SMS for 2-Factor Authentication can be compromised

Earlier this year in May 2016, the National Institute of Standards and Technology (NIST) published a guideline recommending the depreciation of SMS authentication as the second factor for strong authentication. NIST has recommended other forms of two-factor such as time-base one-time passwords generated by mobile apps — over text messaging.

In SMS-based two-factor authentication (2FA), a user must confirm the intended login or transaction by entering an OTP sent to their mobile phone — typically, a four- to eight-digit numerical code. This authentication method was once believed to protect against man-in-the-middle (MitM) attacks until security professionals realized that text messages can be intercepted by fraudsters easily.

If a mobile phone is compromised due to some malware, a fraudster can command the malware to monitor text messages, including OTPs, mobile SIM swaps, SIM clones, number porting attacks, fake caller ID and call forwarding scams which are operated by customer service representatives.

But 2FA has a major problem with also phones which have not been corrupted. Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped during transmission, even if the receiving device wasn’t infected by malware. Moreover, SMS are stored in plaintext by short message service center (SMSC) before they are successfully delivered to the intended recipient. These messages can be seen by anyone in SMSC and there are spying programs too like FlexiSpy which enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.

This method will fool a decent percentage of users who have enabled text messages as a form of two-factor authentication. Certainly, text messaging isn’t the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates. For this reason, most companies haven’t urgently migrated to other authentication methods.

Other safer options like push-to-approve to biometrics, such as fingerprint scans, retina scans or even voice recognition will take time. Google recently went a step further by debuting a new “push” authentication system that generates a prompt on the user’s mobile device that users need to tap to approve login requests.

But presently, the need of the hour is that websites should make user-friendly password policies and put the burden on verifier. It’s important that the users are not asked every time to improve their security by changing the passwords frequently because they are not improving it.

Leave a Reply