INDUSTRY
Seeking SMS Authentication Alternatives

It’s a security measure that grates on most of us each time we log into our online bank accounts, but SMS-based two-factor authentication, writes Senior Editor of Security Management Megan Gates, is increasingly vulnerable.

Two-factor authentication is becoming commonplace in login processes. Users need a password and an additional authenticator to complete the login. That often comes in the form of a code sent via Short Message Service (SMS), commonly known as a text message, to a cell phone. The user then enters that code into the Web account he or she is trying to access and is logged in.

Megan Gates is Senior Editor at ASIS International’s Security Management magazine. She joined the Security Management team in 2013 after graduating from Missouri State University with a Bachelor of Science in Journalism.
People started using this authentication method to prevent phishing attacks from being successful. In addition to a password, an attacker would need the code sent via SMS to gain access to the account that he or she was attempting to infiltrate. This preventative measure has been successful in many cases. In May 2019, Google released new research on how adding a recovery phone number to accounts can prevent malicious actors from gaining access to those accounts. “We found that an SMS code sent to a recovery phone number helped block 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks,” wrote researchers Kurt Thomas and Angelika Moscicki on the Google Security Blog. “On-device prompts, a more secure replacement for SMS, helped prevent 100 percent of automated bots, 99 percent of bulk phishing attacks, and 90 percent of targeted attacks.”

But on 17 September 2019, the FBI issued a Private Industry Notification (PIN) warning cybersecurity professionals that the Bureau had seen cyber actors circumventing multifactor authentication through social engineering and technical attacks. The Bureau said that these actors used popular multifactor authentication techniques to obtain one-time passcodes and access protected accounts.

The alert stems from an incident the Bureau became aware of in 2016, when a malicious actor targeted customers of a U.S. banking institution by porting their phone numbers to a phone he owned and operated, a technique called SIM swapping. “The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap,” according to the FBI. “Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned.”

Because the bank perceived that the attacker was calling from a phone number that belonged to a customer, it did not ask the full set of security questions; instead it asked for a one-time code that it texted to the phone number the attacker was calling from, a number that by then routed to the attacker’s own SIM. The attacker “requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application,” the Bureau said.

During the next two years, the FBI saw an increase in complaints about SIM swapping being used to circumvent two-factor authentication. “Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed,” the Bureau
February / March 2020
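The bank’s mistake in the incident above was treating “the call comes from the customer’s number” as proof of identity and then sending the second factor to that same number, so a SIM swap defeated both checks at once. The following Python is an added example, not code from the article, the FBI notification, or any bank: it models the carrier, the number port, and the bank’s verification policy, and places the flawed policy beside a hardened one that ignores caller ID, always asks the full security questions, and refuses to use SMS at all for a number ported within a freeze window. The `Carrier` and `Bank` classes, the phone numbers, the dates, and the seven-day `port_freeze` are all constructed for illustration, and the hardened policy assumes the bank can learn when a number was last ported.

```python
"""Added example (not the article's or the FBI's code): a small model of the
SIM-swap flow the notification describes, with the bank's flawed verification
policy beside a hardened one. Names, numbers and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets


@dataclass
class Line:
    """A phone number as the carrier sees it."""
    number: str
    sim_holder: str        # who holds the SIM this number currently routes to
    last_port: datetime    # when the number was last moved to a different SIM


class Carrier:
    def __init__(self, lines):
        self.lines = {line.number: line for line in lines}
        self.inboxes = {}  # sim_holder -> list of SMS texts delivered

    def sim_swap(self, number, new_holder, when):
        """A customer-service rep re-assigns the number to a SIM the caller controls."""
        line = self.lines[number]
        line.sim_holder = new_holder
        line.last_port = when

    def send_sms(self, number, text):
        """SMS follows the number, so after a swap it lands with the new holder."""
        holder = self.lines[number].sim_holder
        self.inboxes.setdefault(holder, []).append(text)


class Bank:
    def __init__(self, carrier, customers):
        self.carrier = carrier
        self.customers = customers  # customer name -> registered phone number
        self.pending = {}           # customer name -> outstanding one-time code

    def _send_otp(self, customer):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[customer] = code
        self.carrier.send_sms(self.customers[customer], f"Your code is {code}")

    def check_otp(self, customer, code):
        return self.pending.pop(customer, None) == code

    def start_verification_weak(self, caller_id, customer):
        """Flawed policy from the incident: a caller ID matching the customer's
        number skips the full security questions, and the one-time code is
        texted to that same number."""
        if caller_id != self.customers[customer]:
            return "security_questions"
        self._send_otp(customer)
        return "otp_sent"

    def start_verification_hardened(self, caller_id, customer, now,
                                    questions_passed,
                                    port_freeze=timedelta(days=7)):
        """Hardened policy (illustrative): caller_id is accepted for interface
        parity but deliberately ignored, because caller ID is spoofable and
        after a SIM swap it genuinely is the attacker's. The full security
        questions always apply, and a number ported within `port_freeze`
        gets no SMS factor; that case should be routed to a non-SMS factor."""
        if not questions_passed:
            return "denied"
        line = self.carrier.lines[self.customers[customer]]
        if now - line.last_port < port_freeze:
            return "sms_blocked_recent_port"
        self._send_otp(customer)
        return "otp_sent"


def simulate_sim_swap(hardened, knows_answers=False):
    """Attacker ports the victim's number and phones the bank an hour later.
    Returns the outcome of the bank's verification."""
    day0 = datetime(2016, 1, 1)
    victim_number = "+15550100"  # constructed
    carrier = Carrier([Line(victim_number, "victim", day0 - timedelta(days=400))])
    bank = Bank(carrier, {"victim": victim_number})
    carrier.sim_swap(victim_number, "attacker", day0)
    now = day0 + timedelta(hours=1)
    if hardened:
        result = bank.start_verification_hardened(victim_number, "victim", now, knows_answers)
    else:
        result = bank.start_verification_weak(victim_number, "victim")
    if result != "otp_sent":
        return result
    # The text went to whoever holds the SIM now: the attacker, not the victim.
    code = carrier.inboxes["attacker"][-1].split()[-1]
    return "account_takeover" if bank.check_otp("victim", code) else "rejected"


def simulate_legit_customer():
    """Same hardened policy for a customer whose number has not moved: the
    code reaches their own SIM and verification completes."""
    day0 = datetime(2016, 1, 1)
    carrier = Carrier([Line("+15550199", "customer", day0 - timedelta(days=400))])
    bank = Bank(carrier, {"customer": "+15550199"})
    result = bank.start_verification_hardened("+15550199", "customer", day0, True)
    if result != "otp_sent":
        return result
    code = carrier.inboxes["customer"][-1].split()[-1]
    return "verified" if bank.check_otp("customer", code) else "rejected"


if __name__ == "__main__":
    print("weak policy:", simulate_sim_swap(hardened=False))
    print("hardened, attacker lacks answers:", simulate_sim_swap(hardened=True))
    print("hardened, attacker knows answers:", simulate_sim_swap(hardened=True, knows_answers=True))
    print("hardened, genuine customer:", simulate_legit_customer())
```

Under the weak policy the simulated takeover succeeds even though the password, the security questions and the SMS code are all “in place”, because every one of them was either skipped or delivered to the ported number. The hardened policy shows the two separate fixes: caller ID never shortens the identity check, and a recent port disables SMS as a factor entirely rather than trusting that the number still belongs to the customer. The port-freeze window only helps if the bank actually has a reliable port-date signal; where it does not, the stronger alternative the article points to, an on-device prompt or another factor that is not tied to the phone number, removes the dependency on the carrier altogether.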