SMS is commonly used to deliver one-time passwords (OTPs) as a second factor when consumers sign in to web or mobile applications. Unfortunately, an OTP carried over SMS is not enough. Attackers now have a range of techniques for intercepting or redirecting that out-of-band channel, including carrier-network attacks (SS7), malware on the handset acting as a man-in-the-middle, and social engineering such as SIM swap fraud, any of which can defeat the second factor and give fraudsters access to sensitive data.
As working from home over remote access becomes routine and the enterprise has to serve many more endpoints, how can businesses protect digital users and business systems from these out-of-band attacks, especially when the channel carrying the OTP is not secured? For reference, the SMS standard still in universal use (GSM 03.40) provides no end-to-end encryption: the message text is readable to the carrier network and to anything on the handset that can read incoming SMS.
SMS is not adapting fast enough to provide secure authentication
SMS is merely the messenger. It has been trusted as a second factor for a long time because it is cheap, convenient and ubiquitous, so what is changing?
- Businesses are increasingly moving to cloud-based services, changing the attack surface and the paths an attacker can use to reach an authentication flow
- The number of endpoint devices is growing rapidly, especially as "Bring Your Own Device" policies take effect and the Internet of Things continues to grow
- Consumers rely more and more on dedicated apps or online access from their devices, and security is not always equally robust across every link in that chain
- Passwords are now routinely compromised (phishing, breached credential lists), which makes the OTP the primary, and often the last, line of defense
- Attackers have refined their social engineering and phishing campaigns, helped by the broad availability of hacking information and tools on the public internet. SIM swapping, for instance, is getting easier to pull off, with fraudsters no longer needing to buy details from the dark web.
SMS authentication has become a legacy technology that no longer meets the demands of 21st-century digital consumers who are always connected. SMS in particular has barely evolved in 30 years; it was built in an era when bandwidth was scarce, and the infrastructure it relies on is not agile. To be fair, SMS was only ever intended to deliver a brief message, not a secret. The predicament today is that SMS is deeply integrated into the systems of many businesses and into the applications guarding access to our data.
Here are some examples of SMS OTPs being compromised:
[SOCIAL ENGINEERING] Philippines – "Hackers used a Philippine senator's MasterCard to buy P1 million (equivalent to USD 20K) worth of food through a delivery app. The senator said he received a text alert of an invitation to change his telephone number from the MasterCard company. However, since he was presiding over a hybrid hearing by the senate committee, he had no time to check his phone from 2:00 PM to about 5:00 PM. The hacker managed to change his number, and when an OTP (one-time pin) was sent to verify the purchases, the hacker was confirming them and ordered them from Food Panda, the senator explained. After office hours, the senator said he saw the alert and checked with the MasterCard company, which reported the transactions to him. The senator said it was the first time he had experienced being victimized by hackers, and with such an enormous amount. He also noted that hackers have become innovative, for example by changing the telephone number of MasterCard users." – philstar GLOBAL, the Philippines – Hackers use senator's MasterCard to buy food worth P1 million
[MALWARE] Global – "The operators of the TrickBot banking malware have developed an Android app that can bypass some of the two-factor authentication (2FA) solutions used by banks. This Android app, which security researchers from IBM have named TrickMo, works by intercepting one-time (OTP) codes banks send to users via SMS or push notifications. TrickMo collects and then sends the codes to the TrickBot gang's backend servers, allowing the crooks to bypass logins or authorize fraudulent transactions." – ZDNet – TrickBot now pushes Android app for bypassing 2FA on banking accounts
[NETWORK] Germany – "Experts have been warning for years about security blunders in the Signaling System 7 protocol, the magic glue used by cellphone networks to communicate with one another. These shortcomings can potentially be abused to, for instance, redirect people's calls and text messages to miscreants' devices. Now we have seen the first case of crooks exploiting the design flaws to line their pockets with victims' cash. O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7." – The Register – After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
We need stronger, more reliable authentication methods to protect user transactions and digital identities.
Why SMS-Dependent Systems Fail to Provide Secure OTP Authentication
There are several weaknesses in SMS authentication that attackers can exploit to obtain the OTP:
- An attacker may contact the mobile carrier pretending to be the user and have the number moved to a SIM they control (SIM swap fraud), after which every OTP is delivered to the attacker
- A user may unknowingly install malware on their device that lets an attacker read the phone's contents, including received text messages, as TrickMo does
- Organizations that do not invest in strong authentication often fall back on out-of-band SMS to deliver OTPs. The weakness is the channel, not the out-of-band design as such: an SMS OTP is a short code that is neither encrypted in transit nor bound to the user's device, so whoever controls the number or the handset can read and use it
- Criminals can exploit the mobile network itself through weaknesses in the common set of telephone signaling protocols known as Signaling System 7 (SS7), redirecting SMS without touching the victim's phone
- These techniques are often combined with social engineering, for example a phishing call that prompts the victim to read out the code
Alternatives to SMS Authentication
Although SMS is vulnerable, there are excellent alternatives that provide robust, secure authentication while meeting the needs of your digital consumers:
- Authentication systems are being updated to satisfy stronger regulatory requirements, including PSD2, FFIEC guidance and PCI DSS 3.2
- Mobile push authentication, combined with a complete Identity and Access Management solution, provides strong authentication tailored to the application's security needs. The approval request travels over a secure, encrypted channel such as HTTPS, is tied to a registered device rather than to a phone number, and can name the specific transaction being approved, so an intercepted code cannot simply be replayed elsewhere
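The following is an added illustration of the device-bound push approval described above; it is example code written for this article, not HID's product code or any vendor API. It assumes a per-device secret provisioned once during enrolment over TLS, approvals computed as an HMAC over a server-issued challenge that names the transaction, single-use nonces and a short expiry. All device names, actions and the in-memory "server" are constructed for the demonstration. It shows why such an approval resists the attacks that defeat an SMS OTP: it cannot be replayed, cannot be moved to a different transaction, and cannot be produced by someone who merely observed the challenge.

```python
"""Device-bound push approval versus an SMS OTP (added example, assumptions in comments)."""
import hashlib
import hmac
import json
import secrets
import time


class PushServer:
    """Minimal in-memory authentication server (constructed for illustration)."""

    def __init__(self, now=time.time):
        self._now = now             # injectable clock so expiry can be tested
        self._devices = {}          # device_id -> enrolment secret
        self._pending = {}          # nonce -> challenge payload awaiting approval
        self._used = set()          # nonces already consumed (replay protection)

    def enrol(self, device_id: str) -> bytes:
        # Assumption: the secret is delivered to the app exactly once over TLS.
        secret = secrets.token_bytes(32)
        self._devices[device_id] = secret
        return secret

    def issue_challenge(self, device_id: str, action: str, ttl: int = 60) -> dict:
        # The challenge names the device and the exact transaction being approved.
        payload = {
            "nonce": secrets.token_hex(16),
            "device": device_id,
            "action": action,
            "exp": int(self._now()) + ttl,
        }
        self._pending[payload["nonce"]] = payload
        return payload

    @staticmethod
    def canonical(payload: dict) -> bytes:
        # Deterministic encoding so device and server sign the same bytes.
        return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

    def verify(self, payload: dict, tag: str) -> bool:
        nonce = payload.get("nonce")
        expected = self._pending.get(nonce)
        if expected is None or nonce in self._used:
            return False            # unknown challenge, or a replayed approval
        if expected != payload:
            return False            # transaction details were altered in transit
        if self._now() > expected["exp"]:
            del self._pending[nonce]
            return False            # challenge expired
        secret = self._devices.get(payload["device"])
        if secret is None:
            return False
        good = hmac.compare_digest(
            hmac.new(secret, self.canonical(payload), hashlib.sha256).hexdigest(), tag
        )
        if good:
            self._used.add(nonce)   # each challenge can be approved once
            del self._pending[nonce]
        return good


def device_approve(secret: bytes, payload: dict) -> str:
    """What the enrolled app does when the user taps 'Approve'."""
    return hmac.new(secret, PushServer.canonical(payload), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Runs the honest flow and four attacker attempts; returns each outcome."""
    clock = [1_700_000_000.0]
    server = PushServer(now=lambda: clock[0])
    secret = server.enrol("phone-1")
    results = {}

    # Honest user approves a transfer on the enrolled device.
    ch = server.issue_challenge("phone-1", "transfer 500 USD to account 1234")
    tag = device_approve(secret, ch)
    results["legit"] = server.verify(ch, tag)

    # Attacker replays the captured approval (an SMS OTP could be reused this way).
    results["replay"] = server.verify(ch, tag)

    # Attacker keeps a genuine approval but changes the transaction it covers.
    ch2 = server.issue_challenge("phone-1", "transfer 500 USD to account 1234")
    tag2 = device_approve(secret, ch2)
    tampered = dict(ch2, action="transfer 5000 USD to account 9999")
    results["tampered"] = server.verify(tampered, tag2)
    results["legit_after_tamper"] = server.verify(ch2, tag2)  # honest one still works

    # Attacker saw the challenge (as with an intercepted SMS) but lacks the device secret.
    ch3 = server.issue_challenge("phone-1", "login")
    results["forged"] = server.verify(ch3, device_approve(b"not the secret", ch3))

    # Approval arrives after the challenge has expired.
    ch4 = server.issue_challenge("phone-1", "login", ttl=30)
    clock[0] += 31
    results["expired"] = server.verify(ch4, device_approve(secret, ch4))
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>18}: {'accepted' if ok else 'rejected'}")
```

The caveat a practitioner should keep in mind: this design defeats SIM swap and SS7 redirection because the phone number plays no part, but it does not defeat malware with full control of the handset, which could read the enrolment secret or auto-tap "Approve". That is why push approval is normally combined with the device and risk signals discussed in the next section, and with hardware-backed key storage on the phone where available.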
Supporting Your Business and Customers Throughout the Authentication Cycle
A good SMS authentication alternative must also provide trusted identity, password and authentication services throughout the customer journey:
- Initial biometric identification through ID upload, document verification, facial matching and address checking
- Risk management and fraud prevention through algorithmic analysis and appropriate challenges based on user, device, location, transaction sensitivity and similar signals
- Adaptive authentication that lets a user choose from several methods of proving their identity, including security tokens and biometrics
- A positive user experience from start to finish
To find out more about consumer authentication, visit HID Readers in Saudi Arabia.