Lee Suker from XConnect explains the vulnerabilities of SMS ‘One Time Passwords’ (OTP) that enable a wide variety of use cases from signing up to new Internet services to confirming financial transactions. The battle for security is a constant one, and must be fought effectively. Operators and the mobile ecosystem are responding to the threat by making investments in solutions and collaborating on best practices.
There is significant fear, uncertainty and doubt with regard to the vulnerabilities of SMS OTP. However, I question whether the risk associated with known exploits is greater than the risk of shifting investment to other methods of 2FA (two-factor authentication). The weaknesses in SMS OTP are being mitigated, while the vulnerabilities of other 2FA tools may lie undetected or secret.
There have been some recent well publicised SMS OTP breaches associated with the fraud type known as SIM SWAP and SS7 attacks.
- SIM SWAP attacks result in the victim’s telephone number being hijacked by an attacker. The attacker is likely to have socially engineered the victim’s mobile operator in order to get a new SIM (associated with the victim’s telephone number) issued to the attacker. This is not a technically sophisticated attack and can be prevented by strong customer authentication procedures either in-store or at the call-centre. Third party enterprises using SMS OTP can also reduce risk by using SIM-swap check services available from some telecommunications data providers.
- SS7 attacks result in the victim’s SMS being intercepted. These attacks rely on the limited access controls of the SS7 network and on vulnerabilities in SS7 MAP methods. The vulnerabilities result in the home network believing that the victim is roaming when they are not. Messages, calls and packet data are then sent to the attacker’s equipment rather than to the victim. This is more difficult for the victim to detect, since they will still be able to send messages, and it is a technically sophisticated multi-stage attack. Key to it is the criminals’ ability to harvest important fixed identifiers, such as the IMSI (International Mobile Subscriber Identity). The risk is that these identifiers will be harvested and combined with other data to commit crime.
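As an added illustration of the SIM-swap check mentioned above (example code, not XConnect's or any provider's API): a small gate that refuses to dispatch an SMS OTP when the provider reports a recent SIM change, or no data at all, so the service can step up to another factor. `lookup_sim_change` is a hypothetical stand-in for a SIM-swap check service, fed with constructed responses so the example runs offline.

```python
"""Gate SMS OTP delivery on a SIM-swap check (added example, hypothetical API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy: a SIM change more recent than this is treated as a possible hijack.
# SMS OTP is refused and the caller must offer an alternative factor.
SIM_SWAP_WINDOW = timedelta(hours=72)

# Fixed "current time" so the example and its checks are reproducible.
REFERENCE_NOW = datetime(2018, 12, 20, 12, 0, tzinfo=timezone.utc)

# Constructed provider data keyed by E.164 number (hypothetical values,
# using the UK drama number range). None means the provider has no record.
_FAKE_PROVIDER_DATA = {
    "+447700900001": datetime(2018, 12, 1, tzinfo=timezone.utc),        # old SIM
    "+447700900002": datetime(2018, 12, 19, 9, 0, tzinfo=timezone.utc),  # fresh swap
    "+447700900003": None,
}


@dataclass(frozen=True)
class Decision:
    allow_sms_otp: bool
    reason: str


def lookup_sim_change(msisdn: str) -> Optional[datetime]:
    """Stand-in for a SIM-swap check call: returns the last SIM change time."""
    return _FAKE_PROVIDER_DATA.get(msisdn)


def sms_otp_decision(msisdn: str, now: datetime = REFERENCE_NOW) -> Decision:
    """Decide whether an SMS OTP may be sent to this number right now."""
    last_change = lookup_sim_change(msisdn)
    if last_change is None:
        # Fail closed: without data we cannot rule out a recent swap.
        return Decision(False, "no SIM-swap data; require alternative factor")
    age = now - last_change
    if age < SIM_SWAP_WINDOW:
        return Decision(False, f"SIM changed {age} ago; inside swap window")
    return Decision(True, "SIM stable; SMS OTP permitted")


if __name__ == "__main__":
    for number in _FAKE_PROVIDER_DATA:
        d = sms_otp_decision(number)
        print(number, "ALLOW" if d.allow_sms_otp else "DENY", "-", d.reason)
```

Each denial carries the reason so the authentication service can log it and route the user to a different factor rather than silently failing.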
Operators and the mobile ecosystem are responding to these threats. This includes investing in SS7 firewalls and SMS home routing solutions, as well as adopting better practices such as ISO 27001.
Prior to home-routing and SS7 firewall investment, an easy way to get access to the IMSI was a technique called HLR Lookup (the common name for performing the SS7 MAP signalling method SRI_SM, Send Routing Info for Short Message). This lookup returned the IMSI associated with a given phone number as well as the current network connection information. This vulnerability was exploited by criminals and telecommunication fraudsters, but was also used innocently to address number portability needs.
In XConnect’s own research in December 2018, we tested SRI_SM methods against nearly 250 different mobile networks. We found that they had implemented SMS home routing solutions and returned only virtual IMSI, MSC and VLR information. Other ways exist to obtain IMSI information, but to do so would be a deliberate misuse attempt.
Naturally, with all information security it is a game of whack-a-mole.
Good information security management is a process of risk management and continuous improvement and recognition that there will always be some risk.
Mitigating against a vulnerability doesn’t have to include avoiding a particular technology. Moreover, introducing a new or more sophisticated control measure to mitigate against a risk can actually open up new unknown vulnerabilities that might introduce greater risk.
For example, is the confidence we place in the iOS/Android stack and operational processes used to deploy mobile apps misplaced? Is it easier to identify and resolve vulnerabilities with Mobile Networks through industry bodies like GSMA and MEF than it is to deal with secretive organisations like Apple and Google?
Good security also balances convenience and risk.
SMS is certainly very convenient, and I will leave it to others to judge whether there are more cost-effective ways for criminals to make money, especially as mobile operators continue to mitigate these threats with additional security controls.
Future of Messaging Fraud Framework 3.0
The Fraud Management Working Group of MEF’s Future of Messaging Programme is currently developing a series of deliverables, including the Fraud Framework 3.0 and an enterprise education whitepaper to raise awareness of SS7 vulnerabilities.