What is wrong with SMS-based 2FA?

In short:

One reason why you should not use SMS for TOTP (Time-based One-Time Password) is that SMS messages are not secure. SMS messages are transmitted over cellular networks and can be intercepted by attackers. This means that if an attacker is able to intercept an SMS message containing a TOTP, they could potentially use it to gain unauthorized access to a user's account.

In contrast, TOTP generators use cryptographic algorithms to generate one-time passwords that are difficult for attackers to guess or recreate. These passwords are typically displayed on the user's device, rather than being transmitted over an insecure network, which makes them more secure than SMS-based TOTPs.

Another reason to avoid using SMS for TOTP is that SMS messages can be delayed or not delivered at all, which can cause problems for users who rely on them for authentication. In these cases, the user may not be able to access their account if the SMS-based TOTP does not arrive in time.

Overall, it is generally recommended to use TOTP generators instead of SMS for TOTP, as they are more secure and reliable.

In today's digital age, online security is more important than ever. With cyber attacks on the rise, it's essential to take steps to protect your sensitive information from hackers and other malicious actors. One of the most effective ways to do this is through the use of two-factor authentication, or 2FA for short.

2FA is a method of verifying your identity during the authentication process (e.g. when you log into an online account, in addition to providing a username and password). It works by requiring you to provide two different forms of authentication: something you know (like a password) and something you have (like a smartphone or security key).

Authentication via SMS is attractive to businesses. Pretty much everyone has a mobile phone, so it's easy to implement, and businesses don't need to worry about smartphone operating system compatibility or the management of physical tokens. It's a very practical solution, and it's clear that using 2FA via SMS provides much, much greater protection for their assets than implementing no multi-factor authentication at all, but have you heard about the "security vs convenience" concept?

Online security threats are becoming increasingly sophisticated, and traditional username and password combinations are no longer sufficient to protect your accounts. Two-factor authentication adds an extra layer of security by requiring a second factor, in addition to your password, to gain access to your account.

In this post, we will discuss why SMS-based 2FA can compromise security, the historical reasons why SMS messages are not encrypted, and alternative 2FA methods that are more secure than SMS-based 2FA.

Chapter I: How SMS-based 2FA can compromise security

While 2FA is an important tool in online security, SMS-based 2FA is not the most secure method. Attackers can intercept SMS messages, compromising the security of your account.

SMS attacks either compromise phones/phone numbers or the messaging centers themselves within mobile networks. These messages are in plain text form — they’re not encrypted between sender and receiver, so if an attacker can access the message, they can read the content.

Last but not least, providers can be tricked into issuing a new SIM for a target's phone number, after which every SMS sent to that number can be read by whoever holds the new SIM.

Chapter II: How easy and affordable it is to intercept an SMS

SMS messages can be easily intercepted because they are not encrypted, which creates vulnerabilities in SMS-based 2FA that malicious actors can exploit. In addition, SMS messages are transmitted over a radio signal, which can be intercepted using simple equipment.

Cybercriminals and authorities can exploit vulnerabilities in SMS-based 2FA by intercepting the SMS message containing the one-time code. They can do this by using a fake cell phone tower (a "stingray") or by using a malware-infected app on your device.

Phones periodically and automatically broadcast their presence to the cell tower that is nearest to them, so that the phone carrier’s network can provide them with service in that location. They do this even when the phone is not being used to make or receive a call. When a phone communicates with a cell tower, it reveals the unique ID or IMSI number (International Mobile Subscriber Identity) associated with the SIM card. The IMSI number identifies that phone and its owner as a paying customer of a cell carrier, and that number can be matched by the carrier to the owner’s name, address, and phone number.

A stingray masquerades as a cell tower in order to get phones to ping it instead of legitimate cell towers, and in doing so reveal the phones' IMSI numbers. In the past, it did this by emitting a signal that was stronger than the signal generated by legitimate cell towers around it. The switch to 4G networks was supposed to address this in part by adding an authentication step so that mobile phones could tell if a cell tower is legitimate, yet the problem persists even on 4G and 5G. Though the 5G protocol offers a feature that encrypts the IMSI when it's disclosed during pre-authentication communication, law enforcement would simply be able to ask phone carriers to decrypt it for them, or simply guess it.

Another common method is SIM swapping, where an attacker convinces your mobile service provider to transfer your phone number to a SIM card under their control. This allows them to intercept any SMS messages sent to your phone, including those containing 2FA codes.

Another way is through phishing attacks, where an attacker tricks you into providing your 2FA code by posing as a legitimate service or website. They may send you a fake login page or email that looks like it came from a trusted source, and then use the code you provide to access your account.

Lastly, attackers can also intercept SMS messages through software vulnerabilities or by using specialized equipment to intercept and read the messages as they are transmitted over the airwaves. Intercepting SMS messages is not a difficult or expensive process. Cybercriminals can purchase a device that can intercept SMS messages for as little as $20 on the dark web.

In France, in February 2023, five people were charged, including three placed in provisional detention, for sending 424,000 SMiShing (SMS phishing) messages pretending to be from the French health insurance (Assurance Maladie) between September 2022 and February 2023. Unlike traditional phishing campaigns, the scammers used IMSI-catchers installed in cars.

II.A: SS7 vulnerabilities

SS7 (Signaling System No. 7) interception refers to the act of intercepting telecommunications traffic that passes through the SS7 protocol. SS7 is a set of protocols used for exchanging information between network elements in the public switched telephone network (PSTN). It allows telecom operators to exchange information about call routing, number translation, and other functions.

At the time of writing this post, it has been 6 years since the National Institute of Standards and Technology (NIST) called for the deprecation of SMS authentication as a second factor for strong authentication (2FA). Yet the SS7 protocol suite was developed in 1975 and is still in use today.

In 2008, vulnerabilities that permitted geo-tracking were published. The same happened in 2014 during the Chaos Communication Congress.

Then in 2017, O2 Telefónica, a German mobile service provider, confirmed that the SS7 vulnerabilities had been exploited to bypass 2FA to achieve unauthorized withdrawals from bank accounts.

In 2020, Sergey Puzantov, a telecom security expert at Positive Technologies, showed how 5G networks remain exposed through SS7.

II.B: A phone number is easy to hijack

A SIM swap scam is when a hacker tricks your mobile phone carrier into giving them control of your phone number. They can do this by pretending to be you and providing some personal information. In other words, the attack doesn't necessarily target a phone; it targets the network.

SIM swap fraud takes advantage of a mobile phone provider's ability to move your phone number to a different SIM card. This is usually done when someone loses their phone, gets it stolen, or switches to a new phone. Criminals use this feature to transfer your phone number to their own SIM card.

A number of high-profile hacks have occurred utilizing SIM swapping, including some on the social media sites Instagram and Twitter. In 2019, Twitter CEO Jack Dorsey's Twitter account was hacked via this method.

It all starts with gathering personal data about the victim. Yes, a phone number is personal data. This is why the leak of 533 million Facebook users' phone numbers is a major problem. Once the fraudster has obtained these details, they contact the mobile provider to port the victim's phone number to the fraudster's SIM. This can be done by impersonating the victim, using the personal data to appear authentic and claiming they've lost their phone. Once done, the victim loses connection to the network and the fraudster receives the SMS messages and voice calls previously intended for the victim, which allows them to receive OTPs sent by SMS as well.

Europol arrested criminals for stealing over USD 100 million in cryptocurrencies using this technique.

Twitter has announced that starting March 20, users who don't pay for the Twitter Blue subscription will no longer be able to use the SMS-based two-factor authentication (2FA) option. The reason? It's convenient but not safe.

II.C: Physical access is quick and discreet

Reading or cloning a SIM card can be done in a matter of minutes, though not all of them are cloneable. Once done, the attacker can impersonate the victim. Blank SIM cards and writer devices are available from Amazon, and the software is publicly available as well.

II.D: OS security

Android and iOS are operating systems like Windows, macOS and Linux, and therefore come with their strengths and their weaknesses. Android has been highlighted recently following research from Check Point Research: the attack was able to steal existing SMS messages and forward 2FA SMS to a phone number provided by the attacker.

II.E: Spoofing is still very common today

Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. An SMS isn't signed or encrypted either, making it easy to spoof.

Although this technique is not an SMS exploit by nature, it benefits from the lack of security in SMS to enable phishing and spoofing. It may need to be combined with phishing to gain access, but once done it allows the attacker to falsify a message so that it appears to come from a legitimate source, for example by impersonating a bank's website. The message alerts the victim that they need to reply with the security code; at the same time, the hacker triggers a login 2FA request. If the victim replies with that code, the hacker can use it to gain access.

Chapter III: Why SMS messages are not encrypted

SMS or Short Message Service was introduced in 1992 as part of the GSM standard for mobile phones. It was initially designed as a way for network operators to send short text messages to their subscribers. However, it quickly became popular among users as a way to communicate with each other using text messages. Despite its popularity, SMS is not end-to-end encrypted, meaning that it's possible for anyone who manages to intercept the text to read its content. This makes SMS-based 2FA vulnerable to interception.

SMS messages have never been encrypted since their creation, making them an attractive target. Although some encrypted messaging services over SMS have been introduced like the RCS (Rich Communication Services) protocol, these services are not widely used and do not provide end-to-end encryption like popular messaging apps. As a result, SMS messages can be intercepted and read by anyone who has access to the message, such as mobile carriers or attackers who are able to intercept the messages during transmission.

Chapter IV: Alternative 2FA methods

SMS-based 2FA is vulnerable to several types of interception and cybercriminals can exploit these vulnerabilities to gain access to your accounts. It's important to use a more secure 2FA method to protect your sensitive information.

IV.A: Hardware authentication

IV.A.1: Physical tokens

Physical tokens are small devices that generate one-time codes for 2FA. These tokens are more secure than SMS-based 2FA because they do not rely on a communication channel that can be intercepted.

IV.A.2: Security keys

Security keys are a form of hardware-based authentication that use cryptographic algorithms to secure access to online accounts. These keys can take the form of a USB device or a wireless dongle that communicates with your computer or mobile device. When you use a security key, you'll be prompted to insert it into your device and tap a button to authenticate your login.

Security keys are extremely secure and are considered to be one of the strongest forms of 2FA available. They're not susceptible to phishing attacks or other forms of social engineering, as they require physical access to the device.

IV.A.3: Hardware security keys

Hardware security keys are small physical devices that you can plug into your computer or mobile device to authenticate your identity. They use encryption and digital signatures to ensure that your login information is secure. Popular hardware security keys include YubiKey, Google Titan Security Key, and Feitian MultiPass FIDO Security Key. However, it is important to note that they can be physically lost by the owner or stolen. The mechanism is good, but the vulnerabilities lie elsewhere.

IV.B: Software authentication

IV.B.1: Authenticator apps

Authenticator apps provide a more secure alternative to SMS-based 2FA by generating unique, time-based one-time codes. These codes are significantly more secure because they are generated locally on the user's device and cannot be intercepted over the air. They work offline. As a result, authenticator apps provide a stronger layer of protection for online accounts and are a recommended method of 2FA.

IV.B.2: Email-Based 2FA

Email-based 2FA works similarly to SMS-based 2FA, but instead of receiving a text message, you receive an email with a one-time code. While email-based 2FA is more secure than SMS-based 2FA, it's still vulnerable to phishing attacks.

IV.B.3: Biometric authentication

Biometric authentication is a method of using your physical characteristics to verify your identity, such as your fingerprint, face, or iris. This form of authentication is becoming more popular on mobile devices, with many smartphones now featuring fingerprint or facial recognition technology.

Biometric authentication is very convenient and can be faster than entering a password or using a security key. However, it's important to note that biometric data can be compromised if it's stored improperly. Additionally, not all devices support biometric authentication, so it may not be a feasible option for all users.

One day I will write about biometric authentication and why I will never recommend it.

Chapter V: 2FA in real mobility life, when there is no network or no SIM card at all

Finally, I would like to talk about something I've been experiencing since 2012, when I dropped my SIM card. As a traveler, I gave up on the idea of buying new SIM cards everywhere I went. I also gave up on the idea of paying big chunks of money every month for an international plan. Instead, I use WiFi everywhere and a VPN. That said, I will never receive an SMS.

To put it simply, many places in the world offer an internet connection (via WiFi or cable) while there is no phone network around. Think also about having no roaming due to maintenance or a missing plan.

Then there is a very simple use case: when your phone is low on battery.

For these reasons, it makes absolutely no sense to send an SMS (on a dedicated network) while you're using the internet (another, more secure network). Services should use the same network or provide an offline solution like the hardware and software solutions listed above.

Chapter VI: Conclusion

In this article, we've explored the security risks of SMS-based two-factor authentication (2FA) and why it's a bad choice for online security. While SMS-based 2FA may seem like a convenient option, it's actually vulnerable to interception and hacking, making it easy for cybercriminals to gain access to your accounts and sensitive information.

It's important to choose a secure 2FA method that can provide better protection against these risks. Alternative methods like authenticator apps or hardware tokens are more secure options that can be used instead of SMS-based 2FA. These methods use encryption and generate unique codes that can only be used once, making it much harder for cybercriminals to gain access to your accounts.

As everyday internet users, it's our responsibility to protect our sensitive information from malicious actors. By choosing a secure 2FA method and being vigilant about our online security, we can help prevent cyberattacks and keep our information safe.

In conclusion, while SMS-based 2FA may seem like an easy and convenient option, it's not worth the security risks it poses. Choosing a more secure 2FA method and taking steps to protect our sensitive information is essential for maintaining our online security in today's digital world.

Chapter VII: Bonus

  • How can I tell if a website or service is using SMS-based 2FA?

One way to determine if a website or service is using SMS-based 2FA is to check their security or authentication settings. Look for an option to enable two-factor authentication or multi-factor authentication. If SMS is the only option listed, it's likely that the website or service is using SMS-based 2FA. Additionally, some websites or services may explicitly state that they use SMS-based 2FA as a form of authentication in their documentation or security policies. If in doubt, you can contact the website or service's customer support team for more information.

A good indicator can also come when websites ask for a phone number. One day I will write about that too. Why I don't like to give a phone number or why I don't like phones in general.