What to Do About the Vulnerability of SMS-Based Authentication
Consumers and businesses rely on SMS because of its accessibility and simplicity. However, it’s for this reason that it’s become a relatively easy target for people with bad intentions. Thankfully, there are more secure options available to choose from to ensure user protection and fraud prevention.
It’s become a depressingly common story — a major commercial institution gets hacked and new questions arise about the security of the devices and technologies we’ve all come to depend on and even take for granted. In the most recent case, UK-based Metro Bank confirmed that hackers took advantage of a vulnerability in the way mobile networks process text messages (SMS) to attack some of its customers.
Only a small number of consumers were hit, according to the bank. And none of them lost any money in the attack. That’s because – thanks to two-factor authentication (2FA) used by the bank – the attackers would have also needed the customers’ user names and passwords to do real harm. Still, the incident serves as a warning that although using some form of 2FA is better than not using it at all, relying on SMS for one of the factors does come with risks.
SMS has become a victim of its own success. Consumers and businesses have relied on it for decades because of its universal accessibility and simplicity. But as it often happens with successful technologies, it’s a target for bad actors. Fortunately, with more secure alternatives now available, it’s possible to consider migrating to other options for user authentication.
Exploiting SMS
The vulnerability that affected some customers of Metro Bank has to do with the protocol, or set of rules, that telecommunications companies use to pass calls and SMS messages from one phone network to another. The protocol, called Signaling System 7, or SS7, was first developed in 1975, and wasn’t designed for user authentication.
Even so, in addition to usernames and passwords, many banks and other companies rely on SMS as an additional layer of security for 2FA. The idea is simple. In order to help verify that a user is who they say they are, the company sends a text message with a single-use additional passcode. The user then has to enter the passcode the company sent by SMS, in addition to their usual password, to prove their identity.
However, hackers have learned how, using a computer running the Linux operating system and open-source software for writing code that interacts with SS7, to intercept SMS messages intended for others. Armed with a SMS verification code sent out by a bank and the target’s username and password, a hacker could log into a victim’s account in order to transfer money to themselves.
For example, a hacker could log into a bank website using a stolen username and password. Unable to recognize the hacker’s computer, the bank might then ask them to verify their identity via SMS. Using the SS7 hack, the hacker could then intercept the text, gather the verification code, and use that to complete the login process.
Scary as this type of attack might seem, there are two ways customers and companies using 2FA can protect themselves from it: use an encrypted messaging app, or use seamless 2FA.
Security through WhatsApp
WhatsApp is an example of a messaging app that encrypts all messages sent through its network, making it extremely difficult, if not impossible for hackers to compromise them.
Using WhatsApp to send and receive single-use passcodes for authentication avoids SMS and its potential risks. That’s because each message sent via WhatsApp gets encrypted with a unique locking code that can only be unlocked by the intended recipient at the other end. No third party can decrypt a message, not even WhatsApp personnel.
Now that the WhatsApp Business solution has enabled businesses large and small to interact with their customers right on WhatsApp, the app has become an even more compelling replacement for SMS. But what if users didn’t have to do anything at all to authenticate their mobile devices? That’s the promise of seamless 2FA.
Security through Seamless 2FA
Instead of relying on passcodes for authentication, seamless 2FA uses the same SIM card data that mobile networks use to verify subscribers. In other words, with seamless 2FA, if a user is using their device, they’re authenticated.
Mobile carriers use out-of-band signaling data – data sent on a separate channel from calls and other user data – to verify a phone’s SIM card in the background. Now, companies can take advantage of this capability to authenticate their own users quickly, easily, and securely, without using codes sent via SMS, WhatsApp, or any other method.
tyntec Seamless 2FA – powered by Direct Autonomous AuthenticationTM technology developed by Averon – requires no installation on the part of users. It uses the data coming from the SIM cards already in their phones. That makes all the difference for locking hackers out.
The recent Metro Bank incidents have highlighted the limitations of SMS for 2FA. And with the rise of technologies such as encrypted messaging and seamless 2FA, it may be time to explore other authentication methods.
For more information about tyntec’s authentication solutions with and without using SMS, visit our Authentication page.