SMS is still multi-factor authentication's dangerous default

It's about time that developers raise the minimum standard for MFA. SMS is a dangerous default that must be left in the past.

By Rob Sturgeon , written on September 21, 2020

From The Security Desk

Long ago the only text messages we could send between phones were called Short Message Service (SMS). These messages were encrypted by your phone before being sent to the nearest cell tower. 

Unlike end-to-end encryption, in which the data is encrypted on the sender's system or device and only the recipient can decrypt it, this is encryption 'in transit,' which means that it is decrypted when it arrives at your network's servers. 

You may have heard of Stingray, which is merely a brand name for a device called an IMSI-catcher which can imitate a cell tower. Anyone with one of these can snoop on all SMS messages within 1 km (0.62 miles).

IMSI-catchers are only sold to law enforcement, and the features are pretty troubling. A device sold by The Detective Store can intercept 2G, 3G, and 4G networks, as well as the stronger types of in-transit encryption. To buy this from a store, you must prove that you work for 'authorised state institutions'. Of course, there are always ways to get around this. Someone created an IMSI-catcher with only $20 of equipment and Python code from a GitHub project. Although that device was only able to snoop on the names of phones and their networks, a  determined hacker could easily make one with more features than that.

But as we all know, most cybersecurity threats do not come from people within a mile of our devices.

SIM swapping is another technique used by fraudsters. It can be done from anywhere your network operates, and it involves using personal details that have been obtained elsewhere to convince your network that they are you and you want to transfer your phone number to a new device. This gives hackers access to all of your SMS messages. Hacking is even easier if you can do it from another country entirely, as you can avoid prosecution or extradition for your crimes. 

After your phone encrypts and sends SMS to the nearest cell tower, they are decrypted and stored by your network's SMS Centre (SMSC) until being encrypted to send from the nearest cell tower to your recipient. But SMSC servers can be compromised. 

APT41 is a group of Chinese state-sponsored hackers that were first exposed by cybersecurity firm FireEye in August last year. In November 2019 FireEye released a report detailing APT41’s latest malware tool, which was designed to compromise SMSC servers to look for specific individuals that were of interest to Chinese authorities

“If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor,” FireEye researchers explained. The US government has recently charged five members of the group for this, as well as other hacking attempts for personal financial gain.

When you enable multi-factor authentication (MFA) for an online account, you are usually sent a 6 digit code by SMS to enter along with your password. MFA is sometimes called two-factor authentication (2FA), but MFA is now more commonly used because you can use more than two.

It’s easy to see how using SMS to send a One-Time Password (OTP) makes your online accounts more vulnerable to IMSI-catchers, network hacking, and SIM swapping.


Using authenticator apps

My first authenticator app was Authy. This was a better option than Google Authenticator because it offered the ability to backup your OTPs in the cloud. A quick look at Google Authenticator on the App Store reveals that there are no cloud backups and the app has not been updated since iPhone X support was added in September 2018. Any service that works with Google Authenticator works with better apps in the category. Like many competitors to Google in this category, such as Microsoft Authenticator and LastPass Authenticator, Authy is still in active development. 

Both of these apps also allow the ability to approve login requests using push notifications, which is considered to be more secure than OTPs. Microsoft Authenticator allows passwordless login to your Microsoft account too, so approving on your phone is the only step required.

Most websites with MFA require a phone number first, even if they allow you to use an authenticator app in the next step. Have you ever chosen the option that says 'I don't have access to my app' or something similar? One of the options you will be given is 'send me an SMS code'. This means that no matter how secure the MFA option you choose is, the risk of IMSI-catchers and compromised SMSC servers remains. 

Facebook, Twitter, GitHub, LastPass, Amazon, Google, and PayPal all offer you the ability to send an SMS instead. You have the SMS fallback option so that you aren't completely locked out of your accounts forever if you can’t access your app. But this means you have the same level of SIM swapping risk while thinking you’re using a more secure method. There is less risk from IMSI-catchers since an SMS code is not being sent every time you log in, but a nearby hacker can still trigger an SMS by choosing the 'send me an SMS code' option. 

No matter which authenticator app you use, it’s important to make sure that cloud backups are enabled in the settings. It may seem safer for this data to remain local on your device, but this can cause serious problems if you lose access to your it. To add an account you scan a QR code which gives your phone a specific seed for generating the OTPs in the future. This seed has the same effect in every authenticator app, which means that you can scan the QR code with multiple apps. 

To verify that the app has saved the seed, the website will ask you to provide an OTP. If you're adding several apps to your account, only provide this OTP when you have added the seed to all of your apps. Most websites only allow you to set one authenticator app, except for Amazon. If you lose your primary device but use multiple apps with cloud backups, each app is a more secure fallback than SMS.


Backup codes and hardware security keys

Most websites allow you to export a list of backup codes, which are OTPs that are only really for use in emergencies when you cannot access your app. The general recommendation for this is to print the list and store it somewhere safe. Don't store codes on your computer or leave printed codes lying around.

You can also use hardware security keys such as Google Titan or Yubico's YubiKey. These devices look like small USB sticks, and they use the FIDO2 authentication protocol to verify that the person logging in is who they say they are. Since the keys are in the users' possession they cannot be stolen remotely by a hacker. 

Research by Google has found that using an on-device prompt makes it almost impossible to fall victim to a generic phishing attack. A phishing attack that is tailored to you specifically, rather than sent to a large number of victims, has a 10% chance of being successful, which is significantly better than the 26% chance of success with SMS. But with hardware security keys, the chance of a successful phishing attack is reduced to zero.

For services that do not give the option of using the FIDO2 authentication protocol, the YubiKey Authenticator app can also display OTPs, which are stored on the key itself. It's a good idea to have at least two identical keys in different locations so that you will still be able to use a spare key if you lose your primary key. Since it can connect it to any device, this key is almost as good as having a cloud backup.

Bluetooth still has security issues, such as the Bluetooth Titan token security flaw in May 2019 that allowed an attacker within 30 feet to log into your accounts, provided they also had your username or password. But this vulnerability has since been fixed. 

Similarly, Near Field Communication (NFC) is the technology used in contactless payment services like Apple Pay and Google Pay. This is enabled by a chip in the back of the phone that can only send data to devices that are within an inch or two. Yubico provides hardware keys that connect via USB, NFC, or even the Lightning port of an iOS device. None of these devices have ever been compromised.


SMS is a dangerous default

In August 2019, Twitter CEO Jack Dorsey was a victim of SIM swapping. This shows that we’re all at risk.

In a world where users continue to reuse the same terrible passwords across multiple services, MFA is the only line of defence. We can’t allow our last hope to be messages that aren’t even encrypted end-to-end. 

Developers have a responsibility to provide a better default MFA option, or at least to explain the risks of SMS more explicitly to their users. If you have at least two other MFA options, see which of your online accounts allow you to disable SMS as a fallback. There are a surprising number of services that allow you to do this. See what options you’re given if you say you can’t access your authenticator next time you’re logging in.

It's about time that developers raise the minimum standard for MFA. SMS is a dangerous default that must be left in the past.


For more from Pando, sign up to our weekly newsletter.