This Is The Surprising Truth About SMS Security
By Kate O’Flaherty
Have you heard of SIM swapping? This nasty form of attack was documented last June by ZDNet writer Matthew Miller, who detailed the horror show that unfolded after he found his services had been hacked and his bank charged $25,000 by an attacker purchasing Bitcoin.
Then more recently, a study by Princeton University found five major U.S. prepaid wireless carriers are vulnerable to SIM swapping attacks. Staff at customer support centers of carriers Verizon Wireless, T-Mobile, AT&T, US Mobile and Tracfone were all said to be following vulnerable procedures that could allow this type of attack to happen.
SIM swapping sees an adversary calling your wireless carrier and requesting that your cellphone number be attached to their SIM card. The hacker can then take control of your phone number and reset all your passwords via SMS.
Aha, I hear you say, that means I should never use SMS for two-factor authentication (2FA). Well, no, not exactly. Let me tell you why.
A story about SMS for 2FA
Yesterday, Twitter users were up in arms after security company Bitdefender shared a blog post based on the Princeton University study’s findings. The tweet read: “Users are advised to drop SMS 2FA. Most wireless carriers in the U.S. are vulnerable to SIM Swapping attacks and lack proper procedures to fend off hackers.”
Of course, this prompted some strong reactions from the infosec community. Lesley Carhart, a well-known security professional, tweeted: “Wow. I’m pretty disappointed in Bitdefender right now. This is just about the most misleading and unintentionally harmful way they could have phrased and framed this problem. SMS 2FA has serious problems but is still a deterrent. Don’t drop SMS without an alternative in place.”
Bitdefender later clarified its tweet, which it seems was posted by its social media team without a full understanding of the issue or its implications. Bogdan Botezatu, senior e-threat analyst at Bitdefender, told me that the article was meant to raise awareness of the issues and challenges posed by SMS-based two-factor authentication and why users should consider replacing it with something else.
He says: “Bitdefender highly encourages users to adopt two-factor authentication as an additional mechanism to prevent unauthorized logins. If no alternative is available, SMS-based 2FA is still a better option than none.”
SMS for 2FA: What’s the risk?
Of course, if SIM swapping attacks can easily happen, there is a risk in using SMS for 2FA. This is because it’s then a doddle for attackers to verify your account, as they can simply use the text message to access your services.
SIM swapping is often easy to pull off by social engineering the telecom provider, but these are still targeted attacks, points out security professional John Opdenakker. He adds that in general the risk to the average user of accounts being compromised by mass attacks such as phishing or credential stuffing is “a lot higher.”
Stuart Peck, director of cyber security strategy at ZeroDayLab, agrees, saying: “This attack requires an adversary to be motivated, and the payoff has to be large enough to go to this much effort. Usually this is related to financial fraud, as opposed to just account takeovers.”
And in fact, Peck says the benefits of having SMS 2FA over nothing are “massive.”
He says: “It’s another layer of defense that is still highly effective. Is it the most secure option? No, but it’s much better than just a username and password.”
SMS for 2FA: What should you use instead?
Ideally, you should use something else as an extra method of authentication, such as a security key or app. But there is another problem: “The reality is, a lot of websites don’t offer a more secure 2FA option such as software tokens or even better, hardware security tokens,” says Opdenakker.
However, if you don’t feel comfortable with SMS-based 2FA given the nature of the data protected by an account, Opdenakker advises users “to look for an alternative service with better account security options.”
And there’s another important step you can take to avoid SIM swapping attacks, says Peck: “Make sure you speak to your mobile network provider and password protect your account, especially for phone calls, as this will at least reduce the likelihood of SIM swapping.”
The final word
In general, Opdenakker recommends enabling the most secure available 2FA option–even when this is SMS. “Two layers of protection–albeit layers with known vulnerabilities–are better than one.”
Indeed, SMS 2FA requires the least amount of technical knowledge and is still the lowest barrier to entry to secure accounts, as it doesn’t require backup codes or an app to install, says Peck. Just be aware that it does come with some risks, and other options are more secure.
Peck advises people worried about protecting their accounts to consider apps such as Microsoft or Google Authenticator, or Authy. In addition, services such as 2FA Notifier for Chrome and Firefox show which sites support 2FA and how to set this up.
You heard it: Two-factor authentication is good, and it’s even better if you can use a security key such as a YubiKey–or even your iPhone–or an authentication app. But if you don’t have that option, or the service you are using doesn’t allow it, use SMS instead.