Why is 2FA via SMS not considered secure? What does an attack look like or require?


I’ve been reviewing some of my security choices after the latest LastPass breaches. I see some password managers discouraging SMS-based 2FA in favor of Authenticator-based 2FA. I’m curious to understand how SMS 2FA gets compromised: what do attackers need to do? How easy is it to compromise?


6 Answers

Anonymous 0 Comments

Because SMS messages can be intercepted or redirected by attackers. This is known as a “man-in-the-middle” attack. There are more secure methods of 2FA that do not rely on SMS, such as authentication apps that generate one-time codes or hardware tokens that produce unique codes when pressed. These methods are more resistant to man-in-the-middle attacks and provide a higher level of security.

Anonymous 0 Comments

The most common method is called SIM card hijacking. Someone can call your phone company and tell them you want to move your phone number to another device. All calls and texts will then be forwarded to a new phone. Another method is SIM cloning, which requires the actual SIM card; I’m not sure how this is done with new eSIMs now.

Anonymous 0 Comments

Social attack vector. “Yes hello servicedesk? I am John Smith and my phone died. I could not be without so I bought a new one, but can’t log in with it.”

Given the pressure on most service desks, verification of these things tends to be minimal.

Technical attack vector would be the cloning of a SIM.

Anonymous 0 Comments

SMS messages are not encrypted, meaning other people near you can actually just read your SMS too. And that is just the most obvious security flaw.

Anonymous 0 Comments

Someone else can pretty easily get your texts, either by intercepting them over the air or getting the phone company to redirect them. Since nearly any device that can receive text messages can run an authenticator app instead, you should use the app. (SMS 2FA is still better than only having a password, though, so you should still enable it if it’s the only 2FA option.)

Anonymous 0 Comments

Creating a fake web site (Phishing): the attacker somehow convinces the target to browse to a fake website, masquerading as a legitimate secured service (e.g. the user’s bank account). Once on the fake website, the user tries to access their account by entering their user identification and triggering a 2FA code, which they enter into the fake site. The attacker (operator of the fake site) catches the ID and code, enters the real site and takes over the user’s account. Convincing the target to enter the fake site can be achieved through a well-crafted phishing message by SMS or email, or by pure social engineering. A nice overview of social engineering tactics can be seen here, as explained by RCR Wireless News.

Mobile Identity theft (SIM swap) – the attacker illegitimately convinces the target’s mobile network operator (MNO) to issue the target a new SIM card, and provide it to the attacker. This is achieved by taking advantage of poor security procedures and human errors by the MNO’s personnel. Once the new SIM is operated by the attacker – all SMSs sent to the target are received by the attacker, including any 2FA SMS codes, which enable the attacker to access secured sites and apps. Stacey Schneider’s personal, frightening and well-documented case can be read here.

SS7 attack (SMS hijacking) – As we’ve described in our blog post “A step by step guide to SS7 attacks” the attacker maliciously gains access to the global SS7 network and manipulates the target’s MNO network so that eventually SMS sent to the target device are actually sent to a false location, reaching a device operated by the attacker. This is achieved by issuing crafted false SS7 messages in the network. The target may never be aware that a malicious actor is hijacking all their SMS and accessing their accounts. A well-known case is draining customer bank accounts at the UK Metro Bank.

Fake cell tower and a Man-in-the-Middle attack: Using a fake cell tower, the attacker forces the target’s mobile device to connect to a fake mobile network, controlled by the attacker using a device called “IMSI catcher”. Once the attacked device is hooked onto the IMSI Catcher, the attacker impersonates the identity of the attacked device in front of the real network and provides the target’s device connectivity to the real network. The attacker is then in control of all communication between the target device and the network, and also can intercept SMS 2FA codes to gain access to any desired system. For a better understanding of IMSI Catchers, check out our blog post “Top 7 IMSI Catcher Detection Solutions for 2020”.

https://securityboulevard.com/2020/02/what-are-the-problems-with-2fa-codes-and-whats-apples-latest-proposal-to-solve-them/
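The phishing paragraph in the answer above describes a real-time relay: the fake site forwards the victim's username and password to the real site, the real site sends the SMS to the victim's own phone, and the victim types that code into the fake site, which forwards it before it expires. The following added example (not code from the original thread or the linked article) models that exchange in a single process so each hop is visible. `Bank`, `Victim`, `PhishingSite`, the credentials and the `send_otp` callback are all constructed for the simulation; the "SMS" is just a function call into the victim's inbox.

```python
import hmac
import secrets


class Bank:
    """Toy relying party: password, then a 6-digit one-time code sent out of band."""

    def __init__(self, users: dict, send_otp):
        self.users = users            # username -> password (constructed test data)
        self.send_otp = send_otp      # callable(username, code): the "SMS gateway"
        self.pending = {}             # username -> code awaiting entry
        self.sessions = set()         # issued session tokens

    def start_login(self, username: str, password: str) -> bool:
        if self.users.get(username) != password:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = code
        self.send_otp(username, code)   # goes to whoever holds the phone number
        return True

    def finish_login(self, username: str, code: str):
        expected = self.pending.pop(username, None)   # single use: removed on first attempt
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token


class Victim:
    """Owns the real phone: receives the SMS and types it wherever the page asks."""

    def __init__(self):
        self.inbox = []

    def receive_sms(self, code: str) -> None:
        self.inbox.append(code)


class PhishingSite:
    """Attacker's look-alike page; each form submission is relayed to the real bank."""

    def __init__(self, bank: Bank):
        self.bank = bank
        self.stolen_passwords = {}

    def submit_credentials(self, username: str, password: str) -> bool:
        self.stolen_passwords[username] = password
        # The bank now sends the OTP to the victim's real phone, not to the attacker.
        return self.bank.start_login(username, password)

    def submit_code(self, username: str, code: str):
        # Forward immediately: the code is single-use and short-lived.
        return self.bank.finish_login(username, code)


def run_relay() -> dict:
    victim = Victim()
    bank = Bank({"alice": "correct horse"},
                send_otp=lambda user, code: victim.receive_sms(code))
    phish = PhishingSite(bank)

    # 1. Victim enters credentials on the fake page; they are relayed to the bank.
    started = phish.submit_credentials("alice", "correct horse")
    # 2. The bank's SMS lands on the victim's own phone.
    code = victim.inbox[-1]
    # 3. Victim types the code into the fake page; attacker relays it and gets the session.
    token = phish.submit_code("alice", code)
    # 4. The victim's own later attempt with the same code fails: it was already consumed.
    victim_retry = bank.finish_login("alice", code)
    return {
        "started": started,
        "attacker_has_session": token is not None and token in bank.sessions,
        "password_captured": phish.stolen_passwords.get("alice") == "correct horse",
        "victim_retry_ok": victim_retry is not None,
    }


if __name__ == "__main__":
    print(run_relay())
```

Note what the model shows: the SMS itself is never intercepted, so SIM swap, SS7 and IMSI catchers are irrelevant to this path; the weakness is that the user will type a code received on a legitimate channel into an illegitimate page, and nothing in the code ties it to the page it was meant for. The same relay works against any code the user types by hand, which is why the earlier answers' "use an app" advice closes the interception paths above but not this one.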