Why text may not be the best choice for two-factor authentication

Insecure SMS Message

Many cyberattacks are carried out using stolen or weak credentials. Which is why the security industry is encouraging us to take more care of our logins by adding two-factor authentication (2FA). This means that after entering your password, you have to enter a verification code that’s sent to you via another device.

There are a number of choices for this; you can use an app such as Google Authenticator, or you can have an SMS text message sent to your phone. SMS is the most widely used form of 2FA because it’s easy, convenient and works for people who don’t have smartphones.

However, there are increasing worries about whether SMS is really a secure way of getting your 2FA codes. As far back as 2016, the National Institute of Standards and Technology (NIST) in the United States was warning that SMS may not be secure. [1]

SMS vulnerabilities

There are a number of techniques that cybercriminals can use to bypass 2FA if SMS is the method being used. Early attacks focussed on switching the user’s mobile number to a different provider. In some countries, notably Australia, this was relatively easy to do with minimal checks. A call to a service provider could get the number reassigned to a phone that the hacker controlled. It could take weeks for the legitimate owner to get the number back, by which time the attacker could have accesses bank accounts and transferred funds.

If someone has been lazy enough to use the same password for their mobile operator’s online portal as they have for other accounts, then in many cases all an attacker has to do is log in online to access stored text messages.

Malware is another means of getting hold of 2FA codes. Installed on the mobile phone, whether as part of a banking trojan or on its own, this allows the attacker to intercept 2FA codes or simply have them forwarded as they arrive.

Because people regularly lose or damage mobile phones, 2FA systems require a reset mechanism that allows people to recover their account. If an attacker has already compromised the user’s email, they may be able to simply bypass or reset the requirement for 2FA on banking or other systems.

Our old friend the social engineering attack can be a way around 2FA as well. The attacker calls, claiming to be from the user’s bank and says that as part of a fraud check they will be sent a code to verify their identity which they need to read back over the phone. The attacker then logs into the victim’s account with stolen credentials – thus generating a 2FA request – and the user reads the code back to the hacker, unwittingly compromising the account.

The latest technique involves a variation on man-in-the-middle attacks [2] initiated via phishing emails to create a fake session in order to intercept a user’s entry of their 2FA credentials.

Staying safe

Clearly, having 2FA on your account is better than simply relying on a password alone. But if you are using SMS as a means of receiving the code, then you need to recognise that there are risks. If you can, it’s better to use a more secure method such as an authentication app which is harder for attackers to circumvent.

Of course, you should use strong passwords too and have different ones for each account. Use a password manager if you have trouble remembering them all. If SMS-based 2FA is the only method available, then it’s better than nothing, but be aware that it’s not perfect.

[1] https://www.securityweek.com/nist-denounces-sms-2fa-what-are-alternatives
[2] https://vimeo.com/308709275