Passwords as a way of securing accounts have well-known problems. People have trouble devising ones that other people (or machines) can’t easily guess. Passwords like “password” and “12345678” are common, and criminals know that. When people create good passwords, they have trouble remembering them and keeping them safe.
Two-factor authentication (2FA) or multi-factor authentication (MFA) is a significant improvement. Breaking into an account requires acquiring two independent pieces of information. Many websites and services now recommend or require 2FA for their users.
By far the most common second factor is SMS messaging. It’s available on almost every cell phone. Most people already have all the hardware and software they need to receive a text message, and they always have it at hand. Unfortunately, it has some serious security issues. There have been many cases of account theft by intercepting text messages.
When using SMS for 2FA, the server first requires the user to log in with a password. After a successful login, it sends out a message with a one-time passcode over the cell network to the user’s registered phone number. It’s usually a string of six to eight digits, and it’s valid for just a few minutes. The user needs to copy the passcode from the phone to the website. Anyone using an account on the site needs to have the password and receive the text message.
Most sites, to avoid annoying the user too much, won’t require 2FA from a subsequent login if it’s from the same IP address or has a valid cookie. There may be an expiration period after which it will require another confirmation.
The protocols that support SMS date from the early nineties, about the same time the World Wide Web came into being. Today’s Internet security issues didn’t exist then. There was no thought of designing the system to prevent message hijacking. Things have become a little better since then, but security is still weak.
There’s no end-to-end encryption on the cell phone system, except by using specialized software at both ends. Communication between the phone and the base station is encrypted today, but from there it travels as plain text. It’s encrypted again only on the last leg of its trip, from a base station to the recipient’s phone.
SMS is a store-and-forward system. The recipient’s phone might not be online when a message goes out, so it has to be held in storage. The mobile switching center (MSC) makes repeated attempts until it can send the message. Text messages use the Internet for a large part of their journey. Like email, they can pass through multiple stations, and they aren’t encrypted along the way.
That brings us to the second problem: messages may be stored in lots of places. Any phone provider with a roaming agreement with the recipient’s provider can get the messages. Proxies may carry messages between the sending and receiving networks. If any system that has access to the messages is compromised, the attacker can gain access to large numbers of text messages.
Another risk, in practice the biggest one, is that one phone can impersonate another. A phone’s SIM card is its identity. Someone who gets a valid SIM card for a phone can impersonate its number, sending and receiving voice and text as if it were the genuine phone. This technique is called “SIM swapping.”
Identity thieves gather enough personal information so they can go to the cell provider and request a “replacement” SIM card or phone. Once they do that, they can intercept text messages and phone calls. They may be able to get a prospective victim’s password by similar tricks, such as phishing email and a fake website. If they have both, they can make purchases or withdraw funds as if they were the victim.
One thief used SIM swapping to steal a million dollars before being caught. In another case, $24 million in cryptocurrency disappeared from a California man’s wallet through similar techniques.
Even the chief technologist of the Federal Trade Commission was victimized this way. An information thief with a fake ID had bought “upgraded” phones for her number, and her own phone stopped working. She apparently didn’t suffer any permanent financial loss, but it took her days to get her phones working again and months to clear everything up.
In 2016, the National Institute for Standards and Technology (NIST) issued a recommendation against using SMS for two-factor authentication because of the security issues. It later softened its recommendation, perhaps under pressure from mobile carriers, but it still lists SIM swapping under “social engineering” attacks. It recommends that service providers “avoid use of authenticators that present a risk of social engineering of third parties such as customer service agents.”
Several alternatives to SMS authentication are available. None of them are quite as convenient, but they offer a better level of security when designed properly.
Services with restricted audiences, such as their own workforce, could be in a position to require a stronger form of 2FA or MFA than SMS messages. If they are, they should look for one or more suitable alternatives and require them.
A business that deals with the general public won’t be able to drop SMS authentication without increasing the number of people who don’t use any extra authentication at all. They need to offer SMS for the foreseeable future, but they should offer a stronger alternative, such as a secure application or biometric system, as well.
Above all, any provider shouldn’t use 2FA as an excuse to slack off on standard security practices. If people think they no longer need to be careful about their passwords, it could actually make things worse. Every security factor that protects a valuable account needs to be as strong as possible. Contact us to learn more about how our IT services will allow you to achieve the security your business needs.