If you follow tech news or the New York Times, you may have seen a story this month about Twitter CEO Jack Dorsey having his Twitter account hijacked through an increasingly common tactic: SIM porting. It is a tactic that leaves no mobile SIM 100% safe, and therefore no SMS two-factor authentication solution totally safe.
In the story, The New York Times highlights how SIM porting, also referred to as SIM swapping, has been around for years and is one of the most concerning account-takeover methods. SMS 2FA (two-factor authentication), a process that uses a text message as the second factor of authentication, is being adopted by organisations in the belief that it makes account access more secure, when in fact it exposes their customers to exactly these SIM attacks.
SMS Two-Factor Authentication
While a variety of two-factor authentication (2FA) solutions are available, one of the most prominent is SMS 2FA, and chances are that one or more of the platforms or service providers you use today rely on it.
SMS-based 2FA is easy to recognise. Platforms like Facebook, Google and many others will, at some point, have suggested that you add this layer of security: in addition to your password, which on its own is known to be weak, they send you an SMS containing a one-time code, which you then enter in order to gain access to your account.
The idea behind SMS 2FA is that even if someone has your username and password, they won't be able to sign into your account without access to your text messages. That sounds great until you realise that access to your text messages can be easier to obtain than your password. Worse, many password reset processes also confirm your identity with an SMS code, so whoever receives your texts may not need your password at all.
While SMS 2FA means a password alone is no longer enough, it opens another avenue for attackers, one that requires even less skill than cracking passwords: the SIM port, or SIM swap.
How Does the SIM Port Work?
Exploiting human error at telco providers' customer service desks, attackers use charm, pressure or bribes to persuade an operator to move a target's phone number from the SIM in the target's phone to a SIM in the attacker's possession or under their control.
In some cases operators are swayed because they believe the attacker is the genuine customer who has lost their phone; in others the attackers resort to other 'persuasion techniques'. Astonishingly, both approaches meet with great success.
Once the swap has gone through, SMS 2FA is no longer secure.
Attackers, now in control of the target's phone number, can request SMS login or reset codes from platforms like Facebook, Twitter and Google, from financial institutions, online storage and cloud services. The code is delivered to the swapped SIM in a device the attacker holds, and the account is taken over without raising any alarm at the service operator, which sees only what looks like a legitimate user authenticating. The attacker can then drain funds and exfiltrate information unchallenged.
"I've been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I've seen," said Allison Nixon, the director of research at the security firm Flashpoint. "It requires no skill, and there is literally nothing the average person can do to stop it." Source: Nathaniel Popper, The New York Times, 5 September 2019.
So why is SMS 2FA so popular?
Strong Customer Authentication
Strong Customer Authentication (SCA), a requirement of the EU's second Payment Services Directive (PSD2), applied from 14 September 2019 and requires UK and European payment providers to use multi-factor authentication to increase the security of electronic payments.
This saw a steep increase in financial organisations and online services introducing SMS 2FA under the banner of "Strong Customer Authentication". You have probably already seen emails from credit card companies or banks outlining their new authorisation processes. Perhaps you have even seen some companies, like a leading UK retailer, sending out less than clear communications, suggesting that they themselves are not quite sure what SMS 2FA actually does, which services it covers and how and when to use it. Too little. Too late. Too rushed?
While it is inherently positive that Strong Customer Authentication has come into force, it is happening at a time when 2FA is migrating away from SMS and toward other solutions, such as mobile apps and PINgrid, that provide two-factor authentication without the inherent SMS risk. SMS 2FA has been discouraged by the US National Institute of Standards and Technology (NIST) for years.
In its Digital Identity Guidelines (SP 800-63B, issued in draft in 2016 and finalised in 2017), NIST cautioned: "Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators."
Meaning that this mass adoption of SMS 2FA has most organisations starting from a place that is already years behind the standards expected of modern security.
So far, in this article, we’ve highlighted that passwords are problematic and prone to breach, and so too are the SMS 2FA solutions that were designed to fix them. So, what is secure?
When planning future MFA technology choices, businesses should choose something that is not tied to a phone number. Instant messaging services such as WhatsApp provide end-to-end encryption and are assumed to be more secure, yet they still fall to a SIM port attack, because an SMS to the phone number is used to register the app on a device.
The appeal of an SMS-style solution is that it is a central push technique requiring no configuration or software on the user's device. This convenience is the root of the problem: there is no established trust in the device on which the code is received, only in a phone number that the operator can reassign.
A secure solution needs to know exactly which device a centrally generated code is being delivered to, which requires some configuration or an app on the user's device. Once that is accepted as a prerequisite, the app might as well generate the code itself from a secret provisioned at enrolment, with no need for a network connection at authentication time. This is the basis of the OATH (Initiative for Open Authentication) HOTP and TOTP specifications: the code is computed on a known, enrolled device, so nothing travels over the phone network for an attacker to redirect or intercept.
Another approach that can still use SMS is to send the user a challenge rather than the one-time code itself. If an attacker intercepts a one-time code, they can use it; if they intercept a challenge that only the genuine recipient knows how to answer, the attacker is none the wiser.
Solutions like 2FA with PINgrid, which operates on desktop, tablet and mobile devices, use a pattern as the "something you know" factor. A challenge grid can be sent to the user over SMS or email, but without knowledge of the pattern the challenge alone is of no use. The user simply views the PINgrid challenge, recalls their pattern and enters the one-time code it yields; no PIN or password is required.
A significant distinction between PINgrid and many other OATH solutions is that if a one-time code is somehow captured it cannot be reverse engineered to separate the "something you know" from the "something you have", so both factors remain protected.
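To illustrate the challenge-rather-than-code principle described in the two paragraphs above, here is an added example of a generic pattern-over-grid exchange. It is my own toy construction, not PINgrid's implementation or any description of how that product works; `ChallengeServer`, `derive_code` and `patterns_consistent_with` are hypothetical names. The server sends a fresh random grid of digits, the user reads off the digits at the cells of a memorised pattern, and the server checks the answer against the one grid it issued and then discards that grid. `patterns_consistent_with` shows why an observed code does not simply give up the pattern: many patterns produce the same digits from a given grid.

```python
"""Added example: a generic pattern-over-grid challenge/response exchange.

An illustration of "send a challenge, not a code". Not PINgrid's implementation.
The server sends a fresh random 5x5 grid of digits; the user reads off the digits
at the cells of a memorised pattern and types them back. An eavesdropper who sees
only the grid learns nothing about the pattern, and the response is useless
against any other grid because the grid is single-use.
"""
import secrets
from typing import Callable, Dict, List, Sequence

GRID_CELLS = 25  # 5x5 grid, cells indexed 0..24 left-to-right, top-to-bottom


def new_challenge(rand_below: Callable[[int], int] = secrets.randbelow) -> List[int]:
    """One digit per cell from a CSPRNG (a fixed source can be injected for tests)."""
    return [rand_below(10) for _ in range(GRID_CELLS)]


def render_grid(grid: Sequence[int]) -> str:
    """Lay the grid out as five rows of five digits, as it would appear in an SMS."""
    return "\n".join("".join(str(d) for d in grid[r:r + 5]) for r in range(0, GRID_CELLS, 5))


def derive_code(grid: Sequence[int], pattern: Sequence[int]) -> str:
    """What the user does in their head: read the digits at the pattern's cells, in order."""
    return "".join(str(grid[cell]) for cell in pattern)


def patterns_consistent_with(grid: Sequence[int], code: str) -> int:
    """Number of ordered patterns (cells may repeat) that would produce `code` from
    this grid: the product, per response digit, of how many cells hold that digit.
    Even an eavesdropper holding both grid and code is left with all of these."""
    count = 1
    for digit in code:
        count *= sum(1 for d in grid if d == int(digit))
    return count


class ChallengeServer:
    """Hypothetical server: stores each user's pattern and one outstanding grid per user."""

    def __init__(self) -> None:
        self._patterns: Dict[str, List[int]] = {}
        self._outstanding: Dict[str, List[int]] = {}

    def enrol(self, user: str, pattern: Sequence[int]) -> None:
        if not 4 <= len(pattern) <= 8 or any(not 0 <= c < GRID_CELLS for c in pattern):
            raise ValueError("pattern must be 4-8 cell indices within the grid")
        self._patterns[user] = list(pattern)

    def issue(self, user: str, rand_below: Callable[[int], int] = secrets.randbelow) -> List[int]:
        """Generate and remember a fresh grid; issuing again replaces the old one."""
        grid = new_challenge(rand_below)
        self._outstanding[user] = grid
        return grid

    def verify(self, user: str, response: str) -> bool:
        """Single-use: the outstanding grid is consumed whether or not the response
        matches, so a guess or a replayed response cannot be retried against it."""
        grid = self._outstanding.pop(user, None)
        if grid is None or user not in self._patterns:
            return False
        expected = derive_code(grid, self._patterns[user])
        return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    server = ChallengeServer()
    pattern = [0, 6, 12, 24]  # constructed sample pattern: a diagonal-ish shape
    server.enrol("alice", pattern)
    grid = server.issue("alice")
    print(render_grid(grid))
    answer = derive_code(grid, pattern)
    print("user answers:", answer, "-> accepted:", server.verify("alice", answer))
    print("patterns that fit this grid+code:", patterns_consistent_with(grid, answer))
```

Because the pattern is a static secret, each challenge/response pair an eavesdropper captures together narrows the set of candidate patterns in this toy scheme, so a real deployment would rate-limit attempts and avoid sending the challenge and receiving the response over the same interceptable channel. That is a property of the construction shown here, not a statement about any particular product.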
Truly Secure Solutions
While moving to a multi-factor authentication solution is better than doing nothing, it is important to understand what is secure and what risks come with an SMS-based solution. Two-factor authentication implies a higher level of security, but with one-time codes sent via SMS as the second factor, and SIM swapping/porting taken into account, it becomes an insecure solution.
Organisations seeking true security for themselves and their customers need to, at a minimum, adopt solutions that do not rely on just a phone number, and then work toward eliminating PIN and password steps altogether. Additionally, businesses can now find services that add behavioural protection to their products and users, such as Castle's customer identity and access management system, which analyses customer behaviour to distinguish legitimate users from attackers, blocks account takeovers and automates the recovery process for affected users. With systems like this available, it is worth asking why businesses still allow a lazy and insecure form of two-factor authentication to plague their websites.
SMS Two-factor authentication – where to find out more
**Update: 11th October 2019**
Since we published this blog, the BBC series Rip Off Britain has run a story about SIM porting/swapping and how SMS authentication can be defeated. The story featured Mike Duckett, a business show presenter on Marlow FM local radio, who noticed problems with his mobile phone account and, after investigation, found that his SIM had been swapped to an attacker. Once the attacker controlled his SIM, and therefore his phone number, they could use the accepted route to authenticating a user, receiving the SMS code sent to Mike's number. They could then access and take control of Mike's accounts, gather further account and personal profile information, and gradually work through all his online accounts and resources, his history and his detailed personal information.
Featured on Rip Off Britain, Series 11, Episode 20, 11th October 2019.
This is happening now and it’s happening everywhere, not just with high profile celebrities.