The use of SMS codes to authenticate users has long since passed its zenith, but this method is still used all over the world in various industries as a supposedly secure 2FA login. This method is also still considered secure by regulators, especially in the financial services industry or the health sector. This is surprising, in view of the known security risks and the increasing number of cyber attacks.

As early as June 2017, the National Institute of Standards and Technology (NIST) published guidelines on digital identity. In this special publication (800-63B), NIST strongly advised against using SMS codes for authentication. This is no accident: various companies such as the British Metro Bank, Google or Yahoo have been victims of cyber attacks involving security codes sent over SMS.

The security risks around SMS are varied and can be roughly divided into three categories: local attacks, attacks via mobile phone providers, and attacks via your own smartphone.

Local attacks

The sending and delivery of SMS messages is still based on a communication protocol from 1975, Signalling System 7 (SS7). If an attacker is located near the nearest radio tower, or near the victim’s device, this outdated protocol makes it possible to intercept a sent SMS message in real time without any difficulty.

Mobile phone provider attacks

Mobile phone connections within Switzerland are secure. However, this does not always apply to connections abroad. The standards of encryption on mobile networks vary greatly from country to country and can make it easy for attackers to intercept messages. In other words, if a user abroad wants to log on to their e-banking platform, there is a potentially increased risk.

In addition, attackers often manage to get hold of a SIM card with stolen information through social engineering via mobile phone providers. By the time the victim recognizes the misuse, it is usually too late. These so-called “SIM swapping” attacks usually proceed very quickly. Dr. Security discusses more details in this blog post.

Smartphone attacks

One of the biggest risks is often hidden on your own smartphone. For instance, it often happens that a child installs a game on their parents' smartphone. What is probably less well known is that this app could simply read the SMS messages received, even while running in the background. Therefore be careful when installing apps! Check the app developer by carefully studying the originator. Not only game apps, but also cryptocurrency apps are popular “Trojan horses” for this kind of attack.
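To make the smartphone risk above concrete from an app-vetting standpoint, here is an added example (not from the original post or from Futurae) that audits an Android manifest for the two things that together let an app read incoming SMS codes in the background: an SMS permission and a broadcast receiver registered for the SMS_RECEIVED action. The package name, class name and manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions that let an app read incoming or stored SMS messages.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}
# Broadcast delivered to every app that registered a receiver for it,
# including apps that are not in the foreground.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest of a hypothetical game that asks for SMS access.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.funnygame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Funny Game">
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml: str) -> dict:
    """Report SMS permissions requested and receivers listening for SMS."""
    root = ET.fromstring(manifest_xml.strip())
    name_attr = f"{{{ANDROID_NS}}}name"
    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)
    listeners = [
        r.get(name_attr) for r in root.iter("receiver")
        if SMS_RECEIVED_ACTION in {a.get(name_attr) for a in r.iter("action")}
    ]
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": listeners,
        # Holding the permission and registering a receiver together lets the
        # app read a one-time code as soon as it arrives, with no user action.
        "can_read_otp_in_background": bool(sms_perms and listeners),
    }
```

The same check can be run against a real manifest extracted from an APK; a game or wallet app that reports `can_read_otp_in_background` as true deserves a hard look before it is installed on a phone that receives banking codes.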

Although not directly related, another widespread attack that leverages SMS messages is the so-called “smishing” attack (analogous to phishing via e-mail): criminals use SMS messages to ask the victim to log into a specially crafted website in order to harvest their sensitive personal data (such as e-banking access data). The messages give the impression of coming from a trustworthy entity (for example, pretending to be from the postal service about a specific parcel delivery). Unfortunately, these attacks often work very well, since trust in SMS messages received on your own smartphone is generally much higher than in e-mail.


Expensive and breaking the control chain

It is not only the security aspect that should discourage companies from using SMS messages; other factors also come into play and should be considered. SMS use is generally very expensive, because there is a cost for each individual SMS that needs to be sent. There is also no control over whether an SMS is actually delivered, by when it is delivered, or whether it is actually read by the user. Especially in parts of Asia, SMS transmissions are often difficult, with carriers blocking or delaying their delivery. Using SMS messages also breaks insights into user behaviour: was the user’s phone in a secure location when interacting with the website? Was the SMS protected by local phone authentication (such as fingerprint or FaceId), or could anyone, just by looking at the phone screen, read out the SMS code? And finally, the burden of proof in case of abuse, according to many companies' terms and conditions, lies with the user, which is actually not fair: it becomes extremely difficult to understand what happened in case of an attack.

Win-Win for companies and users

The use of SMS codes for portal logins is still more secure than not using 2FA at all, but today there are various alternative authentication methods that are not only more secure but also more user-friendly, and give companies much greater insight into their own users' behaviour. Futurae offers a variety of authentication methods that provide full flexibility for companies: from hardware to novel software-based solutions and protection against social engineering attacks. In addition, Futurae enables fast and uncomplicated integration into the existing infrastructure and reduces the total cost of ownership. Not only are expensive SMS costs eliminated, but also the help desk calls that so often accompany them when problems arise. SMS codes that never arrive – or reach an attacker – are a thing of the past!

This is a guest post by Futurae.
