MFA Post 3: SMS Codes

-

 When most people encounter multi-factor authentication it is through SMS codes, a type of possession proof that relies on possession of a phone tied to a known phone number. These are short text messages sent to your phone with a numeric code that you are supposed to type in addition to your password to log in. The codes are (hopefully) random, and (hopefully) only valid for a short period of time. Typically, they are six digits, but some implementations use words or codes of different lengths. 


SMS Codes are by far the most common implementation of MFA, likely because it is easy to implement and works with something most people have already: a mobile phone. When these first started becoming wide-spread one of the advantages was claimed to be that they worked without a smartphone, but at this point very few people have a phone that can receive SMS codes but that cannot run an app, so that advantage has disappeared. Nevertheless, SMS codes remain widespread. 


Advantages

SMS codes are relatively easy to implement and require only that the customer has a phone with them, which most of us do today. They also are very easy to use. Almost everyone can figure out how to use them. In fact, if the relying party (the thing you are logging into) knows your phone number you don’t really even need to enroll in MFA for them to use it, although they typically ask you first since some cell phone plans still require you to pay for SMS messages. Apple has even simplified submitting them by offering auto-fill for SMS codes in Safari on iOS and MacOS.


SMS codes have an additional advantage that nearly no IdP takes advantage of: they can provide context for the authentication. The vast majority of SMS codes are delivered in a message like this:


1 of 2

Here is your code: 123456

Please note that this message may incur additional charges from your mobile phone company. You are solely responsible for these

2 of 2

Charges


It is possible to include information that would provide some useful context in the message. For instance, if you are looking at a login screen for your bank and get the SMS code in a message that looks like this you may think twice about using it:

Thank you for initiating a transfer of $10,000 to a bitcoin wallet with identifier NorthKoreanHax0r. Here is your code to complete this transfer: 654321.

This is an example of something called “step-up authentication”, which I will talk about more in a later article. The point here is merely that the service could actually provide some useful context for why you are getting this code.


There are three main types of attacks against user accounts today: phishing (and related man-in-the-middle attacks), credential stuffing, and password guessing (sometimes called a password spray). In a later article, I will talk more about each of these, but for now, we just need to know some basics. Phishing is where the criminals fool the user into submitting their authentication claims to a fake site controlled by the attacker. Credential stuffing is where the criminals use username/password pairs stolen from somewhere else and try them against a particular service. Password guessing is where they simply try some small number (usually 10-15) common passwords to see if they work. 


SMS codes do erect barriers against credential stuffing and password guessing. The criminal would have to capture an SMS code in addition to having or guessing the correct password. There are stronger protections that can be used but it is disingenuous not to recognize that SMS codes do offer some protection against those threats. 


Disadvantages

Where to start? There are so many disadvantages to SMS codes. First, they can be intercepted with relative ease. The underlying system that delivers SMS messages to your phone was designed in 1975 without many security considerations in mind. It was designed for phone companies, and they are a lot more interested in accurately being able to bill you than in your security. In the original protocol, while your phone authenticates to the cell phone tower, the cell phone tower doesn’t authenticate to your phone. Although this was addressed in 3G, it is possible for an attacker to downgrade to a vulnerable protocol. Consequently, for a few hundred dollars, an attacker can build a fake cell phone tower - an IMSI-Catcher - and relay your signals. Owing to other protocol vulnerabilities they can then read your SMS codes, along with any other SMS message you send or receive. 


Next, as implied above, the fact that you are getting a code to log into a particular site does not mean you are actually at that site. SMS codes do not really mitigate phishing attacks. They only mitigate offline phishing attacks. If you are staring at a phishing page that just captured your password, the attacker could very easily submit it, trigger the SMS code, and ask you for that as well. At that point, they have everything they need to log into the legitimate site. This is sometimes referred to as SMS Phishing, or smishing. 


Consider the message above. It does not even tell you where it is from. Most companies that use SMS codes use a service for them, meaning that the codes for multiple companies come from the same number. For instance, Marriott, Schwab, and United Healtcare all send messages from the same number. This is probably a minor issue, but could cause user confusion.


Finally, phone companies have a checkered history of protecting your phone number. A friend called me once and asked for help in getting his email account back. A criminal had contacted customer service for a top-1 mobile phone carrier, convinced them they were my friend, further convinced them that they had lost their phone and bought a new one, and gotten the phone company to register their SIM card (Subscriber identity module card - the little smart card in your phone that identifies your phone to the phone company) to his phone number. Because he had configured SMS MFA on his email account the attacker was then able to request a password reset for his email account. The only authentication claim the email provider requested for this (because of how he the account was configured) was an SMS code. As the attacker now controlled the phone number the code was sent to their phone, not his. This is referred to as a SIM Swap Attack. 


These types of attacks are quite common and although phone companies have taken steps to address them they still keep happening. Most carriers now offer some kind of port-out protection for your account. They may also offer PIN codes. You should contact your carrier and see what options they offer. 


While most security professionals, myself included, disparage SMS codes, some go so far as to argue that SMS codes offer a false sense of security. There are far superior, i.e. more secure, options, but technically superior technology is often shunned in favor of the one that more people can actually use. This is definitely the case with SMS codes. Therefore, in spite of all their weaknesses, I stand by my claim that if it is the only MFA solution offered, you should use it. Any MFA is better than no MFA. 

Comments

Post a Comment

Popular posts from this blog

U2F, FIDO2, and Hardware Security Keys

-
  In our journey through possession proofs we have encountered hardware factors of various kinds. HOTP and TOTP is often implemented as hardware devices, and of course, so are Smart Cards. In this post we will look at authenticators that implement the FIDO standards -  U2F, WebAuthn, and CTAP2. WebAuthn and CTAP2 are collectively part of the FIDO Alliance ’s FIDO2 protocol suite. U2F and UAF are older FIDO protocols that are supported under FIDO2. They can all be thought of as being part of the FIDO2 suite of protocols.  To understand these protocols, and their advantages and disadvantages, we need to be familiar with the three fundamental actors: Relying party (RP) - Also known as the server. This is the service that a user wishes to log into. Client - This is the application that brokers the authentication from the relying party to the authenticator and eventually the user. Much of the time, this is a web browser, but it could be any application. Authenticator - This is a thing tha
Read more

The Busy Executive’s Guide to Personal Information Security

-
Congratulations. As an executive you are the favorite target of ne’er-do-wells across the world. They will spoof email messages to staff and business partners in your name. They will try to hack your corporate account, your bank account, your email account, and your phone. In addition to hundreds of messages per week from semi-legitimate vendors who want to sell you their most recent search engine optimization snake-oil you will also get a variety of Word documents, PDF files, and PowerPoint presentations, most of which are laden with malware. If this sounds depressing, it is. It is the world of Information Security. There are ways to protect yourself, however. This document will tell you the most important things you can do. 1. Patch Your Stuff! The first thing you need to do is to patch. Software and hardware vendors provide regular security updates to fix security bugs. Or, rather, the reputable ones do. The first step is to use devices and software that provide timely and reliable
Read more

Single Sign-On

-
There are two kinds of organizations. Those that manage their single sign-on (SSO) system, and those that let their users manage their SSO. The other day I was in a discussion with a number of security leaders about how important identity management is to your security strategy. Obviously, everyone agreed that identity is very important. After all, if you don’t have a strong identity strategy pretty much no other component of your strategy will be strong. There is a reason that the first function of the NIST CSF is Identity.  However, the discussion then turned to SSO and whether it didn’t constitute putting all your eggs in one basket, and whether doing so is a good idea. Yes. SSO does constitute putting all your eggs in one basket. But, that is a good  thing. Why? Because you, as a security leader control  that basket. You know where it is. You know how it is configured. You have already required strong multi-factor authentication (MFA) on it. (You have right? If not, stop reading th
Read more