The latest “religious war” brewing in the information security community seems to center around whether or not SMS text messages should be used to deliver one-time passwords (OTPs) as a method of multi-factor authentication. Oh, for the days of emacs and vi!
Two recent news stories have contributed to the increased chatter around this issue. Google claims that they’ve seen no successful phishing attacks against their 85,000 employees since early 2017 when they migrated away from OTPs as a second authentication factor and switched to physical security keys. And, forum website Reddit recently discovered a breach and claims that the attacker was able to steal administrative credentials by intercepting the administrator’s OTP that was sent via SMS.
Opponents of SMS-based MFA believe that this act – obtaining OTPs sent via SMS – is trivial in 2018. Let’s examine some of the methods that attackers can employ to accomplish this.
The most common method of attack is called “SIM jacking”. An attacker can contact the target’s cell provider, claiming to be the target, and convince the provider to switch the target’s phone number to a new SIM card, one that’s loaded in a phone the attacker possesses. They are then able to receive the target’s text messages and phone calls. Similarly, a “porting” attack involves contacting a different cell provider than is used by the target, and asking the provider to port the target’s number to that service.
A more complex attack can be conducted against the Signaling System 7 (SS7) infrastructure used by different telcos to interact with each other. An attacker with access to this infrastructure – not an easy feat by any stretch – could intercept text messages and record phone calls.
Finally, malware loaded on a mobile device that can intercept SMS messages, and deliver them to the malware’s operator, has been around for years. Often it is distributed as a part of a legitimate-looking application, as was the case with the Perkele and Pincert malware families.
If you’re an individual concerned about protecting access to your accounts, should you be worried?
Somewhat. Certainly, there are ways to intercept SMS messages. Most require concerted effort by a human attacker, though, and while this obviously occurs, it’s far from as likely as the opportunistic attacks that we see most individual home users dealing with. Put simply, most people won’t find themselves targeted specifically for this type of attack, unless there’s a cybercriminal or nation-state dedicated to gaining access to their data and systems.
(For my own personal security, I trust SMS-based OTPs for some websites and applications that don’t handle my financial information or any personal information beyond my email address. For all others, I use stronger controls, such as physical keys and authenticator apps that generate OTPs only I can see.)
Enterprises have a different set of use cases, though, than individuals. Tasked with protecting access to business-critical applications, sensitive data sources, and privileged accounts, enterprises must make different risk calculations than home users. Deploying MFA in the enterprise requires the rollout and administration of authentication applications, management of keys for individual users, and integration with existing directories and user-facing services like the helpdesk.
Security teams in these circumstances may consider a mix of tools and products. One of our guiding principles in designing security architecture is that the complexity of a given security control is likely to grow in proportion with the criticality of the asset being protected, or the severity of the risk in question (or both). Applied here, the simplicity of using SMS 2FA may not outweigh the risk of a targeted attack that would expose SMS-based OTPs, and therefore would not be sufficient to protect access to critical applications or elevated privileges. While managing hardware keys adds overhead and complexity, it does reduce the risk of compromise of credentials by guaranteeing a more effective second factor.
A variety of solutions beyond SMS-based OTPs and hardware keys exist, though. CBTS partners with vendors like Duo Security, Microsoft, and RSA to help sort out the right approach for enabling MFA in an enterprise. We’d love to help you figure out the most effective path forward.