REMINDER: Text Message Based Two-Factor-Authentication Unsafe (NIST)
By Juha Saarinen, Feb 7 2017
SMS 2FA is used to protect email, often the keys to the kingdom given people use their email addresses for login IDs for a vast amount of services.
So needless to say, a lot of damage can be done through a compromised email account, making additional protection with a secondary authentication method not just a good idea, but necessary.
Of course, a convenient way to do this is to send codes via SMS, out of band from the login session, in order to avoid man-in-the-middle interception.
And in its day, it made sense: everyone has a mobile phone and can receive texts without needing any user training.
But it's 2017. SMS has been weighed and found wanting when it comes to security: America’s National Institute of Standards and Technology (NIST) last year saw the writing on the wall and put SMS 2FA on its “to be deprecated” list.
It's not especially easy to listen in on GSM traffic and capture the 2FA tokens, but it can be done with a bit of expertise, background information, and patience. So can siphoning off GSM signals.
Hooking up with a rogue telco to abuse Signalling System 7 (SS7), which sets up voice calls and message transmission between subscribers, could be worthwhile to capture 2FA SMS in bulk, but that's probably a bit too obvious, especially in the long run.
Malware like Marcher on Android can snag 2FA tokens, which is great because everyone has a phone and many of them are no longer updated by vendors, leaving millions of devices forever vulnerable.
If that’s too complicated, there’s porting of victims' phone numbers, or good old social engineering: a message arrives telling users to expect a text with a code because their account is under attack and needs to be verified, please reply to the message with the code.
Then there’s your telco screwing up message delivery.
That SMS messages went to random people means you should think twice before trusting Telstra’s - or any telco's - network for authentication of your sensitive accounts.
We need to start looking properly at alternatives to SMS 2FA, such as time-based one-time passwords (TOTP), which generate temporary authentication codes in an app on the device and transmit nothing over a network.
Taking it further and ditching codes altogether, push-to-accept notifications could work as long as they have multiple, different accept buttons to prevent users from inadvertently allowing logins.
More complex solutions include the FIDO Alliance’s universal two-factor (U2F) USB or NFC keys.
Either way, SMS 2FA has had its day. It's time for it to be put to rest.
https://www.itnews.com.au/blogentry/its-time-to-put-sms-2fa-out-to-pasture-450092
Comment (Cyber Security Specialist | Innovative Solutions to Difficult Security Challenges, 7 years ago):
Let's not let the perfect be the enemy of the good. Time based one time use password generators have also been shown to be vulnerable to man in the middle attacks. We need more adoption of 2FA and eliminate all passwords. That would be a great first step. From there we can begin the conversation over which 2FA mechanism is most secure. I prefer Smartcard based 2FA. For a more hardened approach you can add a third factor.