Published on October 11th, 2020
Why You Should Stop Using SMS Security Codes—Even On Apple iMessage
Facebook, PayPal, Microsoft, Twitter, Sony, Uber, Dropbox, Amazon… the list goes on. It’s strikingly ironic—these companies are rightly pushing us to better secure our apps and services with two-factor authentication (2FA), verification codes when we log in or make payments. But the default 2FA option is usually SMS—one-time codes texted to our phones, and SMS has infamously poor security, leaving it open to attack.
SMS attacks either compromise phones/phone numbers or the messaging centers themselves within mobile networks. These messages are in plain text form—they’re not encrypted between sender and receiver, so if an attacker can access the message, they can read the content.
Phone/phone number compromises include malware that users unwittingly install, which then looks for one-time SMS passcodes and sends them back to the attacker. Mobile malware can also capture usernames and passwords for websites and apps on the device, although those credentials can easily be harvested by other means. Then there are SIM swapping attacks, where a network is tricked into issuing a new SIM for a target’s phone number; once that happens, any SMS message sent to that number can be read by the attacker.
Unlike end-to-end encrypted messaging (such as WhatsApp or iMessage, or even more general over-the-top platforms such as Facebook Messenger), SMS is built into the architecture of the mobile networks themselves. So, the security of your SMS messages relies on the security of those networks, or lack thereof. This issue has been known for years. And last year it was disclosed that hackers had planted malware deep inside multiple networks to intercept messages at will.
Apple’s iMessage feels more secure than other SMS messengers—and it does end-to-end encrypt traffic, but only where both the sender and recipient are using Apple devices. When it comes to SMS messages, including one-time passcodes, iMessage is no more secure than any other SMS platform.
iMessage does do a good job of simplifying SMS one-time passcodes, which can be entered into a 2FA field with a prompted tap. But that does nothing to secure the SMS message itself, which is stored within your standard SMS message history. Similarly, Apple and Google’s new initiative to collaborate on standard formatting and domain-specific codes does nothing to strengthen SMS security, although it will address the increasing risk of SMS phishing.
We know that, through data breaches, password reuse and reliance on common, easy-to-guess passwords, usernames and passwords are wide open to attack. You need two-factor authentication. But where that second factor is SMS messaging, it is also vulnerable to compromise; such compromises remain comparatively and thankfully rare, but they are becoming more of an issue. Last year, several German banks withdrew SMS as a 2FA option for just this reason.
Check Point warned of an SMS 2FA attack just last month, “an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more.” The “Rampant Kitten” operation, attributed to Iranian hackers, intercepted 2FA codes for otherwise secure Google and Telegram accounts. The attack was brutally simple, Check Point told me, an app pushed out to users via social engineering that asked for permission to read SMS messages.
This is a problem that’s now much worse with so many of us working from home. According to Forrester, “when entire workforces were forced to go remote, most of these companies started using two-factor authentication in the form of one-time passwords (OTP) over SMS.” But, while this is quick and easy, Forrester warns, “it is susceptible to compromise in certain cases.”
That said, you must enable two-factor authentication whenever it’s available. Microsoft has warned that a million-plus of its accounts are compromised monthly. “That’s a really, really, really high number,” the company’s head of identity security told a security industry event earlier this year.
Microsoft says that 2FA would stop more than 99% of those attacks. “No SMS 2FA or authenticator app on Office 365,” Cyjax CISO Ian Thornton-Trump points out, “is how even a U.S. federal agency was ‘pwned’. The entire attack could have been mitigated.”
But, where users are targeted, Forrester says, “SMS 2FA only stops 76%” of attacks. “The SMS protocol—over 30 years old now,” it says, “is susceptible to man-in-the-middle attacks, social engineering and SIM swapping.” Forrester suggests third-party password replacement, advanced analytics, single sign-on and physical keys. That is feasible for enterprises, albeit with a cost, training, support and user acceptance overhead, but hardly feasible for private users.
If you’re using Apple’s ecosystem, you already have the ideal alternative, where the default option is not SMS but one-time passcodes displayed on trusted devices that are already logged in. “It’s a device we know is yours,” Apple says, “and can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser.”
Google is now defaulting to the same. In July, the company made phone verification prompts “the primary 2-Step Verification (2SV) method,” shifting away from SMS messages or voice calls. Google says it recommends “prompts” instead of text message verification codes to “avoid phone number-based account hacking… get more info about sign-in attempts… [and] block suspicious activity—if you didn’t try to sign into your account, tap ‘No’ on the notification to secure your account.”
Such system-based security prompts and alerts cannot be spoofed in the way emails and messages can. It is also much harder to socially engineer someone into tapping to let you into their account than to persuade them to pass on a code they were texted, with an “it was meant for me, not for you” excuse.
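To make concrete why a prompt on a trusted device is harder to phish than a texted code, here is an added illustration (not code from the article, Apple or Google): a toy approval service in which the trusted device answers each sign-in attempt with a response keyed to that specific attempt. PromptServer, sign_decision and device_answer are names chosen for this example, and the device key is assumed to have been registered when the device was enrolled.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical names (PromptServer, sign_decision, device_answer): constructed for this illustration, not Apple's or Google's code.

def sign_decision(device_key: bytes, attempt_id: str, decision: str, context: dict) -> str:
    """Bind the owner's Yes/No to one specific sign-in attempt and its displayed details."""
    msg = json.dumps({"attempt": attempt_id, "decision": decision, "context": context},
                     sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def device_answer(device_key: bytes, prompt: dict, decision: str) -> str:
    """What the trusted device sends after its owner taps Yes or No on the prompt."""
    return sign_decision(device_key, prompt["attempt_id"], decision, prompt["context"])

class PromptServer:
    """Toy sign-in approval service: one challenge per attempt, single use, short lived."""

    def __init__(self):
        self.device_keys = {}  # device_id -> key registered when the device was enrolled
        self.attempts = {}     # attempt_id -> {"context", "expires", "state"}

    def enroll_device(self, device_id: str, device_key: bytes) -> None:
        self.device_keys[device_id] = device_key

    def start_attempt(self, context: dict, ttl: int = 120, now: float = None) -> dict:
        """A sign-in on an unknown device opens an attempt; the prompt goes to the trusted device."""
        now = time.time() if now is None else now
        attempt_id = secrets.token_hex(16)
        self.attempts[attempt_id] = {"context": context, "expires": now + ttl, "state": "pending"}
        return {"attempt_id": attempt_id, "context": context}

    def respond(self, device_id: str, attempt_id: str, decision: str, signature: str,
                now: float = None) -> str:
        now = time.time() if now is None else now
        attempt = self.attempts.get(attempt_id)
        device_key = self.device_keys.get(device_id)
        if attempt is None or device_key is None:
            return "rejected"
        if attempt["state"] != "pending" or now > attempt["expires"]:
            return "rejected"  # already answered (replay) or timed out
        expected = sign_decision(device_key, attempt_id, decision, attempt["context"])
        if not hmac.compare_digest(expected, signature):
            return "rejected"  # forged or tampered, or signed by a key the server never enrolled
        # A "no" permanently closes this attempt; there is no code the owner could be talked into reading out.
        attempt["state"] = "approved" if decision == "yes" else "denied"
        return attempt["state"]
```

The approval is bound to the attempt id and to the context the owner saw on screen, so an answer cannot be lifted from one sign-in and reused for another.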
Apple and Google are uniquely positioned to deploy an easy-to-use 2FA system, built into devices on their ecosystems. But this isn’t available to others unable to tap into device-level, often biometric security. For most, the easy option is still SMS messaging. You register your phone number and you’re texted four- or six-digit codes, sent via plain text, vulnerable to those compromises.
“But it’s important to understand,” infosec commentator John Opdenakker says, “that these are still targeted attacks. In general, the risk to the average user having accounts compromised by mass attacks such as phishing or credential stuffing is a lot higher.”
The greatest benefit with SMS is also its greatest weakness. The reason it has become a 2FA default is that we all have access to a cell phone and an SMS messenger. There’s no need to run a separate authenticator app to produce one-time codes, there’s no need to carry around digital keys, it works across all apps and platforms and doesn’t rely on any specific ecosystem.
But, behind the façade, the SMS system over which those codes are being sent is wide open. An archaic network that runs across mobile networks worldwide, where there’s no end-to-end encryption, where you have no way to know over which networks your message travels in open-text form between sender and recipient. Last year, the FBI warned that 2FA had inherent weaknesses, advising us to opt for biometrics—exactly what you have with the Apple and Google approach.
Security researcher Sean Wright describes SMS 2FA as “better than nothing”. And that’s a common perception in the security industry. “It has known flaws,” he says, “which have been successfully exploited. It’s served its purpose; we should now move on to newer and better solutions. It would also save firms money to replace SMS, as they’d no longer have to pay to send messages.”
Social engineering attacks are increasing, seeking to steal codes from unsuspecting users to hijack WhatsApp accounts or payment credentials. It’s time for a new approach. We need a widening of the Apple/Google approach: 2FA built into our devices, protected by biometrics, presenting system prompts and on-device options to keep our devices secure.
Such a system needs to be openly accessible to service providers, in the way many banking apps rely on multi-device apps to use biometrics to authorize logins. But the providers themselves need to be encouraged away from SMS to such schemes. It’s not enough to offer authenticator apps or digital keys as alternatives—that’s unrealistic for the vast majority of the user base.
According to ESET’s Jake Moore, “text messages are better than no second layer of security. Getting people behind the idea of two factor authentication is a tough task in itself, so I can see why some organizations start mildly and offer an SMS concept which people are used to. However, I think it’s better to future proof in the long run to go straight into recommending an authenticator app to bolster account security and defend them from the simplest of attacks.”
The challenge of course is that this makes 2FA much more complex and risks non-compliance. Nicola Whiting, Chief Strategy Officer at Titania, advocates for the built-in approach. “Fully automated OTPs, standardized across multiple browsers, providers and platforms have the potential to provide users with higher protection… That OTPs have an almost ‘zero effort’ adoption cost, will be key to widespread adoption and for transformational security benefits to be achieved.”
Until then, while there may be many reasons you should stop using SMS passcodes, there’s unfortunately a much bigger reason to keep doing so. If this is the best 2FA option we have right now, the one you’re most likely to use, then you should keep using it. It’s for the industry to fix this issue, not for you.
“We often miss the mark in security,” Lisa Forte, partner at Red Goat Cyber Security, says. “Security is a journey. So, for someone who has used ‘Summer1’ as their only password for years, enabling SMS 2FA is huge progress. Is it a perfect solution? Definitely not. Not even close. But it is progress and that person is now harder to attack than they were. This is a journey with no end point. Attacks evolve and so must we. Look for progress and not perfection.”
So, yes, you should stop using SMS security codes for two-step verification—but, unfortunately, you can’t.