SMS = Security Mislaid Service

Stop using SMS (Short Message Service) to deliver one-time passcodes for two-factor authentication


Text messaging (SMS) based authentication is one of the weakest links in securing anything online, and using SMS as a second factor is no longer considered safe. The National Institute of Standards and Technology (NIST) Digital Identity Guidelines (SP 800-63B) treat SMS as a restricted out-of-band authenticator and warn against relying on it as a strong authentication method. Google and other leading online services have either moved, or are in the process of moving, to prompt-based authentication. So why is SMS not safe anymore, and what should we use instead?

Before we jump into why SMS authentication is not safe anymore, let’s go over what two-factor authentication is and why everyone should use it if it’s offered.

Two-factor authentication (a special case of multi-factor authentication) is a method of access control that requires two or more different factors of authentication. Five factors are commonly distinguished: something you know, something you are, something you do, something you have, and somewhere you are. A password is a “something you know” factor; a fingerprint is a “something you are” factor; a one-time code from a device only you possess is a “something you have” factor.

Everyone should use two-factor authentication because it adds a second, independent layer of security: even if your password is compromised, an attacker still needs your second factor to get in. However, the strength of that layer depends on the channel it uses, and SMS-based two-factor authentication will not make your account(s) hackproof.

SIM swapping is a widely used method of hijacking SMS-based authentication codes. Mobile network providers employ thousands of people in their stores and service delivery centres, and any of them can be tricked or bribed into porting a victim’s number to a SIM the attacker controls. Still, getting a SIM swapped takes time and effort.

More recently, commercial SMS services have been shown to reroute text messages intended for other mobile users without their knowledge, and these services are easy to sign up for. One such service is Sakari, a bulk business SMS provider.

Extract from Sakari’s homepage:

Cloud-Based Text Messaging Service

Sakari is a business text messaging service that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns.

A simple Google search turns up hundreds of such SMS service providers, and using a service like Sakari requires no technical knowledge or security expertise. Vice’s Joseph Cox had his own text messages rerouted this way (with his permission, for testing), and his accounts on Bumble, WhatsApp, and Postmates were compromised through Sakari’s service.

Joseph Cox writes:

I didn’t expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.

Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.

Given how broadly fraudsters can abuse this and other weaknesses in the vast mobile ecosystem to completely subvert the security of SMS-based communications and multi-factor authentication, a few recommendations:

  1. Remove your phone number from your online accounts wherever you can, and avoid selecting SMS as the channel for your second factor or one-time codes.
  2. Secure the online accounts you value with a unique, strong password and the strongest form of multi-factor authentication available. Usually this means a mobile app such as Microsoft Authenticator, Authy, or Google Authenticator that generates a time-based one-time code on the device itself, so no code ever travels over the mobile network.
  3. Some sites, including Google, Twitter, and Facebook, now support even more robust options such as physical security keys. Google also lets a phone running Android 7.0 or later act as a built-in security key for multi-factor authentication. Other physical security keys to consider are Google Titan or any other FIDO (Fast IDentity Online) certified key.

At the end of the day, the goals are simple: safety and security — Jodi Rell

Cyber security professional at heart, enabling enterprises to transform digitally with effective security practices in place.