SMS is often used as a medium for sending one-time passwords (OTP) to provide additional security for two-factor authentication when digital consumers access web or mobile applications. Unfortunately, SMS-delivered OTPs are not enough. As hackers become more sophisticated, it becomes easier for them to compromise web or mobile applications with a wide range of out-of-band exploitation techniques, including carrier sniffing (SS7 attacks), malware (acting as a middleman) and social engineering tactics (SIM swap fraud), all of which can successfully compromise security and give fraudsters access to sensitive data.
As we move more and more to working from home through remote access, the use of multiple endpoints in the enterprise has become the new normal. How, then, can our businesses protect digital users and business systems from out-of-band attack techniques, especially if the OTP medium is not protected by a secure channel? For reference, the ubiquitous SMS standard in use (GSM 03.40) is not encrypted.
SMS certainly does not scale quickly enough to provide secure authentication
SMS is just the messenger. SMS has long been considered a secondary form of authentication – it’s cheap, convenient and ubiquitous – so what’s changing?
Companies are increasingly turning to cloud-based services, potentially changing the attack vectors that hackers can use to access and authenticate;
The number of end devices is growing exponentially, especially as "Bring your own device" policies come into effect and the Internet of Things continues to grow;
Consumers increasingly depend on dedicated apps or online access from their devices, and security may not be as strong along the chain;
Bypassing password protection for specific users is now trivially easy, which means that OTPs are increasingly becoming the first line of defense;
Today, hackers have refined their social engineering and phishing campaigns in conjunction with greater availability of information and hacking tools on the public Internet. For example, SIM card swapping becomes easier to perform as fraudsters no longer need to find details on the dark web.
SMS authentication has become a legacy technology that no longer meets the demands of 21st century digital consumers who are always connected to the Internet. SMS in particular has not evolved in 30 years, and it was originally built in an era when bandwidth was scarce. The infrastructure on which it relies is not agile. To be fair, texting was only meant to deliver a short message, not a secret. The difficult situation we find ourselves in today is that SMS is deeply integrated into the systems of millions of businesses and applications protecting access to our data.
Here are some examples of compromised SMS OTP:
[SOCIAL ENGINEERING] Philippines – "Hackers used a Filipino senator's credit card to buy 1 million pesos (equivalent to $20,000) worth of food through a delivery app. The senator said he received a text alert of a request to change the phone number from the credit card company. However, as he was presiding over a hybrid Senate committee hearing, he did not have time to check his phone between 2 p.m. and 5 p.m. or so. Apparently, the hacker was able to change their number, and when an OTP (One Time PIN) was sent to confirm purchases, the hacker confirmed them and ordered from Food Panda, the senator explained. After office hours, the senator said he saw the alert and checked with the credit card company, who reported the transactions to him. The senator said that this is the first time he has been a victim of hackers and with such a huge amount. He also noted that hackers have become innovative, such as changing the phone number of credit card users." – philstar GLOBAL, Philippines – Hackers use senator's credit card to buy food worth one million pesos
[MALWARE] Global – "The operators of the TrickBot banking malware have developed an Android application that can bypass some of the two-factor authentication (2FA) solutions used by banks. This Android app, which IBM security researchers named TrickMo, works by intercepting one-time codes (OTPs) that banks send to users via SMS or push notifications. TrickMo collects and then sends the codes to the TrickBot gang's main servers, allowing crooks to bypass connections or authorize fraudulent transactions." – ZDNet – TrickBot Now Pushes Android App To Bypass 2FA On Bank Accounts
[NETWORK] Germany – "Experts have for years warned of security flaws in Signaling System 7 – the magic glue used by mobile phone networks to communicate with each other. These loopholes can potentially be exploited to, for example, redirect people's calls and texts to the wrongdoers' devices. Now we have seen the first case of scammers exploiting design flaws to line their pockets with victims' money. O2-Telefonica in Germany confirmed to Süddeutsche Zeitung that some of its customers saw their bank accounts emptied using a two-step attack that exploits SS7." – The Register – Mobile hackers exploit SS7 loopholes to drain bank accounts after years of warnings
We need stronger and more reliable authentication methods to protect user transactions and digital identities.
Why SMS-dependent systems fail to provide secure OTP authentication
There are several vulnerabilities in SMS authentication that hackers can exploit to gain access to OTP:
A hacker can contact a mobile phone operator pretending to be the user and have the number moved to a SIM card the hacker controls (SIM swap fraud);
A user may accidentally download malware onto their device, allowing bad actors to view phone content including received text messages;
Organizations that are not ready to invest in strong authentication often decide to use "out of band" SMS to send OTPs. Out-of-band distribution over SMS is more vulnerable to hackers;
Criminals can exploit mobile networks as a whole using weaknesses in a common set of telephone signaling protocols known as Signaling System 7 (SS7);
These techniques can be combined with social engineering to target vulnerabilities.
Alternatives to SMS Authentication
While SMS is vulnerable, there are some great alternatives that can provide robust and secure authentication while meeting the needs of your digital consumers:
Authentication systems are updated to meet more stringent regulatory compliance requirements, including PSD2, FFIEC, and PCI-DSS 3.2;
Simple mobile push authentication can be combined with complete identity and access management solutions to provide highly secure authentication based on security needs over a secure and encrypted channel such as HTTPS.
Support your business and your customers throughout the authentication cycle
A good SMS authentication alternative should also provide reliable identity, password and authentication solutions throughout the customer journey.
About Edwardcher Monreal
Edwardcher Monreal is Senior Technical Consultant – IAM Consumer Authentication Solutions at HID Global. Edwardcher is a highly skilled digital security expert and passionate technologist with an instinctive passion for finding pragmatic technologies to solve practical problems. He has over two decades of experience in software development and in providing solutions and services to the military, telecommunications, banking, business and government sectors, with synergies in NFC, TSM and mobile financial services, applied with PKI, risk management and strong authentication.
About HID Global
HID Global fuels the trusted identities of people, places and things in the world, enabling people to transact securely, work productively and travel freely. Our solutions connect things that can be digitally identified, verified and tracked. We work with governments, hospitals, educational and financial institutions and industrial organizations. HID Global is a brand of the ASSA ABLOY group headquartered in Austin, Texas, with more than 4,000 employees and international offices in more than 100 countries.