SMS-Based Two Factor Exploited in Bank Account Transfer Scheme
Yet another example of how SMS-based two-factor authentication is not secure can be seen in the recent Signalling System No. 7 (SS7) attacks in January. Malicious hackers redirected money from German customers’ banking accounts to their own accounts in a series of attacks, according to Ars Technica and Süddeutsche Zeitung.
First, they compromised bank accounts with Trojans that infected users’ devices and stole their account passwords. This allowed the attackers to see customers’ account balances. Second, they intercepted the one-time password sent by text message to the user’s phone, which was required to make money transfers.
To do that, they exploited a flaw in SS7, the telephony signaling protocol that allows people to send text messages across the world, take uninterrupted phone calls on trains, and roam from one network to another internationally. The protocol is used by more than 800 telecommunications companies globally, which makes it a key target for criminals who want to remotely intercept one-time passwords and authorize money transfers.
The exploited vulnerability in telecommunications networks has been publicly known for many years. The attack was carried out from a foreign mobile network operator in mid-January; that network has since been blocked, and affected customers have been notified. Last week, Rep. Ted Lieu of California called for the Federal Communications Commission (FCC) and the telecom industry to fix this flaw, which was said to be discovered in 2006 and fully disclosed in March, as reported by SC Magazine.
According to an article by Security Intelligence, this ‘flaw’ is really an intentional loophole, a design feature of SS7, and telephone networks were never designed to be secure. SS7 gives users a seamless experience as they travel. One way to keep phone calls private is to use end-to-end encryption apps. Another recommendation is to use more secure methods of two-factor authentication to better protect access to your accounts.
NIST Nixes SMS-Based 2FA
Last July, the U.S. National Institute of Standards and Technology (NIST) announced it was pulling SMS-based two-factor authentication (2FA) from its Digital Identity Guidelines, Special Publication 800-63-3, a move that Duo supported.
NIST states that SMS 2FA isn’t secure because the phone associated with the number may not always be in the user’s possession, and because SMS messages can be intercepted and never delivered to the phone. The SS7 attack is one example of why text-based 2FA isn’t the most secure method.
The latest Verizon Data Breach Investigations Report (DBIR) noted this very attack scenario as a ‘common event chain’ listed by NIST as a reason to move away from SMS 2FA. The Verizon DBIR stated:
We are not suggesting using two-factor authentication via SMS is akin to building a house of sticks (as opposed to a straw house) for the mitigation of wolf attacks, but it is a window into the thinking of the adversary. When faced with defeating multi-factor authentication, they will pragmatically try to devise a way to capture both factors for reuse.
Better Ways to 2FA
What are some better, more secure 2FA methods? Try U2F (Universal 2nd Factor), an open authentication standard developed by the FIDO (Fast Identity Online) Alliance for secure and easy-to-use 2FA.
How does it work? Simply enroll with Duo, then tap a physical USB device to verify your identity. This device, known as a U2F authenticator, protects its private keys with a tamper-proof component known as a secure element.
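The following Go sketch is an added illustration, not Duo’s code or part of the original post: it models the U2F challenge-response between the authenticator and the bank, and shows why a captured response cannot be reused the way an intercepted SMS code can. The bank origin, challenge values and enrollment key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token models a U2F authenticator: the private key is generated inside it and never leaves.
type Token struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

// u2fDigest hashes what the U2F raw message format has the token sign:
// sha256(appId) || userPresence(1) || counter(4, big-endian) || sha256(clientData).
func u2fDigest(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	d := sha256.Sum256(append(msg, cd[:]...))
	return d[:]
}

// Sign is what the token does when touched for one origin (appID) and one challenge.
func (t *Token) Sign(appID string, clientData []byte) (uint32, []byte) {
	t.counter++
	sig, _ := ecdsa.SignASN1(rand.Reader, t.key, u2fDigest(appID, t.counter, clientData)) // errs only if rand fails
	return t.counter, sig
}

// Verify is the bank's check: its own appID, the challenge it issued, and a counter above the last seen.
func Verify(pub *ecdsa.PublicKey, appID string, clientData []byte, last, counter uint32, sig []byte) bool {
	if counter <= last {
		return false // stale counter: a captured response being reused
	}
	return ecdsa.VerifyASN1(pub, u2fDigest(appID, counter, clientData), sig)
}

// Demo plays the "capture both factors for reuse" scenario against U2F: genuine login vs. replayed capture.
func Demo() (genuine, replay bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed enrollment key
	tok, bank := &Token{key: key}, "https://bank.example"      // constructed sample origin
	c1 := []byte(`{"challenge":"c1","origin":"https://bank.example"}`)
	ctr, sig := tok.Sign(bank, c1)
	genuine = Verify(&key.PublicKey, bank, c1, 0, ctr, sig)
	c2 := []byte(`{"challenge":"c2","origin":"https://bank.example"}`) // next login's challenge
	replay = Verify(&key.PublicKey, bank, c2, ctr, ctr, sig)            // signature covers c1, counter stale
	return
}
```

Unlike an SMS code, the signed response is bound to the bank’s origin and to a single fresh challenge, so a copy intercepted in transit is worthless for the next transfer.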
Or use Duo Push, a push notification delivered to your phone via a 2FA mobile app, Duo Mobile. Approve the notification to verify your identity, and you are granted access after completing your primary method of authentication (typically a username and password).
Learn more about evaluating different two-factor authentication solutions by downloading the Two-Factor Authentication Evaluation Guide.
This guide walks through some of the key areas of differentiation between two-factor authentication solutions and provides some concrete criteria for evaluating technologies and vendors.