Your bank now sends you a text message to validate your login or to get your password reset. You feel so safe now! No hacker can get you. After all, you are now using “two factor” authentication (2FA) and the hacker would have to have both your phone and your password to get in. Sounds great, right? It does sound great, but unfortunately, there are concerns. Using SMS as a component of 2FA can provide a false sense of security. In some cases, it can actually weaken your security posture. Let’s explore some examples of how SMS-based 2FA can be circumvented and what an enterprise can do to lower their risk.
One would think that by enabling SMS text as part of your authentication strategy, your security posture could only be strengthened. However, things can go badly if an SMS text alone can be used to verify identity.
On August 22, 2017, John Biggs, a current contributing writer for TechCrunch, found himself locked out of his email and social media accounts. His family and friends also received text messages from his phone asking for money. How could that happen? The fault here was not with anything he did, or did not do. A hacker was allegedly able to talk John’s cell phone provider into moving his line to a new hacker-controlled cell phone. Once that had occurred, the hacker was able to ask for password resets on all of his online services, which dutifully sent SMS text messages to validate his identity. Unfortunately, those text messages were now going to the hacker-controlled cell phone. In minutes, his accounts were taken over! Fortunately, due to his industry knowledge, he was able to recognize what had happened and contact his cell phone provider to get his phone number back and reverse the breach. In the short amount of time the hacker had access to John’s accounts, it was discovered that his friends had received phishing messages from his account sent by the hacker. Luckily his friends were able to recognize that the text messages were not from John, despite the messages containing some personal information gleaned by the hacker while going through John’s email. No major harm was done, but things could have been a lot worse for someone who did not know how to recognize the issue or how to respond.
However, social engineering by a smooth talking hacker isn’t the only reason SMS is not best for 2FA.
In May 2017, a German mobile service provider, O2 Telefónica, revealed that hackers had exploited vulnerabilities in the underlying protocols used for cell phone SMS communications (known as SS7), to bypass two-factor authentication (2FA) allowing them to make unauthorized withdrawals from users’ bank accounts. The hackers began their compromise by infecting their targets’ computers with malware. This allowed them to capture the users’ bank account credentials and phone numbers. The attackers then purchased access to a fake telecom provider, which then allowed them to use vulnerabilities in SS7 to set up redirects from the victims’ phone numbers to lines controlled by the hackers. Finally, the attackers logged into the victims’ online bank accounts and transferred money to accounts of their own. Although 2FA communications were made to the users’ phones, they had been routed to phone numbers controlled by the attackers.
How do we protect ourselves and our companies from a determined hacker using methods such as these to bypass 2FA?
- Education of staff is an important start. Hackers use phishing emails to your staff as a key strategy to get malware onto users’ computers. Companies like PhishMe provide training and testing for your employees to ensure they are as prepared as possible to be the first line of defense against hackers’ phishing schemes. Teaching users how to choose good passwords provides a good foundation to build on.
- Use good email protection that can catch and stop email phishing, which could compromise one of the two factors. More than 90% of targeted attacks start with email, and these threats are always evolving. Proofpoint’s Targeted Attack Protection (TAP) stays ahead of today’s attackers with an innovative approach that detects, analyzes, and blocks advanced threats before they reach the inbox.
- Employ a firewall that can watch for phishing and other authentication-based attacks. If a website asks for a user’s Dropbox credentials but the user is not actually at Dropbox.com, wouldn’t it be great if you had a little birdie on your shoulder that said, “No! Don’t hit submit!” While you may or may not have a little birdie on your shoulder, a Palo Alto Networks firewall will observe, recognize and stop these kinds of threats.
- Ensure you are using a well-designed second factor authentication (2FA) scheme. 2FA involves something you have and something you know. A security researcher once told me that if you are not using 2FA, it’s not a question of whether you will be hacked, but how long it will be before you find the hacker who is already in your systems. Duo provides strong 2FA but also does it in an easy-to-use manner by providing an app that simply prompts you to confirm that it is really you logging in (the little birdie on your shoulder recommends choosing “No” if it’s not you logging in!).
Is all SMS authentication bad when being used for 2FA? Not necessarily. Although the above anecdotes show how clever hackers can work around SMS-based 2FA, using SMS for 2FA is certainly better than no 2FA, provided it is used in conjunction with a good password. However, it should never be used as a replacement for a password or alone to validate your identity for password recovery. As a specialist integrator of next-generation technologies, Teneo would love to work with your security team to assess your security posture and recommend technologies which may be a good fit for your environment. Please let us know how we can help.
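The policy stated above, that SMS may serve as a second factor at login but never stand alone for password recovery, can be enforced in the authentication service itself. The following Python is an added illustration, not code from Teneo or any product named on the page; the factor names and the rule that a reset needs a device-bound factor (app prompt or authenticator) are assumptions chosen so that a re-routed phone number, as in the SIM-swap and SS7 cases, cannot by itself unlock an account.

```python
from enum import Enum

class Kind(Enum):
    KNOWLEDGE = "knowledge"        # something you know: a password
    PHONE_NUMBER = "phone_number"  # bound to a phone number, which a carrier or SS7 can re-route
    DEVICE = "device"              # bound to a device or app the user physically holds

# Constructed factor catalogue for this example (not a real product's names).
FACTORS = {
    "password": Kind.KNOWLEDGE,
    "sms_code": Kind.PHONE_NUMBER,
    "app_push": Kind.DEVICE,
    "totp": Kind.DEVICE,
}

def _kinds(verified: set[str]) -> set[Kind]:
    """Map the factors a user has just proven to their kinds; reject unknown names."""
    unknown = verified - FACTORS.keys()
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    return {FACTORS[f] for f in verified}

def allow_login(verified: set[str]) -> tuple[bool, str]:
    """Login: a password plus any possession factor. SMS is acceptable here
    because it is paired with the password, as the page recommends."""
    kinds = _kinds(verified)
    if Kind.KNOWLEDGE not in kinds:
        return False, "login requires the password"
    if not kinds & {Kind.PHONE_NUMBER, Kind.DEVICE}:
        return False, "login requires a second factor in addition to the password"
    return True, "ok"

def allow_password_reset(verified: set[str]) -> tuple[bool, str]:
    """Reset: no password exists to pair with, so a phone-number-bound factor
    must never be the only proof. Assumed rule: a device-bound factor is required;
    an SMS code may accompany it but adds nothing on its own."""
    kinds = _kinds(verified)
    if Kind.DEVICE in kinds:
        return True, "ok"
    if kinds == {Kind.PHONE_NUMBER}:
        return False, "SMS alone cannot authorize a password reset"
    return False, "password reset requires a device-bound factor"

if __name__ == "__main__":
    print(allow_login({"password", "sms_code"}))        # (True, 'ok')
    print(allow_password_reset({"sms_code"}))           # (False, 'SMS alone cannot ...')
    print(allow_password_reset({"sms_code", "app_push"}))  # (True, 'ok')
```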