Slashdot Mirror


Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com)

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"

25 of 102 comments

  1. All SMS-based 2FA Systems should use Signal by Anonymous Coward · · Score: 5, Insightful

    End to end encryption easily solves this and other problems related to government spying.

    First of all, these are not cellular network "vulnerabilities." These are "features." And these "tools" are not Proof-of-Concepts for finding weaknesses in the networks. They are "products" that are sold to government for the purpose of spying on YOU and ME.

    1. Re:All SMS-based 2FA Systems should use Signal by AmiMoJo · · Score: 2

      Why even bother trying to transmit the code? Just use time based codes.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:All SMS-based 2FA Systems should use Signal by bobbied · · Score: 2

      SS7 ISUP, yes, is very old. Other parts of SS7 are not so old. In fact, SS7 allows you to extend it to do custom things and pass vendor specific data in proprietary formats, and many vendors have done this. Some SS7 extensions fell into common use, others didn't. But SS7 has been changing a lot over the last few decades as voice and data services have evolved and many proprietary extensions have become commonly used.

      Most of this advancement though has pretty much ended at this point. These days the whole industry is sliding into VOIP services and the signaling protocols that support it. SS7 is still commonly used where the POTS network meets a VOIP carrier but that use is obviously not ideal and SS7 is thus dying out, slowly.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  2. Apps by Anonymous Coward · · Score: 4, Funny

    Only LUDDITES use text messages for two-factor authentication. Modern app appers app authentication apps for authentication through apps.

    Apps!

    1. Re:Apps by GameboyRMH · · Score: 2

      You joke, but it sounds like you're describing 2FA apps :-P

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  3. Re:bank? by Anonymous Coward · · Score: 3, Funny

    No. I mean, you might have your account drained of all money, but your bank would be just fine.

  4. This is two-step, NOT two factor by imp7 · · Score: 2, Interesting

    Why do we keep seeing this being reported incorrectly by security "professionals"? Using SMS has always been two STEP, not two factor. You need to use the correct words describing a system if you are going to rag on that system.

    1. Re:This is two-step, NOT two factor by TheRaven64 · · Score: 4, Insightful

      SMS is intended for two-factor authentication when the phone is a thing that you have and is separate from the thing that you know. The problem that TFA points out is that 'having the phone' and 'being the only one who can receive SMS to that number' are not even slightly the same thing. The other problem is that an increasing amount of stuff is done on the phone, so the phone stops being a separate 'something you have' and is just your terminal, which is as likely to be controlled by the attacker as any other terminal (probably more so, given how many run unpatched operating systems with known vulnerabilities).

      --
      I am TheRaven on Soylent News
  5. Serious Threat...minor chances by Lucid7 · · Score: 2

    This is just a rehashed article from over a year ago. Same exact examples are referenced. That SS7 site on tor has been reported a few times now as being fraudulent. The bitcoin wallet on there had like 2 transactions into it. This is a serious threat for sure but they are grossly overestimating the effects of this in the wild. It's not exactly 'easy to attack SS7' for the non telecom enthusiast. If it was, people would be selling the service and telecom would've moved on by now.

    1. Re: Serious Threat...minor chances by fubarrr · · Score: 2

      The exact same attack "false roaming request" has been in the wild since 2003 or 2004. Literally millions of people lose money due to having their phone number hijacked and being used to send SMSes to paid numbers.

      Same trick is being used by Russian spies to regularly steal online accounts of European politicians.

  6. Re:bank? by nine-times · · Score: 3, Insightful

    Basically SMS isn't secure, and shouldn't be treated as a method of securely transmitting data.

  7. Re:Lol by GuB-42 · · Score: 2

    Google may be savage but Google is legal.
    Google won't empty your bank account without your permission, Google won't ask you for a ransom, Google won't use your computer as a proxy for all kinds of illegal activity.
    That's also why it is better to be in debt to a bank than to the mafia, no matter how savage banks are. Sure, debt collectors are annoying and they may take your house but at least your life will be safe and you won't be mailed body parts of family members.

  8. stop using your primary phone by Anonymous Coward · · Score: 2, Interesting

    If you're paranoid or actually at risk of being hacked, buy a burner phone and use that for your 2 step authentication.
    Nobody can social engineer or cell tower hack your number because they don't know it.

  9. Still better than password only by MightyYar · · Score: 5, Insightful

    So... still better than password-only. That's probably good enough for my purposes.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Still better than password only by Solandri · · Score: 5, Insightful

      No, it's worse than password-only. If your account is only protected by a password, then there's no password recovery. You forget your password and you're locked out of the account, permanently. OTOH that means anyone trying to get into your account has to guess/know your password in order to get in.

      With this SMS intercept exploit, they can get into your account without knowing your password.

      You're thinking of using a SMS in addition to your password in order to login to an account - i.e. 2FA. Yes in that case it's better than password-only (unless it lulls you into picking a poor password because you think you're being protected by the SMS). But that's not what this exploit is about. It's about resetting your password by intercepting a SMS that was supposed to go to your phone. The SMS is used to bypass your password, not to augment it. (In your defense, TFA conflates the two as well, leading to the confusion.)

      In other words, it's stupid using 2FA to login, if your password reset procedure is 1FA. Attackers will simply ignore the stronger security to target the weakest link - the 1FA step.
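
The weakest-link point above, as an added example that is not part of the comment or of the original page: a small audit over a constructed model of the Gmail and Coinbase accounts from the story, computing which accounts fall when the only thing an attacker holds is the victim's SMS traffic. The factor names and the contents of each login and recovery path are assumptions for illustration, not the services' documented flows.

```python
# Constructed model of the Gmail -> Coinbase chain from the story. Factor
# names and the exact contents of each path are assumptions for illustration.
SMS_BASED = {
    "gmail": {"login": [{"password:gmail", "sms"}],
              "recovery": [{"sms"}]},
    "coinbase": {"login": [{"password:coinbase", "sms"}],
                 "recovery": [{"account:gmail", "sms"}]},
}
# Same accounts after removing the phone and using an authenticator app or
# recovery code, as the quoted report recommends.
APP_BASED = {
    "gmail": {"login": [{"password:gmail", "totp:gmail"}],
              "recovery": [{"recovery_code:gmail"}]},
    "coinbase": {"login": [{"password:coinbase", "totp:coinbase"}],
                 "recovery": [{"account:gmail", "totp:coinbase"}]},
}


def downgrades(accounts):
    """Accounts whose cheapest recovery path needs fewer factors than login."""
    return [name for name, p in accounts.items()
            if min(map(len, p["recovery"])) < min(map(len, p["login"]))]


def reachable(accounts, attacker_has):
    """Fixpoint: which accounts fall, and by which path, given these factors."""
    held, taken, changed = set(attacker_has), {}, True
    while changed:
        changed = False
        for name, paths in accounts.items():
            if name in taken:
                continue
            for kind, options in paths.items():
                hit = next((req for req in options if req <= held), None)
                if hit is not None:
                    taken[name] = (kind, sorted(hit))
                    # Controlling an account lets you set its password and
                    # receive reset mail sent to it.
                    held |= {f"account:{name}", f"password:{name}"}
                    changed = True
                    break
    return taken


if __name__ == "__main__":
    print("recovery weaker than login:", downgrades(SMS_BASED))
    for label, model in (("SMS", SMS_BASED), ("app", APP_BASED)):
        print(label, reachable(model, {"sms"}))
```

Counting factors per account flags only the mail account here; the second account has a two-factor recovery path and still falls, because one of those factors is control of the first account.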

    2. Re:Still better than password only by MightyYar · · Score: 2

      Replying to myself. Apparently Google discontinued the secret question method so honestly I have no idea what happens when you try to recover your account and I'm not in the mood to try it :)

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:Still better than password only by apoc.famine · · Score: 2

      But you're not considering security through obscurity. And while we all know that's a bad idea, there is still significant overhead when it comes to knowing enough about my personal details to break into my banking website. In no particular order:
       
      What bank do I use?
      What is my login to that bank?
      What phone number do I use?
      Do I have 2fa using text turned on?
       
      An attacker needs to know all of that in order to leverage this sort of attack. Even getting into my email requires the phone number when accessing it from an unknown device, which would be the fastest way to find my phone number. Malware that gets access to my email would be able to turn it up, but running Linux plus NoScript, I think I'm pretty safe.
       
      Outside of compromising my email account, I'm not sure how someone would piece together enough of this information. I don't tend to post my cell number anywhere, and I don't tend to go to the physical bank very often. My login for my banking website is not a logical first.last or anything like that, so it's not really guessable. And by the time they guessed the password to my stolen phone I'd have disabled it anyway.
       
      Outside of a targeted spear phishing attack, how do you anticipate that an attacker would get all this info?

      --
      Velociraptor = Distiraptor / Timeraptor
  10. 2FA with SMS is not about security by Carewolf · · Score: 4, Insightful

    It is just an excuse to harvest your phone number.

    1. Re:2FA with SMS is not about security by swillden · · Score: 2

      It is just an excuse to harvest your phone number.

      For what purpose?

      Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting. Moreover, knowing people's phone numbers really isn't all that useful. I suppose there may be some rare situation in which it could be used to correlate information from various sources to create a more comprehensive dossier, but I can't think of a single such scenario where there wouldn't be other data elements that could be more easily and reliably used for the correlation. I guess there may be some organization out there who would sell your phone number to telemarketers, etc., but none of the organizations I deal with that use 2FA would do that. Do you have any examples of some that would?

      From a security perspective I've been uncomfortable with SMS-based 2FA for a long time. I still have it enabled on a few accounts either because no other option is offered (none of the banks I use have anything other than SMS), or because I want to have SMS as a backup option, even though it's not the one I use most of the time. This research makes me think that I should stop using it as a backup, and just make sure I'm sufficiently covered in other ways.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  11. Is there any good form of authentication. by jellomizer · · Score: 2

    There is always a way in. For Apple's Face ID that states there is a 1 in a million chance of breaking it. That means there are probably over 6,000 people in the world that could get into your phone with their face alone. And being that close relatives and people with similar genetics often live closer by, so some of these 6,000 people may be rather close.
    Humans actually make worse assumptions when granting access to security. They can often be conned into thinking you are someone who you are not rather quickly. Being most effective hacks are social hacks where someone actively gives the bad guy access to their computers.
    Using text as part of the two factor authentication isn't as bad as most. Being that most security problems don't come from someone hacking into your account, but getting in the backdoor and getting your info that way. So the two factor with the text is probably good enough for rather secure methods to protect your account for sites that they wouldn't bother targeting just you. Just because if they stole a password table they wouldn't spend the time trying to hack the text response if they have a million more passwords to try.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  12. Re:bank? by bws111 · · Score: 2

    What is that even supposed to mean? The FDIC doesn't protect the bank against anything, it protects you in case your bank becomes insolvent. It does not protect you or the bank from fraud, robberies, or anything else.

  13. Re:bank? by TheRaven64 · · Score: 3, Informative

    Part of the problem with that logic is that people use SMS as a second factor when the client is the phone. In that case, it's just a second channel. It's hard to compromise both the SMS and the IP channels, unless you've compromised the endpoint, and that's one of the use cases where 2FA is supposed to actually help: if someone has malware on your computer, needing your phone to log in limits the damage that they can do. If someone compromises your phone, then needing your phone to log in gives them complete control.

    --
    I am TheRaven on Soylent News
  14. Re:bank? by lifeisshort · · Score: 2

    How about automated voice calls? Are they any more secure - my bank offers me a choice between text and voice call.

  15. Practicality by bradley13 · · Score: 2

    The thing is: Using texts is a lot better than nothing.

    The other thing: Using texts is practical. I just had my phone die, with all sorts of authenticator apps on it: for Google, for my credit cards, for my bank, etc. To get those all replaced is an absolute PITA. Whereas anything using texts was automatically moved to my new phone, just by moving the SIM card.

    Security has to be practical, or people won't use it. Texts are very practical. Instead of encouraging people to do something else, why not improve texts? Just as an example, how about if texts were encrypted ("Signal" or some similar protocol)?

    --
    Enjoy life! This is not a dress rehearsal.
  16. Just trust them- they're not evil, they say so by Geoffrey.landis · · Score: 2

    Red herring.

    Your entire post is a red herring. You're basically saying "I don't think they'd do anything bad because we can trust giant corporations."

    You haven't put forth any reason to think that, you just do.

    I don't. The entire history of the web tells us that you can't trust corporations with personal information.

    And, I really don't care whether they gave my number to Rachel at Card Services (and everybody else in the world) because of a data breach or because they sold it. That's a distinction without any difference to me.

    --
    http://www.geoffreylandis.com