Two-factor authentication (2FA) brings an extra layer of security that passwords alone can’t provide. Requiring an extra step for a user to prove their identity reduces the chance of a bad actor gaining access to data.
One of the most common methods of 2FA is SMS text messages. The problem is that SMS is not a secure medium. Hackers have several tools in their arsenal that can intercept, phish, and spoof SMS. Despite this security flaw and better options for authentication, SMS-based 2FA is still used by several institutions.
How hackers intercept SMS
It is a great idea to add 2FA to any application to increase security. Password attacks are becoming more sophisticated, and even complex passwords can be cracked. Requiring further authentication for any login ensures better protection.
But after taking that extra security step, why use an insecure form of communication for that extra verification? After all, SMS messages are based on telephone networks. The first hackers were a bunch of folks who were finding cool ways to get around phone networks. Intercepting SMS is old hat to many hackers.
And, as Daniel Cid points out, it’s not just the phone networks, but phone companies that are bad at security.
Your voicemail is protected by only a 4-digit PIN. And on most carriers you can access your voicemail remotely.
Easy to phish. If you know some basic information about the person, you can get the PIN changed.
Easy to spoof. It is very easy to spoof an SMS message. There is no SSL or certificate to verify where it really came from.
Spoofing may actually be combined with phishing to gain access. This process allows hackers to falsify a message to appear like it’s coming from a legitimate source. The message will alert the victim that they need to reply with the security code. At the same time, the hacker will trigger a login 2FA request. If the victim replies with that code, the hacker can use it to gain access.
But following the best practices to prevent phishing isn’t enough to make SMS authentication secure. As Daniel noted, a hacker with basic information about the victim can get a PIN changed. And unfortunately, you can’t control phishing at the phone company.
The same method of social engineering can also be used to swap SIM information for a phone number. A hacker can pretend to be the victim and activate a new phone on the number. Before the victim notices, the hacker will already have breached the 2FA.
While this process may seem convoluted, it is surprisingly effective. For example, CloudFlare was breached using a similar method. Their phone provider, AT&T, was tricked into redirecting their voicemail and access to their email was gained through a 2FA account recovery process. If it can happen to an industry leader in cybersecurity, it can happen to anymore.
Hackers can also swap SIM information through a Remote Desktop Protocol (RDP). These attacks still need social engineering to get the RDP program installed. As Joseph Cox reported in Vice in January 2019, hackers had no problem gaining remote access to phone company systems. One even went as far as calling some employees and managers “brain dead.”
Because of this, weak 2FA is in some ways worse than no 2FA at all. In the case where SMS- or phone-based authentication is the only option offered by a service, it’s actually safer to skip 2FA. A good password policy will be the best option in this case.
Better alternatives to 2FA SMS
While it’s best to skip 2FA if SMS is the only option, this doesn’t solve the reason for adding 2FA in the first place. To prevent brute force and other attacks targeting password-only authentication, some form of 2FA is needed.
The good news is that there are multiple secure alternatives to SMS-based 2FA. Implementing one of these options will help keep your accounts safe from bad actors.
Hardware authentication relies on a dedicated physical device to grant access. Along with their password, users will also have to input a random token code generated by the device. Logins will fail without the code. Providers of hardware authentication include RSA SecurID and Thales SafeNet.
The physical nature of this method does have the potential for devices to be lost and stolen. But it does address many of the security issues inherent to SMS-based 2FA.
Software authentication is essentially the same principle as hardware authentication. But instead of requiring a physical device, token codes are generated with a mobile application. The most popular authentication app is Google Authenticator, but there are many options. For example, RSA now offers their SecurID authenticator as an app.
It may seem counterintuitive to recommend authentication based on a mobile device. But the software is not relying on SMS or the phone network for authentication, eliminating the inherent flaws in SMS-based 2FA.
This method checks the user’s IP address when logging in. You can block access to specific IP addresses suspected to be malicious, or simply only allow logins from known IP addresses and ranges. IP-based authentication can be used in conjunction with other forms to add another layer of protection.
Phones and text messages simply weren’t designed with security in mind. Relying on SMS for authentication actually causes a larger problem than what it’s meant to solve. But SMS still remains a very popular 2FA method despite these issues.
If a more secure option for 2FA is available, it is best to take it. If SMS-based 2FA is the only option, it’s best to skip 2FA and rely on a strong password strategy. The layer of risk that SMS creates makes it a liability more than a precaution.
While stronger 2FA options are recommended, they are not a replacement for a good password strategy. Think about it like you would your home: A strong deadbolt on the front is great, but it won’t matter if you leave the key under the mat.
If you are interested in cybersecurity content, sign up to receive information about current security issues, vulnerabilities, and exploits.