person entering authentication code from mobile phone

SMS Authentication — Is It Enough to Protect Your Business?

SMS is often used as a carrier to send one-time passwords (OTP) to provide additional security for two-factor authentication when digital consumers access web or mobile applications. Unfortunately, SMS carrying an OTP is not enough. As hackers become more sophisticated, it’s becoming easier for them to compromise web or mobile applications with a wide range of out-of-band exploitation techniques that include carrier sniffing (SS7 attacks), malware (acting as a man-in-the-middle) and social engineering tactics (conveniently performing SIM swap fraud), all of which can successfully compromise security and grant fraudsters access to sensitive data.

As we move increasingly to work from home arrangements through the help of remote access, consuming multiple endpoints in the enterprise has become the new normal. How then can our enterprises secure digital users and business systems from out-of-band exploitation techniques – especially if the carriers of the OTP are not protected via a secure channel? For reference, the ubiquitous SMS standard used (GSM 03.40) is not encrypted.

SMS Is Definitely Not Adapting Fast Enough to Provide Secure Authentication

SMS is only the messenger. SMS has been trusted as a secondary form of authentication for a long time — it has been cheap, convenient and ubiquitous — so what’s changing?

  • Businesses are increasingly moving to cloud-based services, potentially changing the attack vectors hackers can use to access and authenticate themselves
  • The number of endpoint devices is growing exponentially, especially as “Bring Your Own Device” policies come into effect and the Internet of Things continues to grow
  • Consumers are becoming increasingly reliant upon dedicated apps or online access from their devices, and security may not be as robust throughout the chain
  • Circumventing password protection for specific users is now trivially easy, meaning OTPs are increasingly becoming the first line of defense
  • Hackers today have refined their social engineering and phishing campaigns in conjunction with broader availability of hacking information and tools on the public internet. For example, SIM swapping is getting easier to pull off with fraudsters no longer needing to find the details from the dark web.

SMS authentication has become a legacy technology that no longer meets the demands of 21st century, digital consumers that are always connected to the internet. SMS in particular has not evolved in 30 years, and it was originally built in an era where bandwidth was scarce. The infrastructure it relies on is not agile. To be fair, SMS was only intended to deliver a short message, not a secret. The predicament we are in today is the fact that SMS is deeply integrated into the systems of millions of businesses and applications guarding access to our data.

Here are some examples of SMS OTPs being compromised:

[SOCIAL ENGINEERING] Philippines – “Hackers used a Philippine senator’s credit card to purchase P1 million (equivalent to USD 20K) worth of food through a delivery app. The senator said he received a text alert of a request to change his phone number from the credit card company. However, since he was presiding over a hybrid hearing by the senate committee, he had no time to check his phone from 2:00 PM to about 5:00 PM. Apparently, the hacker managed to change his number, and when an OTP (one-time pin) was sent to confirm the purchases, the hacker was confirming them and ordered from Food Panda, the senator explained. After office hours, the senator said he saw the alert and checked with the credit card company, which reported to him the transactions. The senator said it was the first time he experienced being victimized by hackers and with such a huge amount. He also noted that hackers have become innovative, such as changing the phone number of credit card users.” – philstar GLOBAL, the Philippines – Hackers uses senator’s credit card to buy food worth P1 million

[MALWARE] Global - “The operators of the TrickBot banking malware have developed an Android app that can bypass some of the two-factor authentication (2FA) solutions employed by banks. This Android app, which security researchers from IBM have named TrickMo, works by intercepting one-time (OTP) codes banks send to users via SMS or push notifications. TrickMo collects and then sends the codes to the TrickBot gang's backend servers, allowing the crooks to bypass logins or authorize fraudulent transactions.” – ZDNet - TrickBot now pushes Android app for bypassing 2FA on banking accounts

[NETWORK] Germany - Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other. These shortcomings can be potentially abused to, for example, redirect people's calls and text messages to miscreants' devices. Now we've seen the first case of crooks exploiting the design flaws to line their pockets with victims' cash. O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.” – The Register After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

We need stronger, more reliable authentication methods to protect user transactions and digital identities.

Why SMS Dependent Systems Fail to Provide Secure OTP Authentication

There are several vulnerabilities in SMS authentication that hackers can exploit to access OTP:

  • A hacker may contact a mobile phone carrier pretending to be the user and have the SIM changed to something they have access to (SIM swap fraud)
  • A user may accidentally download malware onto their device, allowing bad actors to view the content of the phone including received text messages
  • Organizations that aren’t ready to invest in strong authentication often decide to use “out-of-band” SMS to send OTPs. Out-of-band distribution is more vulnerable to hackers.
  • Criminals can exploit mobile networks at large by using weaknesses in a common set of telephone signaling protocols known as Signaling System 7 (SS7)
  • These techniques can be combined with social engineering to target vulnerabilities

Alternatives to SMS Authentication

Although SMS is vulnerable, there are some excellent alternatives that can provide robust, secure authentication while meeting the needs of your digital consumers:

  • Authentication systems are being updated to meet stronger regulation compliance requirements including PSD2, FFIEC and PCI-DSS 3.2
  • Simple Mobile Push Authentication can be combined with complete Identity and Access Management solutions to provide deeply secure authentication based on security needs over a secure, encrypted channel such as HTTPS

Supporting Your Business and Customers Throughout the Authentication Cycle

A good SMS authentication alternative also needs to provide trusted identity, password and authentication solutions throughout the customer journey:

Find out more about consumer authentication.

Edwardcher is a highly skilled digital security expert and avid technologist with an instinctive passion for finding pragmatic technologies to solve practical problems. He has over two decades worth of experience working in the trenches developing software and delivering solutions & services to the military, telecoms, banks, enterprise and the government with synergies in NFC, TSM and mobile financial services applied with PKI, risk management and strong authentication.