Two-Factor SMS Authentication Will Not Protect You If Hackers Can Intercept Your Messages


For the sake of simplicity, experts often describe two-factor authentication (2FA) as a system that lets you log in to your account only if you provide something you know as well as something you have.

The thing you know is obvious – the right username and password combination. The thing you have, however, is a different story. With a few exceptions, you don't actually provide something you have with you. You usually enter a temporary code that somehow appears on a device you have. And which device you have with you at all times? That's right, your mobile phone.

SMS and two-factor authentication

Texting the temporary passcode to your mobile phone is an obvious solution. It's quick, it's inexpensive, and for a while, there weren't any other alternatives. To this day, there are numerous online services that offer this kind of two-factor authentication, and many people use it, thinking that it's the most sensible thing in the world.

Security specialists, however, have had their doubts for a while. The thing is, when they voice their concerns, they are often criticized for being overly paranoid, and it must be said that every now and again, the scenarios some of them describe aren't very plausible, especially as far as regular users are concerned. In the case of SMS and two-factor authentication, however, the fears are founded in cold, hard facts about the technology in question, and they shouldn't be dismissed lightly.

SS7 – the ancient technology that we still use to send and receive SMSes

Signaling System No. 7 (SS7) is a collection of protocols that we've used for, among other things, transmitting text messages ever since the first mobile phones came out. The actual protocols were developed way back in 1975, and like any technology that is more than forty years old, they too have proven to have one or two disadvantages.

From a security standpoint, things have been particularly worrisome, especially during the last decade or so. Experts have been talking about SS7 vulnerabilities since 2008, with the first flaws allowing the tracking of victims, and with later discoveries letting crooks forward and intercept calls and messages. In theory, only telecommunication providers should have access to SS7 networks, but in reality, anyone can go to the underground markets and buy tools that would allow them to skim through the flow of information.

As soon as they found the first vulnerabilities, experts declared SS7 inadequate to protect users' privacy and said that something more modern should replace it. Apparently, however, telecommunication providers thought that the threat isn't that serious, and the calls of the security community were ignored. In 2017, the inevitable happened.

The German branch of O2-Telefonica, a European mobile service provider, admitted that some of its customers have had their bank accounts drained after criminals exploited a flaw in the SS7 network. First, the hackers used social engineering to trick victims into installing malware on their computers. Armed with stolen usernames, passwords, and phone numbers, the crooks tried to log into users' accounts in the middle of the night. Then, they intercepted the SMSes with the two-factor authentication codes and successfully siphoned off the money.

In the aftermath of the incident, more people started pushing for a newer technology to replace SS7, but the fact of the matter is that at the moment, we simply don't have an alternative. This, alongside the threat of SIM swapping, makes SMS as a medium for transferring 2FA codes less than perfect. Does this mean that you should not, under any circumstances, ever use SMS two-factor authentication?

SMS two-factor authentication is better than no two-factor authentication

The SMS, especially when it's used for something as sensitive as 2FA codes, has its faults. It must be said, however, that some people get a bit carried away with the warnings. Indeed, SS7 attacks are not just a theoretical possibility, but a fact of life, as customers of O2-Telefonica can testify. This type of crime can only be perpetrated by sophisticated hacking groups who are both highly skilled and highly motivated, though. And contrary to popular belief, there aren't that many of those around. Most of the cybercriminals preying on users have neither the knowledge nor the resources to pull off such an attack. The same goes for SIM swapping.

And in any case, even if they are skilled enough to intercept text messages, by having two-factor authentication enabled, you are, at the very least, making their lives much harder. That's always a good thing.

You should know by now that there are a few alternatives. Two-factor authentication apps like Google Authenticator generate their codes locally meaning that crooks can't intercept them. And if you want to be even more secure, you can always look at U2F authentication tokens.

Even these options are not faultless, but, especially if you're protecting something important like your email or your online banking account, they do a much better job than text messages. Check the 2FA options for all the services you use, and if you can choose something more secure than text messages, make sure you do. Even if SMSes are the only option, you should make sure that 2FA is enabled.

January 9, 2019

Leave a Reply