The Problem with Two-Factor Authentication via SMS

Are you using the services of Gmail, PayPal, iCloud, Facebook, Twitter, Snapchat or Skype? Are you actively using online banking? Then you have the option to activate a security layer called two-factor authentication on top of your password to make your account more secure. Indeed, most banks have used two-factor authentication by default for many years. If you want to authorize a transaction, your bank will most likely send you an SMS containing a short PIN. This SMS PIN is necessary to make any transaction in your account.

The same is true for Facebook, Google, and many other online services: they offer two-factor authentication via SMS as well. Microsoft has even built it into its operating system. If you want to log into your Gmail account, Google will also send you an SMS code to prove your identity.
While two-factor authentication via SMS is indeed safer than using only a password, there is still a problem with the SMS part: it is hackable.

Weakness of two-factor authentication via SMS

Despite SMS authentication it is still possible, and this has been a known issue since 2005, to carry out man-in-the-middle attacks as well as trojan attacks.

Man-In-The-Middle Attacks
If you are using SMS authentication you can still be hacked by a simple trick. An attacker creates a fake bank website which looks identical to the original one. Users try to log in to this fake online banking page using their genuine online banking credentials. Ta-da, the hackers already have your login credentials. They now use those credentials to log in to the real banking page and carry out whatever transactions they want. Victims receive SMS codes from their bank, enter them into the fake page, and ta-da, the hackers have the SMS code as well. This is, of course, a well-known attack, and banks have since added the transaction details to the authentication SMS so that it is easier for us to spot a malicious transaction.
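As an added example (not code from the original post or from any bank), here is what "adding transaction details" can mean on the server side, taken one step further than the post describes: the confirmation code is derived from the recipient, the amount and a one-time transaction id, so a code obtained for one transaction cannot authorize a different one and cannot be used twice. The key, account numbers and function names are constructed for this example. Note the limit of this defence: if a phishing proxy gets the bank to issue a code for the attacker's own transfer and the victim types that code in, it is valid for that transfer; what catches that case is the recipient and amount printed in the SMS, which the customer has to actually read.

```python
import hmac
import hashlib

# Constructed demo key. A real deployment would use a per-customer key kept in an HSM.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def canonical(tx: dict) -> bytes:
    """Fields the code is bound to: recipient account, amount and a one-time transaction id."""
    return "|".join([tx["recipient"], str(tx["amount_cents"]), tx["tx_id"]]).encode()


def issue_code(key: bytes, tx: dict, digits: int = 6) -> str:
    """Bank side: derive the confirmation code from the transaction itself.
    The SMS carries this code next to the human-readable recipient and amount."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class TransactionConfirmer:
    """Bank side: accept a code only for the exact transaction it was issued for, and only once."""

    def __init__(self, key: bytes):
        self.key = key
        self.consumed = set()  # tx_ids already confirmed, so a code cannot be replayed

    def confirm(self, tx: dict, code: str) -> bool:
        if tx["tx_id"] in self.consumed:
            return False
        # Constant-time comparison so the check does not leak how many digits matched.
        if not hmac.compare_digest(issue_code(self.key, tx), code):
            return False
        self.consumed.add(tx["tx_id"])
        return True


def demo() -> dict:
    """Walk through the cases with constructed data; returns the outcomes so they can be checked."""
    bank = TransactionConfirmer(DEMO_KEY)
    intended = {"recipient": "DE00 LEGIT 0001", "amount_cents": 5000, "tx_id": "tx-0001"}
    code = issue_code(DEMO_KEY, intended)  # what the customer receives by SMS

    # A trojan or proxy swaps the recipient but reuses the phished code: rejected.
    swapped = dict(intended, recipient="DE00 MULE 0009")
    altered_rejected = not bank.confirm(swapped, code)

    # The genuine transaction confirms, but only once.
    first_ok = bank.confirm(intended, code)
    replay_rejected = not bank.confirm(intended, code)

    return {
        "altered_rejected": altered_rejected,
        "first_ok": first_ok,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The code is bound to whatever `canonical()` serializes, so any field that must not change between issue and confirmation (recipient, amount, currency, and so on) belongs in that function; a one-time transaction id keeps an accepted code from being submitted again.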

Trojan Attacks
Hackers install a trojan on your PC. As soon as the user logs into the online banking environment, the hackers can make any transaction they want.

Hackers have not been idle since 2005, so they developed methods to intercept and redirect SMS messages. In fact, it is far too easy to obtain a phone number, and the website operator has no way to really verify whether the person who actually receives the 2FA code by SMS is the correct recipient. An SS7 protocol issue makes it possible that, even if your cellular network uses the most advanced encryption method available, hackers can still listen to your phone calls and read your SMS messages. Signalling System No. 7 (SS7) is a protocol suite used by the majority of telecommunications operators. This security flaw makes it possible for hackers to read your SMS messages and listen to your phone calls in real time.

To communicate securely over an insecure channel you simply need to use apps like FaceTime, Signal, Duo, Skype or WhatsApp, as they end-to-end encrypt all your calls and messages.

There are even cases where hackers send out SMS messages pretending to be Google.

Be warned, there’s a nasty Google 2 factor auth attack going around.

— Alex MacCaw (@maccaw) June 4, 2016

But this kind of technical hacking is not the only way to get access to all of your accounts. Attackers can also use a social hack to get into someone's account.

Social Hacking aka Social Engineering

It is not only about trojans and man-in-the-middle attacks. There have been recent cases where criminals used social hacking to get access to all of someone's accounts and even their Mac and PC. Read this story posted on where an early adopter of Bitcoin lost several million dollars because of this attack. Bitcoin and other cryptocurrencies are of course attractive targets for hackers, as Bitcoin transactions cannot be reversed.

Here is the security issue:

To reset your password you don’t need your password. You only need a security code that you receive via SMS. But your password is, in theory, your first factor. So hackers can easily set a new password on their own by using just one factor: the SMS authentication code. You can imagine what they can do with all of your accounts once they have both a (new) password and the authentication code. They can do basically whatever they want.

Why do companies still offer two-factor authentication via SMS to their customers? They still offer SMS authentication because it is the only option for most people. They argue that 2FA via SMS is still better than no 2FA at all.

Now let’s get to the topic of social engineering. Usually, if you think about hackers, you probably think of evil people who send you malicious .exe files via email to intercept your personal data. But this is not the only way to break into someone’s computer or bank account.

By using social engineering, hackers are able to get access to your accounts by tricking the call-centre agent of your cell phone company or your bank with psychological tricks and publicly available data. Social hackers, as I call them, can easily go through all of your data that is publicly available on social networks like Facebook, Twitter, Instagram, LinkedIn, and your personal blog. There they will find information like your birth date, address, or your favourite sports team. After social hackers have collected your personal data, they can call your telecommunications company to reset your PIN or password, identifying themselves with your phone number, email address, birth date, and postal address. Social hackers will, for example, call the call centre as often as ten times until one agent likes their voice, forgets about all the security guidelines and finally sends them a new PIN or password, or approves porting your mobile number. This means that you will soon have no access to your phone and (what the fuck) to not a single account, not even your PC or Mac, because the social hacker can now reset every single password or even mark your MacBook as stolen.

How to Protect yourself

  1. Create long, secure passwords with random numbers, upper and lower case letters and special characters. It is best if you use a password generator like the Norton Password Generator. If you are using DuckDuckGo you can simply type “password 30” or “PW 30” and DuckDuckGo will give you a random password (unfortunately not containing any special characters).
  2. Don’t answer security questions truthfully. If a social hacker sees that you have liked the “LA Lakers” on Facebook, they already have the first answer to a possible security question. If your mother has just tweeted at you on Twitter, well, there is the second answer to your “security” question.
  3. Use one-time passcode generators. Google Authenticator is one example of a time-based one-time passcode (TOTP) generator. TOTP generators produce a new code every 20, 30 or 60 seconds. Many services like Google, Facebook, Dropbox (and more) support these passcode generators.
  4. Use a security key. You can buy a security key relatively cheaply. They use a FIDO industry standard also called Universal Second Factor (U2F). Security keys are physical keys you insert into your USB port or connect to your PC or smartphone via Bluetooth or NFC. You still need to enter a PIN or password, as these devices use public key cryptography. This means that in order to get access to your account criminals first need to steal your physical key (e.g. out of your wallet or key chain) and secondly correctly guess or hack your private key. This is what I would call “bulletproof” safe.
  5. Then you can, of course, identify yourself using biometric data. This means you can use your iPhone, MacBook or Samsung device and log in to applications or online banking using the already existing fingerprint sensor or face-recognition software. When hackers want to get access to your data or account they practically need to steal your device and secondly compromise the biometric sensor.

While all those steps may sound pretty complicated, they are usually very simple to set up and they might save you a lot of money and headaches. Just think about what might happen if hackers get access to all your online banking, your Bitcoin wallet, etc.

Are you currently using two-factor authentication via SMS? Post your opinion about this whole topic in the comments and I will join the discussion!
