The use of SMS codes to authenticate users has long since passed its zenith, but this method is still used all over the world in various industries as a supposedly secure 2FA login. This method is also still considered secure by regulators, especially in the financial services industry or the health sector. This is surprising, in view of the known security risks and the increasing number of cyber attacks.
As early as June 2017, the National Institute of Standards and Technology (NIST) published guidelines on digital identity. In this special publication (800-63B), NIST strongly advised against using SMS codes for authentication. This is no accident… Various companies such as the British Metro Bank, Google or Yahoo have been victims of cyber attacks involving secure codes sent over SMS.
The security risks around SMS are varied and can be roughly divided into three categories; local attacks, attacks via mobile phone providers, and attacks via your own smartphone.
The sending and delivery of SMS messages is still based on a communication protocol from 1975, Signalling System 7 (SS7). If an attacker is located near the nearest radio tower, or near the victim’s device, this outdated protocol makes it possible to intercept a sent SMS message in real time without any problems. ens.
Mobile phone provider attacks
Mobile phone connections within Switzerland are secure. However, this does not always apply to connections abroad. The standards of encryption on the mobile networks vary greatly from country to country and make it easy for attackers to intercept messages. In other words, if a user abroad wants to log on to his e-banking platform, there is a potentially increased risk.
In addition, attackers often manage to get hold of a SIM card with stolen information through social engineering via mobile phone providers. By the time the victim recognizes the misuse, it is usually too late. These so-called “SIM swapping” attacks usually proceed very quickly. Dr. Security discusses more details in this blog post.
One of the biggest risks is often hidden on your own Smartphone. For instance, it often happens that a child might install a game on their parents' Smartphone. What is probably less known, is that this app could simply read SMS messages received, even while in the background. Therefore be careful when installing apps! Check the app developer by carefully studying the originator. Not only game apps, but also crypto currency apps are popular “Trojan horses” for this kind of attacks.
Although not directly correlated, another widespread attack that leverages SMS messages, is the so-called “smishing” attacks (analogous to phishing via e-mail): criminals use SMS messages to ask the victim to log into a specifically crafted website to gather their sensitive personal data (such as e-banking access data). The messages give the impression of coming from a trustworthy entity (such as pretending to be from the post delivery service about a specific parcel delivery). Unfortunately, these attacks often work very well, since trust in SMS messages received on your own smartphones is generally much higher than in email.
Expensive and breaking the control chain
It is not only the security aspect that should discourage companies from using SMS messages, other factors also come into play and should be considered. SMS use is generally very expensive, because there are costs for each individual SMS that needs to be sent.
There is also no control over whether an SMS is actually delivered, or by when it is delivered, and if it is actually read by the user. Especially in parts of Asia, SMS transmissions are often difficult, with carriers blocking or delaying their delivery. Using SMS messages often breaks insights into user behaviour: was the user’s phone in a secure location when interacting with the website? Was the SMS protected by local phone authentication (such as fingerprint, or FaceId), or could anyone, just by looking at the phone screen read out the SMS code?
And finally, the burden of proof in case of abuse, according to many company terms and conditions, lies with the user, which is actually not fair: it becomes extremely difficult to understand what happened in case of attacks.
Win-Win for companies and users
The use of SMS codes for portal logins is still more secure than not using 2FA, but today there are various alternative authentication methods that are not only more secure but also more user-friendly, and give companies much greater insights into their own users behaviours. Futurae offers a variety of authentication methods that provide full flexibility for companies: from hardware to novel software-based solutions and protection against social engineering attacks. In addition, Futurae enables fast and uncomplicated integration into the existing infrastructure and reduces the total cost of ownership. Not only are expensive SMS costs eliminated, but also the often associated help desk calls in case of problems. SMS codes that never arrive – or reach an attacker – are a thing of the past!
Want to learn more?
Reach out to our experts at Futurae.