In part one of this post, Rob Malcom of Mblox & CLX, explored the recent draft NIST guidelines on digital authentication that suggested the depreciation of SMS based 2-factor authentication (2FA). Here, he sets out his recommendations for businesses, carriers and consumers and his conclusions on the NIST proposals.
Is SMS really non-secure?
NIST outlines two primary concerns, one being very specific to virtual numbers (i.e. numbers not associated with a physical device, such as VOIP or numbers linked to an app), or a physical number that has been configured to be received via an IP service. This includes numbers such as those provided by Skype, or even accessible on iMessage via your desktop.
The concern here is that although these services are not necessarily insecure, they are only as secure as their own access security standard, which in most cases are usernames and a memorised secret which are thus susceptible to remote attacks at scale without triggering a warning to the owner of the number that it has been compromised. I think this is a legitimate concern but we can go a long way in solving this concern by a.) reminding users not to use these services on numbers that are being used for 2FA b.) do a MNP lookup as part of the number validation service to ensure that the number is not a VOIP or virtual number.
The second concern relates to how physical numbers can be intercepted through weaknesses in the SS7 infrastructure. These weaknesses have been relatively well documented by various studies and media articles, but in my view the risks associated with these weaknesses have been significantly overstated in the media due to lack of understanding of the SS7 network and the starting assumptions being assumed as ‘access to the SS7 network that can reach the victim’s network is easy to obtain’.
Their fundamental starting assumptions assume the attacker has –
- the telephone number of the victim. This may seem trivial in a targeted attack but pulling off a hack en-masse would require a mapping of usernames, emails and mobile phone numbers which is not trivial.
- access to the SS7 network. Many of the demonstrations suggest that getting access to the SS7 network is trivial and the attacker has access to this network.
- access to a SS7 network which in turn has signalling reach and/or a roaming agreement with the victim’s home network.
- ensured the victim’s home network does not have protection against this type of fraud and / or not monitoring for it.
- ensured the victim has roaming enabled on their account or this could be manipulated in some way by the attacker separately.
- in-depth SS7/Sigtran expertise and equipment to pull off the hack (probably requires $10k investment to do it properly)
- the ability to coordinate the sending of a 2-factor message during the time window in which the SIM card has ‘roamed’ to the fake network.
- left no evidence and cannot be traced
In order for all 8 points to be satisfied, I would argue that the attacker would need to be a rogue employee inside a carrier with sufficient rights to intercept a message. Gaining access to the victim’s mobile operator SS7 network from the outside (i.e. not from another large MNO network) seems to be as likely as compromising the firewall of the service provider you are trying to hack. Pulling off a hack en-masse involving victims from multiple carriers during a very small time window seems extremely unlikely.
Interestingly Verizon and Sprint are immune to this type of roaming intercept fraud due to the fact that they are CDMA and not GSM networks. As they roll out 4G LTE this may change but as of right now they are probably the most secure as it relates to SMS 2FA. This is roughly 50% of all subscribers. A simple mitigation to this ‘roaming intercept’ risk on the other networks is to perform a HLR lookup of the telephone number before authenticating a user to ensure they are on their home network and not roaming.
The other threat that is commonly cited when discussing SMS security is the relative ease someone can obtain a clone of your SIM card and/or get a customer care agent to reveal the contents of a SMS. While much has been made of the idea that a person can trick a mobile carrier store employee into making a new SIM for an alternate person, this can clearly not be done en-masse and has the high probability of detection, both from the real person having network authentication fail and from in-store records and video identifying the perpetrator. Similarly, getting an inside, technical employee of either a carrier, aggregator, or sending company to access SMS message logs and reveal the contents of a specific message seems highly unlikely at scale or in situations where the goal is to thwart security methods, such as 2FA.
Lastly, it is true that malware can intercept an SMS message on a device (particularly on Android), but one could argue that this is not a weakness of SMS, but rather a weakness of the mobile operating system and/or anti-virus software.
Recommendations to Businesses
- Continue to use SMS 2FA for most typical business applications.
- Consider using other 2FA methods for the most critical, high-security use cases.
- Give users a choice between SMS and TOTP apps in many situations, and as a backup for one another.
Recommendations to Mobile Operators / Carriers
- Block all SS7 access from operators that do not have roaming agreements
- Implement SS7 and SMS Firewalls to monitor and detect for intercept fraud
- Understand threat vectors and constantly mitigate these risks
- Frequently undergo penetration testing to ensure the SS7 network is secure
- Ensure IR21’s are kept commercial confidential and try and use non sequential Global Titles for core network infrastructure
- Work with standards bodies including NIST to better explain the likely risks associated with SMS 2FA
- Allow providers legitimate paid access to HLR lookup (without full IMSI) to ensure that roaming intercept fraud could be determined.
Recommendations to Consumers
- Auto-lock your phone and require passcode or fingerprint to unlock
- Enable 2FA on all accounts with either SMS or TOTP
- Protect device from malware
- Turn on roaming only when you are likely to go abroad
- Determine whether any of your email address(es) have ever been hacked by visiting https://haveibeenpwned.com and never use those passwords ever again
- Use https://howsecureismypassword.net/ to choose a strong password and ensure you use different password and / or email addresses for each service. Remember a 3 word password (e.g. fish.hammer.cake) is orders of magnitude stronger than an 8 digit string of random letters / numbers and far more memorable.
Having personally found my Myspace, Linkedin, Adobe, and Tumblr email and password on the public internet it’s no surprise to me how often this type of simple authentication gets hacked, and why one hack can lead to many others. Use a strong password and ensure you use different password and / or email addresses for each service.
The ease, convenience and ubiquity of SMS in 2FA is our only collective chance of rolling out 2FA across a mass audience any time soon. It offers a sweet spot between simple username and passwords (which are not secure), and the more advanced secure TOTP solutions that exist today.
Businesses should continue to adopt SMS for 2FA for most types of services as this is significantly more secure than not using 2FA at all. For those businesses and consumers that want to take additional precautions this blog offers up a number of mitigations including doing MNP / HLR lookups before each authentication.
It is strongly recommended that the Mobile Operator community work to reduce the risks of roaming intercept fraud, or at the very least, speak out in the media on how well they understand and have mitigated against these risks.
By far the most important outcome is to have every company adopt 2FA in some way, and then encourage all consumers to adopt it. SMS will help with that adoption because; a.) more than 72% of Americans either do not have a smartphone or are unlikely to download and configure a 2FA app, and b.) changing devices without SMS on 2FA enabled services can be time consuming and frustrating for businesses and users alike.
CLX / Mblox
It should be remembered that security is not just about technology, but rather about company policies and processes. In my view weaknesses in this area poses a far greater risk than the weaknesses of SMS in 2FA.
Our overall recommendation to NIST is to NOT deprecate SMS but to continue to advise that SMS for many/most 2FA uses can be used, and recommend ways to increase security when needed, as outlined in this blog. For services that are particularly high-risk or high-loss situations we agree that TOTP or equivalent is a better solution provided that users are likely to adopt it.
Sign up now to MEF’s Mobile Messaging Programme – The Future of Messaging. A cross-ecosystem approach to accelerate market clean-up and advance innovation. Find out more and download the free A2P messaging fraud framework now