
Why those who use SMS as an authentication method are always guilty


Using SMS as a system for authenticating users is not only anachronistic but also an absolutely reckless practice. Moreover, of all the ways of handling two-factor authentication (2FA), SMS is the most popular and the least secure. We already said so in 2019 when discussing safer ways to verify a user's identity in multiple steps.

SMS-based two-factor authentication is, however, perhaps the least severe scenario in absolute terms. Far more dangerous are SMS-based password reset, account registration and account recovery mechanisms.

Why the use of SMS as an authentication mechanism is strongly discouraged

Using SMS to authenticate users and verify their identity is extremely risky. SIM swap attacks have grown year after year precisely because attackers seek to receive the confirmation codes that various platforms (including, unfortunately, some online banking services) send via SMS to the victims' phone numbers.

Despite the efforts of AGCOM and other European authorities to combat the phenomenon, many groups of malicious actors try to gain control of someone else's number, also by exploiting the vulnerabilities inherent in the SS7 protocols used in telecommunications networks. The goal is to divert SMS and calls to SIMs other than those of the legitimate owners, sometimes with the connivance of disloyal employees of some small telecommunications operator whose registered office sits in a sovereign state with no ties to other countries.

The new rules on number portability and SIM swapping aim precisely to reduce the chance that SIM swap attacks will actually succeed. But it is still not enough.

Unfortunately, SIM swap attacks continue to find fertile ground because many leading companies have still not abandoned the crazy idea of using SMS to confirm access to accounts or to confirm a password reset. It is even more worrying that some credit institutions still rely on this mechanism.

SMS are like postcards: anyone can read their contents

Remember the old postcards that were once sent by post from one's holiday destination (some people even sent them after returning from holiday...)? SMS messages are much the same: they are easily intercepted with a SIM swap attack and are vulnerable to MITM (man-in-the-middle) attacks, often carried out by cybercriminals with the support and mandate of compliant governments.

SMS messages are sent in clear text: anyone who can reach them can read their content. It is simply not a messaging technology designed to guarantee the confidentiality of the texts exchanged between one terminal and another.

What should companies do?

Businesses should not allow their customers and users to access accounts or reset passwords via SMS. Furthermore, they should seriously offer safe alternatives: for two-factor authentication, for example, they should always offer more secure options such as FIDO2 keys, biometric authentication, or apps that generate short-lived one-time passwords (OTP codes).

The widespread adoption of SMS as an authentication mechanism has been a senseless choice by companies, one that puts their customers' safety at risk. It is time for the companies concerned to take a stand, abandon this dangerous practice and adopt more secure solutions to protect users' digital identities.

Spencer Dailey, in his post entitled “Companies embracing SMS for account logins should be blamed for SIM-swap attacks”, also names Apple, Dropbox, PayPal, Block and Google, alongside other companies.

The expert also comments constructively on the inertia of institutions and operators who, for at least 10 years now, have still not agreed on strengthening telephony protocols such as SHAKEN/STIR, which would not only help combat SIM swapping effectively but also block spam calls when the caller's number is not genuine and, often, does not even exist.

In Europe, thanks to the SIM Verify initiative, companies that rely on SMS can at least check whether a SIM has recently been transferred. That is something, but it still does not solve the root problem.

Opening image credit: iStock.com – PeopleImages
