News of Reddit and other social media platforms falling victim to hackers and having their users’ data stolen has been filling up our news feeds lately. The frequency of cyber attacks is increasing at an alarming rate, and attackers get away with millions of dollars’ worth of data to sell online.
Attackers also don’t discriminate: whether banks, hospitals, insurance companies, retail, or chat forums, data is data – gold is gold.
So how can you protect yourself and your customers? Let’s explore the topic on everyone’s lips in the cybersecurity sphere at the moment – SMS-based authentication.
First of all, it has been well established that SMS-based authentication is not secure. While SMS authentication is a convenient way to reach your users, it is also very easy to breach. If you don’t want to take our word for it, then at least heed the advice of the National Institute of Standards and Technology’s (NIST) Special Publication 800-63B – Digital Identity Guidelines, published in June 2017. In that publication, NIST strongly discourages using SMS codes for authentication. Case in point: Instagram (August 2018), Reddit (July 2018), and Coinbase (August 2017), just to name a few.
Back in June 2018, the Futurae team gave a live demonstration of how SMS-based authentication can be hacked, showing how easy it is to intercept an SMS. Capturing a code can take as little as 30 minutes (by intercepting network traffic), or it can happen in real time if a user is tricked into installing a malicious application. With the intercepted code, an attacker can take over the account. In many countries, attackers can also intercept SMS via so-called “phone number portability” or “SIM-swap” techniques. And finally, the SS7 network (the backbone of the mobile operators), an aging dinosaur in today’s over-connected world, was never intended for authenticated communication and is vulnerable to attacks that redirect traffic to rogue nodes.
On top of this gaping security problem, there is the elephant in the room – usability: what happens when users are off the grid because they are abroad or have poor-to-no network coverage? How often does a single person have to copy codes sent via SMS into their services? Not to mention the cost of sending an SMS every time a user wants to log in or perform a sensitive operation.
An interesting statistic: the number of mobile phone users worldwide is projected to exceed the five billion mark in 2019, which translates to 62.9% of the world’s population [1]. 77% of the US population currently owns a smartphone, and this number is predicted to grow steadily [2]. European smartphone users follow closely, with the percentage predicted to reach 76% by 2020 [3]. With users increasingly owning smart mobile devices, companies have a unique opportunity to move away from an outdated and risky SMS-based authentication method to far more secure and easy-to-use approaches delivered through authenticator apps, such as the one offered by Futurae. Since a small percentage of your users will still not have access to a smartphone, it is equally important to work with a provider that offers a broad variety of authentication methods, not only those best suited for usability. There is no one-size-fits-all solution, but that is not to say that your authentication service provider should not offer them all. At the end of the day, the big purchasing question remains: how can I best protect my users, and what would be the path of least resistance for adoption?
The fact remains that while SMS-based authentication is no longer considered secure, it is still better than having no 2FA in place. This is also why at Futurae we still offer SMS-based authentication alongside our many more human-centric and secure authentication approaches. Everyone has the right to secure their data, and we want to make sure that we have the right option for all.