Earlier this month, Apple Inc. announced a proposal for a simple security upgrade of SMS 2FA codes.
However, reading the fine print (or actually just the intro) in the original GitHub explainer tones down the excitement: “This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes. It does not attempt to reduce or solve all of them. For instance, it doesn’t solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk.”
So, what exactly is the difference between SMS hijacking and SMS phishing, and are these the only cyber risks associated with delivering SMS multi-factor authentication codes? And what are Apple’s very talented engineers suggesting to implement?
What are 2FA codes?
Two-factor authentication (also known as 2FA) is a subset of “multi-factor authentication” – a method of confirming users’ claimed identities by using a combination of two or more different factors. It can be a combination of (1) something the user knows (like their phone number, national ID, email, PIN) and (2) something the user has (like a mobile phone) or (3) something the user is (like a fingerprint, facial ID).
Today, many applications and services use an automated service to deliver 2FA codes by SMS to the user’s mobile phone to confirm the user’s identity. For example, some bank apps require the user to enter their email or user name, and the bank’s backend system sends an authentication code to the mobile phone that’s registered in the bank’s database for that user. Once the user receives the code to their mobile phone, they can use it to access their bank account via mobile app or desktop.
It looks something like this:
What are the cyber risks associated with 2FA codes?
There are several types of cyberattacks surrounding SMS-delivered 2FA codes. We’ll focus on the most common.
- Creating a fake web site (Phishing): the attacker somehow convinces the target to browse to a fake website, masquerading as a legitimate secured service (e.g. the users’ bank account). Once on the fake website, the user tries to access their account by entering their user identification and triggering a 2FA code, which they enter into the fake site. The attacker (operator of the fake site) catches the ID and code, enters the real site and takes over the user’s account. Convincing the target to enter the fake site can be achieved through a well-crafted phishing message by SMS or email, or by pure social engineering. A nice overview of social engineering tactics can be seen here, as explained by RCR Wireless News.
- Mobile Identity theft (SIM swap) – the attacker illegitimately convinces the target’s mobile network operator (MNO) to issue the target a new SIM card, and provide it to the attacker. This is achieved by taking advantage of poor security procedures and human errors by the MNO’s personnel. Once the new SIM is operated by the attacker – all SMSs sent to the target are received by the attacker, including any 2FA SMS codes, which enable the attacker to access secured sites and apps. Stacey Schneider’s personal, frightening and well-documented case can be read here.
- SS7 attack (SMS hijacking) – As we’ve described in our blog post “A step by step guide to SS7 attacks” the attacker maliciously gains access to the global SS7 network and manipulates the target’s MNO network so that eventually SMS sent to the target device are actually sent to a false location, reaching a device operated by the attacker. This is achieved by issuing crafted false SS7 messages in the network. The target may never be aware that a malicious actor is hijacking all their SMS and accessing their accounts. A well-known case is draining customer bank accounts at the UK Metro Bank.
- Fake cell tower and a Man-in-the-Middle attack: Using a fake cell tower, the attacker forces the target’s mobile device to connect to a fake mobile network, controlled by the attacker using a device called “IMSI catcher”. Once the attacked device is hooked onto the IMSI Catcher, the attacker impersonates the identity of the attacked device in front of the real network and provides the target’s device connectivity to the real network. The attacker is then in control of all communication between the target device and the network, and also can intercept SMS 2FA codes to gain access to any desired system. For a better understanding of IMSI Catchers, check out our blog post “Top 7 IMSI Catcher Detection Solutions for 2020”.
What is the new security upgrade for SMS 2FA codes that Apple is suggesting and what does it address?
Apple engineers propose standardizing the SMS 2FA message format so that devices can automatically parse the text and fill the code into the relevant site or app without user intervention. This aims to reduce the risk of users being tricked into entering their multi-factor credentials into fake websites. In other words, this solution targets SMS 2FA code theft via phishing (cyber attack #1, explained above).
Today, SMS 2FA formats are not standardized. A few examples are shown below:
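To make the proposal concrete, here is an added example (not code from the original post, Apple or WebKit) of the client-side check a browser or keyboard autofill would perform. It assumes the draft format from the GitHub explainer, where the last line of the message reads `@<host> #<code>`, and shows why a look-alike phishing domain gets no autofill while a legacy, unstructured message simply offers nothing to fill.

```javascript
// Added example, not the explainer's reference code. Assumption: the draft's
// "@host #code" last-line syntax; the "%" nested-host extension and non-ASCII
// hosts are deliberately not handled here.

// Last line must be exactly "@host #code": host has no spaces, '#', '@' or '%';
// the code is any non-blank run of characters.
const LAST_LINE = /^@([^\s#@%]+) #(\S+)$/;

function parseOriginBoundCode(sms) {
  // The explainer binds the code on the final line of the message.
  const lines = sms.trim().split(/\r?\n/);
  const m = LAST_LINE.exec(lines[lines.length - 1].trim());
  if (!m) return null; // legacy, unstructured message: nothing for the client to parse
  return { host: m[1].toLowerCase(), code: m[2] };
}

function codeForOrigin(sms, pageHost) {
  const parsed = parseOriginBoundCode(sms);
  if (!parsed) return null;
  // Exact host match: a look-alike phishing domain gets no autofill offer,
  // so the user is never nudged into pasting the code on the wrong site.
  if (parsed.host !== pageHost.toLowerCase()) return null;
  return parsed.code;
}

// Constructed sample messages (not real bank SMS).
const BOUND_SMS = "747723 is your Example Bank code.\n\n@bank.example #747723";
const LEGACY_SMS = "Your verification code is 123456";

function demo() {
  return {
    genuine: codeForOrigin(BOUND_SMS, "bank.example"),         // "747723"
    phish: codeForOrigin(BOUND_SMS, "bank-example-login.com"), // null
    legacy: codeForOrigin(LEGACY_SMS, "bank.example"),         // null
  };
}
```

Note that the check only helps when the user relies on autofill; a code a user reads and types by hand into a fake site is still lost, which is exactly the residual risk the explainer acknowledges.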
Does standardizing SMS 2FA codes solve the problem?
In itself, this is a positive step. However, there are still various cyber-attack methods to steal SMS 2FA codes. Suggesting that the problem is solved may cause the public to let their guard down and become oblivious to phishing attempts. This is highly risky in itself, since attackers are constantly improving their tactics and will most certainly find new ways to manipulate human users’ behavior.
In addition, executing this solution on a global scale is highly difficult as there are countless services today that use SMS 2FA codes, and implementing this standard by all service providers is a long term task.
What other solutions are there to solve 2FA cyber risks?
Generally speaking, the best way to avoid these attacks is by opting out of SMS 2FA code authentication. Many services don’t offer this option, and 2FA by SMS is mandatory to gain access to their service. We’ll address the attack types, one by one, and offer alternative protection measures.
- Phishing attempts – be very suspicious of links sent from your “bank”, “insurance company”, “government”. Always double-check the sender’s name, check the spelling and grammar and see that it makes sense. When in doubt (and in these cases, better doubt than sorry), independently search for your service provider’s website on your browser and only access the official website.
- SIM Swap – here, it’s a case of MNO action and your own precaution. In most cases, there’s really nothing you can do. If you don’t use SMS 2FA codes for authentication (opt-out) then you’re at lower risk of having the attacker access your accounts by obtaining your SIM card. Still, there are other risks such as identity theft, to name one. Wired wrote it better than us; check out a detailed list of possible protection measures here.
- SS7 attacks – with network-based attacks, only a network-based protection solution will do the trick, as the attack needs to be identified and stopped at the MNO network level. These are solutions that are implemented by the MNO and provided to customers or offered as an add on service. Contact your MNO to see if they offer FirstPoint’s SMS 2FA code protection for their subscribers.
- Fake cell towers (IMSI catchers) – IMSI catchers are physical devices that need to be in your proximity in order for the attack to happen. Sometimes an IMSI catcher can be operated by an independent hacker at the table next to you at a coffee shop, and sometimes by HLS entities in an airport you’re traveling through. So, it’s difficult to identify whether such a device is being operated nearby. One sign of an IMSI catcher in operation is potentially degraded service, but this can also happen if there’s spotty cell reception. For alternate solutions, check out our blog “Top 7 IMSI Catcher Detection Solutions for 2020”, or contact your MNO to see if they offer FirstPoint’s mobile cybersecurity solution against fake cell towers and man-in-the-middle attacks.
As with many cyberattacks, the most dangerous are the ones that involve a mix of social engineering, taking advantage of built-in vulnerabilities and some good hacking skills. On the user side, it’s important to take responsibility wherever possible.