“Maybe yes, maybe no, maybe rain, maybe snow.”
The above line was uttered by Beekeeper, the criminal mastermind played by American actor William Shockley in the final scene of “Treasure Raiders,” a guilty-pleasure B action movie starring Russian bodybuilder Alexander Nevsky, Scottish actor Steven Brand, David Carradine (star of the popular 70s TV series “Kung Fu”), and an assortment of other, mostly Russian, actors. It’s one of our favorite flicks around here when we’re tired and want to watch something where we know almost every line by heart so we won’t have to think so much.
It also has almost nothing to do with cybersecurity or the subject of this article, except that it may be timely, perhaps because of the recent cyberattacks reputedly sponsored by the Russian state. But it’s a good way of raising the question of whether using SMS text messages for two-factor authentication (2FA) is a good idea or not. Because in my opinion, the answer is, well, maybe.
Using SMS for 2FA: The good
On the good side is the fact that it’s simple for companies to implement and easy for users to use. Nearly everyone carries a mobile phone nowadays (a feature phone is enough, since SMS needs no app), so texting someone a code when they try to log on to your online service is a cheap way to check that whoever entered the password also controls the phone number on file. Be clear about what that does and does not prove: it ties the login to the number, not to the person or the handset, which is exactly why the attacks discussed below go after the number. Still, if security is not a huge concern but you want to make registrations or logons a little more secure, using SMS for 2FA is not such a bad idea, right? After all, there is always some tradeoff between usability (convenience) and security, and not many users are willing to carry a key fob, or better yet a YubiKey, around all the time.
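What “simple to implement” actually covers on the server side is worth spelling out, because the easy version (store the code in plaintext, never expire it, allow unlimited guesses) is where SMS 2FA implementations usually go wrong. The following is an added example of mine, not code from the article or from any vendor: it issues a six-digit code, keeps only a salted hash of it, expires it, and voids it after a few wrong guesses. The class name, the constants and the injectable clock are assumptions for illustration; the call to the SMS gateway is deliberately left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6            # assumed: six-digit numeric code, as most SMS 2FA uses
CODE_TTL_SECONDS = 300     # assumed: a code dies after five minutes
MAX_ATTEMPTS = 5           # assumed: five wrong guesses void the code


class SmsOtpStore:
    """Server-side bookkeeping for SMS one-time codes (illustrative, not a library).

    Only a salted hash of each outstanding code is kept, so a database leak
    does not hand out live codes. Every code is single-use, expires, and is
    voided after MAX_ATTEMPTS wrong guesses: without that cap an attacker who
    can submit guesses quickly can walk through all 10**CODE_DIGITS values.
    """

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can move time forward
        self._pending = {}         # user_id -> dict(hash, salt, expires_at, attempts)

    @staticmethod
    def _hash(code, salt):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id):
        """Create a fresh code for user_id and return it ONCE, for the SMS gateway
        (the actual send is outside this example). Reissuing replaces any old code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "hash": self._hash(code, salt),
            "salt": salt,
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id, submitted):
        """Return True only for the live, unexpired code; consume it on success."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: force a reissue
            return False
        ok = hmac.compare_digest(self._hash(submitted, entry["salt"]), entry["hash"])
        if ok:
            del self._pending[user_id]        # single use
        return ok

    def outstanding(self, user_id):
        """True while a code for user_id is still on file (useful for tests/monitoring)."""
        return user_id in self._pending
```

None of this protects against the attacks the rest of the article is about: a SIM swap, a port-out or an SS7 redirect delivers the freshly issued code straight to the attacker, and the store above will happily accept it. What it does close off is the cheaper route of guessing the code outright.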
The other side of this debate, however, makes a pretty convincing argument that using SMS for 2FA is not only a bad idea but a REALLY BAD idea. Take for example this recent article by Brian Krebs, where he concludes by saying, “It’s now plainer than ever how foolish it is to trust SMS for anything.” Brian also advises people “to remove phone numbers from your online accounts wherever you can, and avoid selecting SMS or phone calls for second factor or one-time codes.” He points out that although “most online services require users to supply a mobile phone number when setting up the account,” they usually “do not require the number to remain associated with the account after it is established.” For another interesting read on the vulnerability of SMS to SS7 hijacking and other attacks, see this article by an anonymous CIO on Medium. Or this article from our own Derek Kortepeter, where he discusses a specific case of SMS spoofing used in a phishing scam.
Let me ramble on about this for a while, as I’ve been studying this issue for some time now.
First of all, the mobile carrier bears some responsibility in all this. Just because someone emails you a blurry JPEG of what appears to be a signature on a generic-looking phone bill doesn’t mean you can take it on faith that you have confirmed their identity and proceed to port their phone number from their current carrier to yours as they have requested; that is the port-out fraud that ends with the attacker, not the customer, receiving every 2FA text. Some carriers did indeed try to offer hardware tokens in the past to secure SMS messaging for their customers, but when companies like PayPal first offered to support such tokens and then made using them almost impossible while continuing to offer SMS for 2FA, one can hardly blame the customer for sticking with SMS. Of course, PayPal now also supports an authenticator app like Google Authenticator or Microsoft Authenticator instead of SMS for two-step verification of account logins. Not everyone is comfortable letting Microsoft or Google anywhere near their online identity, although with a standard TOTP app the seed is stored on the phone and the code is computed there, so the app vendor is not in the login path. Don’t forget, too, that some users still use feature phones that can’t run such apps. And some large enterprises such as banks or insurance companies may prefer to issue their own authenticator apps to customers for 2FA (though they also typically use SMS to confirm transactions such as deposits and withdrawals).
Another important thing to recognize is that SMS was never designed as an authentication channel: a text carries no proof of who sent it and is not protected end to end, so on its own it is weak as a messaging platform. Used together with a password as a second factor, it simply makes life harder for an adversary who has already captured your password, unless they are specifically targeting you (for example, by spear-phishing) and are willing to do the extra work to compromise your SMS messaging. So is SMS for 2FA about the same, security-wise, as a Time-based One-Time Password (TOTP), for which there are numerous implementations? Against real-time phishing, roughly yes: a fake login page can relay either kind of code to the real site before it expires. Against everything that targets the phone number itself (SIM swap, port-out fraud, SS7 interception), no: a TOTP code is computed on the device from a seed the site shared at enrollment and never crosses the carrier network, so those attacks simply do not apply to it.
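To make concrete what “computed on the device” means, and why the authenticator apps mentioned above need no carrier at all, here is an added example (mine, not code from the article) of TOTP per RFC 6238 built on HOTP per RFC 4226, together with the clock-skew window a verifier normally allows. The key is the ASCII string both RFCs use for their published test vectors; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# The 20-byte ASCII key used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' takes 31 bits at the offset given by the MAC's last nibble."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Only the shared key and a clock are needed; no network is involved."""
    return hotp(key, int(now) // step, digits, algo)


def verify_totp(key, submitted, now, window=1, step=30, digits=6, algo=hashlib.sha1):
    """Accept the code for the current step and `window` steps either side (tolerates
    phone clock skew), comparing in constant time. A production verifier must also
    remember the last accepted step so the same code cannot be replayed within the window."""
    for delta in range(-window, window + 1):
        candidate = totp(key, int(now) + delta * step, step, digits, algo)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def key_from_base32(secret):
    """Authenticator apps exchange the seed as Base32 (the string inside the QR code)."""
    secret = secret.strip().replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


if __name__ == "__main__":
    print("current 6-digit code for the RFC test key:", totp(RFC_TEST_KEY, time.time()))
```

Run stand-alone it prints the code an authenticator app enrolled with that seed would show right now. The point for the SMS debate is in what is absent: no message is sent anywhere, so there is nothing for a SIM swap or an SS7 redirect to intercept. The seed on the phone and the seed in the site’s database are the assets to protect instead.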
But while SMS can add some security when used for 2FA, using it for this purpose has practical problems, particularly if you travel a lot internationally. You may, for example, be stuck when you want to access your bank account online from another country because your SIM will roam for voice calls there but not for SMS. One workaround (a hack, really) is to remove the SIM from your phone before boarding your flight, put it in a burner phone, and give that phone to a trusted family member. They then receive your SMS 2FA codes when you need to withdraw money while overseas, and you call them and have them read you the code. Be clear about what that trade costs: your second factor now lives with another person on another device, the code travels back to you over a voice call, and anyone holding that burner phone can log in as you. Where the service allows it, switching the account to an authenticator app before you leave avoids the whole problem, since the app needs no carrier network at all.
Using SMS for 2FA? Some practical tips
If you do have to use SMS for 2FA for some sites or online services, the following suggestions from Darren Lewis, an IT consultant at Fusion Systems, are helpful to keep in mind: “When using MFA on a phone, you need to think of the security of your phone and the apps. Make sure the phone is screen-locked in case you lose it or leave it lying around. Make sure also that your phone is not rooted.” Darren says he uses Authy instead of Google Authenticator wherever possible as it has an auto backup function and can enable using your fingerprint to open the app. But sometimes SMS is the only game in town when you need to do some 2FA.