, these might be a better choice. It’s also worth bearing in mind that any mechanism which relies upon a mobile phone device – either with an SMS or an authenticator app – should be considered only as secure as the device itself. Making sure that your phone is as secure as it can be is crucial.

Contributed by Gemma Moore, director, Cyberis
