back to article Standards body warned SMS 2FA is insecure and nobody listened

The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security. Last July NIST declared that sending one-time passwords to mobile phones was insecure. The organisation wrote in its advisory that the likelihood …

  1. Nate Amsden

    educate the users

    but don't remove the option.

    At my org where we use Duo approx 18% of the users (according to monthly Duo report) use SMS or Voice, about 65% use the Duo Push app(most of the rest use a duo generated pass code). This number hasn't changed over the past 6 months. At one point I noticed for whatever reason people located in what might be considered non 1st world(not knowing off the top of my head what constitutes 1st world) countries seemed to be more likely to use voice as the 2nd factor, at least in my org.

    I don't expect Duo to remove the option, though I suspect their admin UI has the ability to turn off various forms of 2 factor if the companies wish to(I haven't checked).

    1. A Non e-mouse Silver badge
      Flame

      Re: educate the users

      educate the users

      'Cause that works so well for securing passwords, not clicking on random email attachments, etc...

  2. JimmyPage
    Stop

    SMS messages ... may be ... redirected,

    Can someone tell me how, please ?

    When moving phones, one reason to not change numbers is the inability to forward on SMS. Redirecting voice calls is trivial - the network can simply forward calls (with CLI details) invisibly.

    I had to carry two phones for over year because it wasn't possible to redirect SMS,

    (I know there are "apps" that claim to do this - but even if they were a solution, they don't forward the CLI details. So you have no idea where the SMS came from.)

    1. Peter 26

      Re: SMS messages ... may be ... redirected,

      Maybe they mean with the method of getting the network operator to transfer your number to a new sim as mentioned in the article. You don't need much info to get that done.

      1. Alan Edwards

        Re: SMS messages ... may be ... redirected,

        "getting the network operator to transfer your number to a new sim "

        The fact that your phone has stopped working is a bit of a giveaway, though.

        Plus the network will send SMSs to your phone warning you that the SIM will stop working soon - at least O2 does, I assume the others do similar things.

        If you can get physical access to the phone for a little while, using Pushbullet or Continuity to echo the SMS to a computer would be easier, and the target would be none the wiser.

        1. big_D Silver badge

          Re: SMS messages ... may be ... redirected,

          You can have more than one SIM with the same number - my current contract includes 2 free additional SIMs with the same number (for use in tablets or laptops for data, for example) and I can pay for more.

          All use the same number and, if you put all 3 SIMs in phones, they would all ring at the same time.

          But issuing a # command on a handset, you can tell the provider that this is the "primary" device and SMS should be sent to it - SMS only gets sent to the "primary" device.

          So a hacker just needs to get the carrier to issue a secondary card and, once they have received it, they can issue the # command and intercept your SMS..

          Given how easily providers give out new SIMs, this isn't hard. Some will even send it to an alternate address, otherwise the hacker just needs to hang around outside your residence and then sign for the mail, when the postie delivers the new card.

    2. A Non e-mouse Silver badge

      Re: SMS messages ... may be ... redirected,

      Can someone tell me how, please ?

      It's been demonstrated that abusing the SS7 protocol (which underpins carrier level interconnects) can achieve this - and a lot more.

      See www.cellusys.com/2015/10/20/8-ss7-vulnerabilities-you-need-to-know-about/ for example.

  3. Pascal Monett Silver badge

    "the statement has had virtually no impact some six months after its announcement"

    Not surprising. In the current social climate, companies must appear to be doing something about security.

    This is something, therefor they are doing it - especially since the competition is doing it.

    The fact that the technology is insecure and deprecated is less important than the polish it gives to the company's image. In time, when another equally-useable tech is developed, there will undoubtedly be a move toward that new tech, but this is Good Enough For Now - from the company's point of view..

    1. Dr. Mouse

      Re: "the statement has had virtually no impact some six months after its announcement"

      "This is something, therefor they are doing it"

      This.

      Unless it is going to affect their bottom line, companies don't care about security. They will, at best, risk assess the available options and choose the one which gives them the most profit. At worst, they will choose the cheapest option, and say "We haz securitiez!"

      However, there is also another thing they must deal with: Users. The normal user doesn't care enough to understand, they want convenience. This is why most don't use strong or multiple passwords, they want to be able to log in easily, without all the hassle. If they must use a 2FA system, they want the easiest, and a text message is often the simplest for them.

      Finally, there are additional hurdles. For example, not everyone has a decent data bundle. If they must rely on an internet connection on their mobile for 2FA, but have only limited data, they would probably have to turn data on just to log in on another device. A text message, however, will "just work". I expect this is more of a problem in "poorer" countries, but I know of many people this applies to here in the UK.

      Phew, that turned into a bit of a ramble.... Not even certain what my point was any more lol.

      1. Charles 9 Silver badge

        Re: "the statement has had virtually no impact some six months after its announcement"

        And what about those for whom SMS is the only possible second factor? Otherwise, you have to lump them with the numerous people WITHOUT a second factor.

        1. Anonymous Coward
          Anonymous Coward

          Re: "the statement has had virtually no impact some six months after its announcement"

          It seems the problem is weak and reused passwords. In that case, adding a few random characters would gain them more security than SMS 2FA anyway.

          1. Peter2 Silver badge

            Re: "the statement has had virtually no impact some six months after its announcement"

            If the problem is scammers getting numbers transferred then surely the mobile phone companies need to send an SMS and snail mail to the original details of the account holder notifying of this, with a 7 day gap between making the request and taking action.

            That'd pretty much eliminate that problem, surely?

            1. Charles 9 Silver badge

              Re: "the statement has had virtually no impact some six months after its announcement"

              But many times the action needs to be done QUICKLY, like within MINUTES. Otherwise, you can just insist they go to a brick and mortar branch. What then when many people don't have a second means of reaching them in that kind of window?

      2. Mr Flibble

        Re: "the statement has had virtually no impact some six months after its announcement"

        AIUI, the likes of Google Authenticator don't require a 'net connection except, occasionally, to ensure time sync.

        1. Charles 9 Silver badge

          Re: "the statement has had virtually no impact some six months after its announcement"

          But that requires an Android phone. What if you have an iPhone or a feature phone?

  4. Anonymous Coward
    Anonymous Coward

    Microsoft uses SMS 2FA

    Microsoft uses SMS 2FA to verify your ID when it locks you out of skype because it doesn't like you continually logging in to different devices over a short period of time. (Testing to prove that my family can communicate whilst avoiding roaming charges abroad... using the locally available free wifi, that is.)

    As an amusing aside, if you are on O2 PAYG, on some tariffs (without bolt-ons) it can be cheaper to call the UK from anywhere in Europe other than from the UK, due to the cap on roaming charges within the EU...

  5. Anonymous Coward
    Anonymous Coward

    I have to say, on my first foray into 2FA I gave up with apps - the services I was looking at all seemed to use different TOTP apps - Duo Mobile, Google Authenticator, Symantec VIP Access, and then a couple (Twatter) only do SMS 2FA anyway. The one thing they all seemed to have in common was that I could use SMS!

    Although SMS is breakable, you're looking at a targeted, likely state-level attack on an individual, in which case you arguably have larger problems (is it coincidence that "Extreme Ways" - the Bourne theme - just came on the office radio as I was typing this!?!?!).

    Although I generally tend to go for the most secure option just out of sheer bloody mindedness, it seemed like SMS was the most straightforward approach which would stop some script kiddie reusing my password (were it disclosed by some means) which is more than adequate for my threat profile (I'm pretty boring. I think. Other than the fact I use a lot of encryption to hide mundane traffic), and which had the lowest risk of me permanently locking myself out of my accounts because I'd screwed it up somewhere!

    I can see that if you were a travelling journo or someone in a sensitive position then you might live with the inconvenience of having a bunch of different 2FA apps installed for your different services, and I gather they're starting to converge, with more services supporting Google Authenticator as a common standard for instance. Until everyone supports one - or at most - two core 2FA apps however, it seems like SMS is probably sufficient for most people, since most people are fighting unauthorised logins by ne'er do wells who will move onto the next password on their list if it doesn't work immediately (the principle of only needing to be better secured than your neighbour) rather than targeted attacks from people with the time, skills, ability and inclination to go after a mark's SMS traffic.

    1. A Non e-mouse Silver badge

      Although SMS is breakable, you're looking at a targeted, likely state-level attack on an individual

      No you're not. Just Google "SS7 Hack". It was even demonstrated on TV.

    2. EnviableOne Silver badge

      Some TOTP App

      TOTP is an standard protocol (RFC 6238), so you can use any TOTP compliant App for any TOTP compliant authentication, all you need is to load the seed data.

      1. Charles 9 Silver badge

        Re: Some TOTP App

        And if they find a way to steal the seed data?

  6. Adrian 4 Silver badge

    Why SMS ?

    The other advantage of using SMS or voice for 2FA is that it gives the verifying company your phone number for use in the usual data collection party. Google presumably already has that if you use an Android, but possibly doesn't like to admit it.

  7. Dan 55 Silver badge

    SMS isn't really two factor

    1. Seal somebody's mobile.

    2. Email's already logged in. Now I know their account.

    3. Go to I've forgotten my password page for their email provider.

    4. Recovery by SMS.

    5. Copy and paste number delivered by message SMS into browser.

    6. Change password.

    Where's the second factor?

    1. rh587 Silver badge

      Re: SMS isn't really two factor

      Where's the second factor?

      If you steal someone's device you're in. If you've got someone's phone (and have broken into it for access to SMS/e-mail), then it doesn't matter if they're using a TOTP auth app or SMS - if you own the device, you've got the crown jewels.

      If we're extrapolating to that point, your only option is a dedicated hardware token which you keep separate from your phone or any device which you use to login or which might contain passwords (aside from when you're actually logging in, obviously).

      1. EnviableOne Silver badge

        Re: SMS isn't really two factor

        if you're not logging on from the phone, the Phone that receives the SMS is the something you have, the password/username something you know.

        But as others have said and NIST seem to imply, as the SMS can be hijacked en route, SMS no longer counts, but this still applies for TOTP which is tied to the device with the correct seed

    2. find users who cut cat tail

      Re: SMS isn't really two factor

      > 1. Seal somebody's mobile.

      OK, still following you...

      > 2. Email's already logged in. Now I know their account.

      ... and now you lost me. There is no e-mail on the phone. The phone cannot send or receive e-mails even if it wanted. It cannot communicate with the computer for with it provides the second factor even if it wanted. It is a bloody phone.

      If you do everything from your smartphone then yes, you are already screwed.

      But I do not understand what is so bad on SMS as the second factor if the primary authentication is via a PC that have to be hacked (or at least sufficiently fooled) completely independently for an attack to succeed.

      And I especially do not understand how *removing* that SMS factor would help me.

      1. Dan 55 Silver badge

        Re: SMS isn't really two factor

        If you've got a dumbphone then it wouldn't help you, but the vast majority of people use smartphones which can be stolen and can have malware installed.

        And that's before some bright spark with your address and your phone number tries it on with your network operator to get a duplicate SIM.

        There needs to be less using SMS 2FA under the guise of getting your phone number and more using FreeOTP. While not perfect it's a step up from SMS.

  8. Chris King

    Why bother trying to redirect the SMS ?

    How many apps ask for access to your SMS inbox and your address book these days, even if they don't really need those permissions ?

    One rogue app, and you can pick up the victim's SMS without even having to interact with the MNO. App stores make this even easier, because users are encouraged to search for an app by name, and unless they check they've picked the right one... bingo, pwned.

  9. David Roberts Silver badge

    USB Dongle as an alternative?

    Thought we were supposed to be disabling all USB ports for security reasons?

  10. 0laf Silver badge

    Good enough security

    Ok it's not true 2FA

    It can be compromised.

    But in the real world does this not still give an appreciable increase in security in a relatively convenient way?

    So ok lets work on something better but don't throw the baby out with the bath water. Take a raik based approach and it might well be that for you, for now, SMS authentication works just fine.

  11. zander

    Require Replies to SMS messages over shortcode

    Companies using SMS for out of band 2FA on transactions should require a reply. e.g. fraud notifications from banks "Did you purchase X for $1,000 from......if yes reply 1, if not reply 2". In an SS7 attack, the attacker may be able to intercept the SMS messages, but they would also somehow have to spoof a reply TO the short code used by the service provider, which would require direct access to the network. That's another huge hurdle for the attacker.

    1. Charles 9 Silver badge

      Re: Require Replies to SMS messages over shortcode

      SS7 attack, maybe, but what about a SIM clone or other SIM-based attack, where the network's on the attacker's side?

      1. zander

        Re: Require Replies to SMS messages over shortcode

        You're correct, this would not be a defense against a targeted SIM clone attack, nor does it address the issue of rampant malware, especially on Android... it simply adds protection against SS7 vulnerabilities. What's so scary about SS7 attacks like the one in Germany attacking 02-Telefonica customers is that this attack can be performed at scale.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021