In 2H 2021, 74.4% of Twitter accounts had SMS-based two-factor authentication enabled. But is SMS security as effective as it is popular? Is it really a hassle-free solution for security-conscious organizations in a world of bad passwords? Let’s find out!
According to the ForgeRock 2022 Breach Report, 2021 ended with two billion records containing credentials being reported as compromised. That’s 35% more than the number reported in 2020. As credential compromises continue to grow, companies’ reliance on SMS security has also been thrown into question.
Since the internet was created, protecting sensitive data has always been a challenge. With the evolution of technology, many organizations started combining the internet and telephony to add a second layer of security to their application authentication mechanisms. How? By tapping into the speed and convenience of the short messaging service (SMS).
That sounds fantastic, doesn’t it? But is SMS secure enough for this and other similar purposes? Should businesses blindly rely on SMS text messages for authentication? Are there any risks involved in using SMS texts?
Let’s find out in the first article of this two-part series on SMS security. We’ll answer all these questions and dig deeper into one of the most popular and, somewhat controversial, authentication factors.
What Is an SMS Security Code and How Is It Used in Cybersecurity?
“Your verification code is 123456” or “PayPal: Your security code is 123456.”
These are two typical examples of SMS security codes you may receive via SMS text message on your phone. In fact, I’m sure that everyone who doesn’t live in a grotto and owns a mobile device has seen these kinds of text messages at least once.
The code included in the message is an automatically generated one-time password (OTP). It’s sent via SMS to the user’s associated phone number and is valid for a single login session or transaction. What are these SMS security codes used for in cybersecurity?
- “Secure” SMS Authentication. It’s used in two-factor or multi-factor authentication (more on this later in this article) to validate a user’s identity before granting access to an application. How does it work? After the user has entered their username and password, they receive a “secure” SMS text message with a four- or six-digit code. All they have to do is type the security code on the login page, et voilà: access to the application is granted.
- “Secure” SMS Password Reset. Did you know that 21% of consumers surveyed by Bitwarden reset their password once a day or several times a week? Wow! And I thought I was bad! I bet many of them are using “secure” SMS as a password recovery method. Why? It’s super fast; you just have to enter your email address on the account recovery page. Then, just like with secure SMS authentication, a text message with a one-time verification code is sent to the linked telephone number. Once you enter the code on the page, you can create a new password. Easy and painless, right?
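To make the one-time-code flow just described concrete, here is an added example (not code from the original article or any vendor) of the server-side half: issuing a six-digit code, keeping only a salted hash of it, and accepting it once within a time limit. The phone number, five-minute lifetime and five-guess limit are assumed values chosen for the example; handing the code to an SMS gateway is left out.

```python
import hashlib
import hmac
import secrets
import time

# Policy values assumed for this example, not taken from any specific vendor.
CODE_TTL_SECONDS = 300   # the texted code stays valid for five minutes
MAX_ATTEMPTS = 5         # a code is discarded after five wrong guesses


class SmsOtpIssuer:
    """Server-side half of the SMS one-time-code flow.

    The code itself is the only secret the SMS channel carries: whoever can
    read the text message holds the factor. The server therefore keeps only
    a salted hash, limits the lifetime and the number of guesses, and
    accepts each code exactly once.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # phone -> [salt, digest, expiry, attempts]

    def issue(self, phone: str) -> str:
        # CSPRNG six-digit code; zero-padded so "004213" is as likely as any.
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[phone] = [salt, digest, self._clock() + CODE_TTL_SECONDS, 0]
        return code   # the caller hands this string to the SMS gateway

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False                 # nothing outstanding for this number
        salt, digest, expiry, attempts = entry
        if self._clock() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[phone]     # expired or brute-forced: discard it
            return False
        entry[3] += 1                    # count this guess before comparing
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[phone]     # single use: a replayed code fails
            return True
        return False
```

Note that none of these server-side controls help once the text itself is read by someone else, which is exactly the weakness the rest of the article examines.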
All this sounds really great, right? So-called secure SMS is fast, easy to use, and accessible to anyone with a mobile device (i.e., 67% of the global population). But is it really secure? I don’t know about you, but to me, it sounds all too good to be true. Let’s start digging deeper and look beyond the facade. Because, as Prince sang in “Gold,” “All that glitters ain’t gold.”
5 Reasons Why “Secure” SMS Can Put Your Organization at Risk
Let’s do a little exercise. Grab your phone and check the latest text messages you received. How would you feel if they were shared with the whole world? I asked the same question to myself and quickly realized that I wouldn’t have been happy at all. Not because I have something to hide, but because I noticed that the majority of text messages were secure SMS related to some sort of authentication or transaction.
Now, this needs some serious thinking. What if a malicious actor could intercept or read those secure SMS messages? It would be a disaster. They could get access to many important things in your life: bank accounts, email accounts, sensitive applications — literally anything you use SMS security messages to authenticate for access. But could this scenario happen if you always keep your mobile device on your person? Yes, it could, and doing so is easier than you may think for several key reasons:
1. SMS Aren’t Encrypted (and, Therefore, Can Be Intercepted)
When a user enters their username and password on a website or application, the information is usually sent over HTTPS on port 443. With this protocol, the transmitted data is encrypted using SSL/TLS (secure sockets layer/transport layer security). (This requires an SSL/TLS certificate to be installed on the website’s server.)
What does it mean? Before being sent to the server, the username and password are encrypted into gibberish alphanumeric strings that only the authorized parties can decrypt.
Is it the same for text messages? Not really. SMS messages are sent in clear text. This means that virtually anyone along the path can read all of them, including authentication and password reset codes: your mobile provider, the government, and, of course, cybercriminals. Unlike SSL/TLS, SMS relies on an old signaling protocol, Signaling System 7 (SS7), that has been exploited for years. For example, in 2019, attackers transferred money to their bank accounts by rerouting intercepted SMS authorization codes to their mobile devices. And this is just one example; the dark web is full of cheap SS7 exploit kits that are ready to help attackers snoop on verification codes.
2. SMS Can Be Phished and Spoofed
One day, I received an SMS stating more or less the following: “Your package is waiting for delivery. Please review and update your shipping information in the link below.” As I wasn’t waiting for a parcel, I got suspicious. And rightly so.
As paranoid as I am (well, I’m a cybersecurity expert), I have only a basic phone (i.e., a “dumb” phone) that doesn’t have internet access. Therefore, I couldn’t click on the dodgy link contained in the message even if I wanted to. Out of curiosity, though, I opened my browser on the Linux laptop I use for security testing and typed the link. (By the way, don’t do this on a Windows machine or on a device you’re using for work or personal activities. Suspicious links often contain malware that could infect your device.)
Going back to my case, of course, the link took me to a bad copy of a well-known delivery company’s website. The page was inviting me to fill in my whole address, including my phone number and other sensitive data. On top of that, it also requested me to pay a small fee for some baffling customs duties by entering my credit card details. Obviously, I ignored the whole thing and deleted the phishy SMS.
There we go! This is a typical example of how attackers can simply send you a text message disguised as a trusted organization and trick you into following dodgy links and sharing sensitive information. Therefore, next time, think before you click!
3. Subscriber Identity Module (SIM) Cards Are Vulnerable to SIM Swapping Attacks
If you lose your phone or want to switch providers, it’s great that you can keep the same old phone number and get everything sorted with a single phone call. But what if a scammer contacts your carrier posing as you (i.e., carries out a social engineering attack)? They could tell the customer representative they lost their phone to get the rep to issue a new SIM card and deactivate your legitimate one. Yup, this happens more often than you think. That’s why the Federal Communications Commission (FCC) and the Better Business Bureau (BBB) published warnings and tips for citizens.
If the scam is successful, all SMS and calls are rerouted to the new SIM (owned by the cybercriminal). They will then be able to trigger and use secure SMS authentication and password resets to access your bank accounts, emails, and applications. Everything. This type of situation happened to Jared Goetz, a victim of SIM card swapping. Goetz’s credit card was fraudulently charged $39,000, his SIM was deactivated, and his email address was hacked. Luckily for him, he managed to put an end to the whole scam by talking to the hacker in an incredible phone call.
4. SIM Cards Can Be Hacked
Yup. You read it right. Those tiny chips called SIM cards can be hacked, just like a device or a piece of software. How?
- Spoofing cell phone tower signals. In July 2010, a researcher managed to build a phony low-cost tower antenna for only $1,500. The homemade device enabled him to intercept secure SMS and calls by emitting a signal stronger than the legit GSM towers that were available in the area. All this with just a laptop, some open-source software, and a device. Can you imagine what professional hackers can do now, 12 years later?
- Exploiting vulnerabilities like SIMJacker. Discovered in 2019 by Adaptive Mobile Security’s researchers, SIMJacker allows the attacker to send SMS messages containing SIM application toolkit (STK) commands that behave like spyware to the designated victims. The attack exploits the S@T Browser, a basic browser installed on many SIM cards. Once the target opens the SMS text, the cybercriminal can use the commands to track the victim’s secure SMS messages, calls, and physical location. Do you want to know more about this vulnerability? Don’t forget to check out the plethora of interesting information and videos published on Adaptive Mobile Security’s SIMJacker website.
5. Devices Can Be Stolen or Lost
In 2021, 45% of surveyed organizations suffered some downtime or data loss due to a mobile device becoming compromised in some way. For 73% of them, the incident severely impacted their business. According to Asurion, in the same year, 8.7 million phones were lost or stolen.
This happened to me once as well. One evening, I was sitting in a bar with friends and I mindlessly left my mobile phone in my bag, which was hanging on my chair. I left it unattended for less than five minutes to greet one of my friends and, in a snap of a finger, the phone was gone. And what makes this matter worse is that it was my work phone and I was on call that night. Dang! I ended up spending the rest of the evening at the nearest police station to report the theft.
On the bright side, at least it wasn’t a smartphone. Imagine what the thief could have done if the device was logged into banking apps, my company’s intranet, and applications…
So, to go back to our very first question: “Is SMS really secure?” The answer is no. It’s so insecure that even the National Institute of Standards and Technology (NIST), in an initial draft of its Special Publication 800-63-3, discouraged the use of SMS as an out-of-band second authentication factor for federal agencies. (They later removed the recommendation.)
As Brian Krebs, a computer security expert, said in one of his articles, “Phone numbers were never designed to be identity documents, but that’s effectively what they’ve become. It’s time we stopped letting everyone treat them that way.”
Want to follow Brian’s advice and give it a try? How? This is what we’re going to discover next.
What Can I Use Instead of Secure SMS Codes?
Let’s start by saying that having an SMS security solution for your authentication mechanism is better than only relying on usernames and passwords. However, if you as an organization want to really keep your users and sensitive data secure, you should go beyond “secure” SMS authentication and consider switching to:
- Push authentication. When a user enters their username and password and uses an authentication app like Okta Verify or Google Authenticator, the user will receive a push notification on their mobile device prompting them to approve or decline the login request. Attackers won’t be able to intercept the notification as it doesn’t rely on a messaging service. This is an easy, fast, and secure way to authenticate.
- Fast Identity Online Universal Second Factor (FIDO U2F) protocol. Created by the FIDO Alliance, this protocol uses cryptography as an authentication factor. It has already been implemented by several organizations like GitHub, Facebook, Stripe, and Dropbox.
- Public key infrastructure (PKI) based authentication. Many organizations are also going passwordless by issuing PKI digital certificates to employees, a method that NIST recommends for federal agencies. This tried-and-true method is handy, more secure than traditional SMS-based authentication, and eliminates the need to remember or type in complex passwords. You just need your PKI certificate installed on your device or a smart card (or similar token) and a PIN (when using the token).
See? There is life after insecure SMS! Intrigued by the solutions we just mentioned? Don’t miss our next article for a deep dive into the latest authentication apps and PKI-based authentication solutions.
Final Thoughts on SMS Security
At the end of the day, SMS wasn’t developed with cybersecurity in mind. Yes, including secure SMS in your two-factor authentication mechanism is better than using only the traditional username and password. Nevertheless, SMS authentication isn’t a good option if your goal is to keep customers’ data secure and protect your organization from data breaches.
SMS phishing, SMS message interceptions, SIM hacking, and lost devices — there are enough good reasons and flaws to make you consider an alternative or, at least, be extra careful when using it.
Thinking of ditching SMS for a more secure authentication factor? Stay tuned. In our next article, we’ll explore in depth the best alternatives to SMS-based two-factor authentication. Don’t miss it!