Seeking SMS Authentication Alternatives
Print Issue: January 2020
It’s becoming commonplace for many login processes. Users need a password and an additional authenticator to complete the login. That often comes in the form of a code sent via Short Message Service (SMS), commonly known as a text message, to a cell phone. The user then enters that code into the Web account he or she is trying to access and is logged in.
People started using this authentication method to prevent phishing attacks from being successful. In addition to a password, an attacker would need the code sent via SMS to gain access to the account that he or she was attempting to infiltrate.
This preventative measure has been successful in many cases. In May 2019, Google released new research on how adding a recovery phone number to accounts can prevent malicious actors from gaining access to those accounts.
“We found that an SMS code sent to a recovery phone number helped block 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks,” wrote researchers Kurt Thomas and Angelika Moscicki on the Google Security Blog. “On-device prompts, a more secure replacement for SMS, helped prevent 100 percent of automated bots, 99 percent of bulk phishing attacks, and 90 percent of targeted attacks.”
But on 17 September 2019, the FBI issued a Private Industry Notification (PIN) warning cybersecurity professionals that the Bureau had seen cyber actors circumventing multifactor authentication through social engineering and technical attacks.
The Bureau said that these actors used popular multifactor authentication techniques to obtain one-time passcodes and access protected accounts.
The alert stems from an incident that the Bureau became aware of in 2016, when a malicious actor targeted customers of a U.S. banking institution: the attacker ported the customers’ phone numbers to a phone he owned and operated, a technique called SIM swapping.
“The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap,” according to the FBI. “Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned.”
Because the bank perceived that the attacker was calling from a phone number that belonged to a customer, it did not ask full security questions but instead asked for a one-time code it texted to the phone number the attacker called from.
The attacker “requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application,” the Bureau said.
During the next two years, the FBI saw an increase in complaints about SIM swapping to circumvent two-factor authentication.
“Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed,” the Bureau explained. “Many of these attacks rely on social engineering customer service representatives for major phone companies, who give information to the attackers.”
In addition to the Bureau’s warning, cybersecurity firm Crowdstrike also highlighted the growing threat of interceptions of SMS used for two-factor authentication (2FA). In its inaugural 2019 Mobile Threat Report, the firm explained that this type of interception is the most prevalent.
“Online services have now begun to adopt other 2FA mechanisms due to insecurities in SMS, such as the ease with which inbound challenge messages can be spoofed and message interception attacks against the Signaling System 7 (SS7) telecommunications standard,” the report said.
A press agent for the FBI said the Bureau would not comment on the notification, but the PIN did include some mitigation strategies to prevent circumvention of multifactor authentication.
The Bureau recommended educating users and administrators to identify social engineering “trickery—how to recognize fake websites, not click on rogue links in e-mail, or block those links entirely.”
It also suggested using additional or more complex forms of multifactor authentication for users and administrators, including biometrics or behavioral authentication methods.
The attack method the Bureau highlighted, SIM swapping, is one of the reasons that the National Institute of Standards and Technology (NIST) sought to downgrade SMS as a two-factor authentication method. It later changed its stance and said SMS is acceptable for lower-level accounts but should not be relied upon to authenticate users to high-level accounts, such as corporate finances.
“Any use of SMS messaging is insecure—it’s not encrypted,” says Clay Miller, chief technology officer at mobile workspace solution provider SyncDog. “Devices are susceptible to theft. SIM cards can be spoofed. You can set up cloud servers that can send and receive bogus numbers.”
Because of these weaknesses, security experts have been recommending that users adopt other forms of multifactor authentication to log into accounts. For instance, they suggest using biometrics or security keys, like the ones sold by RSA or Google, which are not susceptible to SIM swapping or SMS attacks.
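The tiered stance described above (SMS tolerable for lower-level accounts, not for high-level ones, with security keys preferred because they are not exposed to SIM swapping or SMS interception) can be enforced programmatically at enrollment time. The following is an added example, not code from the article or from any organization it quotes; the tier names, method names, threat labels and the policy table are constructed for this illustration. The real-time phishing label reflects the reverse-proxy attack the article describes later and is used only to rank enrolled methods, not to block them.

```python
"""Second-factor policy check by account assurance tier.

Added example, not code from the article or any organisation it quotes.
Encodes the stance the article attributes to NIST: SMS is acceptable as a
second factor for lower-level accounts but not for high-level ones such as
corporate finance, and security keys are preferred because they are not
susceptible to SIM swapping or SMS attacks. Tier names, method names,
threat labels and the policy table are constructed for this illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    LOW = "low"    # e.g. a forum or newsletter login
    HIGH = "high"  # e.g. corporate finance, admin consoles


# Threat labels drawn from the article (constructed identifiers)
SIM_SWAP = "sim_swap"                 # number ported to an attacker-controlled phone
SS7_INTERCEPT = "ss7_intercept"       # message interception in the carrier network
REALTIME_PHISH = "realtime_phishing"  # Muraena-style reverse proxy relaying codes


@dataclass(frozen=True)
class Authenticator:
    name: str
    exposed_to: frozenset  # threats this method does not resist


METHODS = {
    # SMS depends on the phone number and on the carrier network.
    "sms": Authenticator("sms", frozenset({SIM_SWAP, SS7_INTERCEPT, REALTIME_PHISH})),
    # App-generated codes and on-device prompts do not depend on the phone
    # number, but a live relay can still forward a code or approval.
    "totp_app": Authenticator("totp_app", frozenset({REALTIME_PHISH})),
    "device_prompt": Authenticator("device_prompt", frozenset({REALTIME_PHISH})),
    # Hardware security keys: no listed exposure in this model.
    "security_key": Authenticator("security_key", frozenset()),
}

# Threats a tier must not be exposed to through its second factor (constructed policy).
TIER_DISALLOWED = {
    Tier.LOW: frozenset(),                            # any second factor beats none
    Tier.HIGH: frozenset({SIM_SWAP, SS7_INTERCEPT}),  # rules out SMS for high-level accounts
}


def allowed_methods(tier: Tier) -> list:
    """Methods whose exposures do not overlap the tier's disallowed set."""
    blocked = TIER_DISALLOWED[tier]
    return [name for name, m in METHODS.items() if not (m.exposed_to & blocked)]


def check_enrollment(tier: Tier, enrolled: list) -> tuple:
    """Return (ok, findings) for a user's enrolled second factors.

    ok is True when at least one enrolled method is acceptable for the tier.
    findings lists every enrolled method the tier rejects, with the reason,
    so an admin console can prompt the user to enroll something stronger.
    """
    ok = False
    findings = []
    blocked = TIER_DISALLOWED[tier]
    for name in enrolled:
        method = METHODS.get(name)
        if method is None:
            findings.append(f"{name}: unknown method")
            continue
        overlap = method.exposed_to & blocked
        if overlap:
            findings.append(f"{name}: exposed to {', '.join(sorted(overlap))}")
        else:
            ok = True
    return ok, findings


def strongest(enrolled: list) -> Optional[str]:
    """Pick the enrolled method with the fewest known exposures.

    Ties keep enrollment order, so the first of equally strong methods wins.
    Used to decide which factor to challenge with when several are enrolled.
    """
    known = [n for n in enrolled if n in METHODS]
    if not known:
        return None
    return min(known, key=lambda n: len(METHODS[n].exposed_to))


if __name__ == "__main__":
    # Constructed sample: a finance user who enrolled only SMS and a TOTP app.
    ok, findings = check_enrollment(Tier.HIGH, ["sms", "totp_app"])
    print("acceptable:", ok)
    for line in findings:
        print("  finding:", line)
    print("challenge with:", strongest(["sms", "totp_app"]))
```

The policy table is the only part an organization would tune: adding a third tier that also disallows the real-time phishing label would leave security keys as the sole acceptable method, which is the direction the article's experts point to for executives and regulated institutions.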
Miller says that he can see a trend towards requiring executives and others to use these kinds of multifactor authentication to access corporate accounts, “especially when we’re talking about regulated financial institutions and healthcare providers.”
He adds that there might be more of a push for this in the future due to increasing regulator scrutiny under the European Union’s General Data Protection Regulation (GDPR).
“We might in some cases have a more organizational push where people who use sensitive information must have policies in place on how they can access their account,” Miller adds.
This may be especially critical as criminals become more capable of compromising multifactor authentication through new attack methods.
For instance, in May 2019, the Muraena Team, made up of security consultants Antisnatchor (Michele Orrù) and Giuseppe Trotta, released Muraena and NecroBrowser—tools that automate credential phishing.
“This is achieved by Muraena acting as a transparent reverse proxy solution which captures credentials and session cookies,” according to a blog post by Digital Shadows’ Photon Research Team. When users attempt to close these authentic sessions, Muraena is able to keep them open—without the users’ knowledge—and use the information it gathered to impersonate them, allow the extraction of additional data, and perform other actions on the attacker’s behalf.
Despite the existence of these exploits, experts say users should continue to adopt multifactor authentication—including SMS—to prevent malicious actors from gaining access to their accounts. Doing this is better than doing nothing, says Tonia Dudley, CISSP, security solutions advisor for cybersecurity firm Cofense and board member of the National Cybersecurity Alliance—especially for email, bank, and social media accounts.
“There’s a website called twofactorauth.org, and it lists websites and instructions to enable two-factor authentication,” she says. “Every website or app might have a different one—some will let you use a text or a Verisign account; sometimes they give you only one option. Enabling it is just a good idea.”