The biggest flaw of SIM-based 2FA
Have you just started using SIM-based two-factor authentication to protect your accounts? Well, multiple experts agree that it’s not safe, and your personal data can still be stolen.
SIM-based user authentication is not safe for many reasons, not only because of SIM swap frauds that happen at scale. Anyway, it is still better than only using a password.
“Using this type of authentication method is becoming increasingly dangerous because of threats like SMS hijacking (SS7 attack), social engineering, device malware, and SIM swap fraud. Most people also still use weak passwords or reuse their passwords for different services with different risk profiles, further compounding the issue,” cybersecurity expert Jean Loup P. G. Le Roux told CyberNews.
SIM swap attack happens when a fraudster convinces a cell phone provider to give them access to a phone number and swap it to a new SIM card or phone. These attacks are now occurring at scale because they are lucrative and mostly automated, therefore hard to combat.
“SIM swap attacks are happening at a massive scale against everyday users, and are the number one fraud concern of many cellular providers and financial institutions,” John Whaley, Founder and CEO at UnifyID, told CyberNews.
How dangerous is SIM-based 2FA?
“SMS-based OTP (one-time-passcode, those six-digit codes they text you that you need to type in) is not secure for many reasons, not just limited to SIM swapping,” John Whaley said.
For example, a number porting attack is similar to a SIM swapping attack. In this attack, the fraudster signs up under a different mobile service provider and requests to port your number to the new carrier.
John Whaley explained that protocols used for SMS are not encrypted and not authenticated, and threat actors can intercept and read messages even without access to the user's phone number.
“SMS messages travel through many third-party servers that are not secured. It was exposed by an episode last year where many text messages were delayed for months,” he explained.
What is more, SMS-based OTP doesn’t solve the problem of phishing or account takeover.
“If a user is convinced enough to enter a password on a phishing site, they are very likely to also enter the SMS 2FA code,” John Whaley explained.
Furthermore, the code you receive via SMS does not contain any of the context of the action you are trying to authenticate, leading to additional attacks.
“You may think you are providing the SMS for something innocuous like checking your balance, but that code may be used instead for resetting your password to lock you out of the account or for transferring all of your money out of the account,” he said.
A common scam is to receive a phone call that appears to be from your bank's fraud department, convincing you to read off a code from a text message to verify your identity.
Due to the above reasons, institutions like NIST (National Institute of Standards and Technology) and the FBI recommend not using SMS-based 2FA. Yet, it is still a commonly used 2FA method.
How often does this occur?
“High profile cases of SIM-swap fraud (like we saw with Jack Dorsey) haven't just brought the attack technique to the attention of the media, hackers around the world have taken to the technique like ducks to water. I've seen reports of this technique globally increasing of late, and it doesn't look like it's going to stop”, Matt Boddy, CTO of Traced Mobile Security, told CyberNews.
According to Jean Loup P. G. Le Roux, there’s a definite lack of reliable sources on statistics about SIM swap attacks. However, there’s been an escalation in SIM swap attacks in recent years, and this problem is getting a lot more airtime among cybersecurity professionals and security organizations like the FBI than it did before.
“One of the only things keeping SIM swapping attacks from becoming more prevalent is the fact that it’s near impossible to fully automate. Adopting a threat-based approach, we can see why targeted attacks have far more chances to succeed when SIM-based 2FA is used. They still have relatively low chances to succeed in fully automated attack scenarios because a human component is still required to trick your phone provider to “swap” your SIM,” he said.
Although phishing and malware are some of the most talked-about threats today, SIM swapping is a much more widespread problem than most people realize, Jean Loup P. G. Le Roux argues.
In the FBI’s 2019 Internet Crime Report, they highlighted a particularly high-profile case where a US-based cybercrime ring stole around $40 million in cryptocurrency this way.
Should I trust the retailer that uses 2FA?
“Don't dismiss a retailer that uses SMS-based 2FA, since it's better than no second factor at all. But where there is the option (which there often is), choose a second factor that relies on an authenticator app on your phone instead, or a security key like Yubikey,” Matt Boddy said.
The best approach for users is to use multifactor authentication (MFA) whenever possible, choose authenticator apps instead of SMS based MFA, and, of course, stop reusing passwords.
The attacks against SMS-based OTP are so numerous and well-known that institutions that are looking to newly implement 2FA are not considering SMS-OTP, Mr. Whaley explained. Instead, they are looking at other alternatives like push-based authentication or behavioral biometrics.
“The continuing use of SMS-OTP today are mostly legacy implementations from 2019 and earlier. We will see SMS-OTP start being phased out over the next few years,” he predicts.
Jean Loup P. G. Le Roux recommends adopting healthy practices and sticking to them, regardless of 2FA support.
“Use password managers like BitWarden to do all the heavy lifting, never reuse your passwords on different sites, and never share passwords. Stick to it, apply it over and over, and don’t question or change the routine. You’ll avoid about 80% of existing risks this way,” he explained.
How to choose a mobile service provider
A SIM swap attack occurs once a fraudster outwits a telecom employee. How to choose a reliable mobile service provider in that case?
“Be upfront! Ask if there are additional security controls in place to prevent an unauthorized SIM swap. Be specific, you may be able to set a “recovery PIN” to authenticate you with customer service should you ever need to legitimately re-issue your SIM,” suggested Jean Loup P. G. Le Roux.
John Whaley said.
John Whaley explains that most major mobile service providers allow you to specify a wireless passcode, passphrase, or set up a port freeze on your account.
“You should be careful not to reuse an existing passcode or passphrase, as that makes it much easier for someone to guess or steal. You are much safer coming up with a new one and writing it down in a safe place. The same goes for so-called security questions, like mother's maiden name or street number of the house you grew up in. They are often easy to guess. It is a matter of when, not if, the answers get leaked,” he told CyberNews.
Even if you take all of these precautions, you are not 100% safe because it is not that difficult to socially engineer, experts agree.
“Social engineering is a tricky beast. We are talking about humans, and there will always be the possibility that someone can be bribed or coerced into assigning a SIM to someone they should. In the past, some mobile service providers have been caught out by watchdogs for high levels of SIM-swap fraud, so search for reports on the internet. These providers are likely to have put in stronger measures to combat fraud. Be aware, though, that the more specific a provider is in explaining their measures, the more likely that hackers and fraudsters have found a way to circumvent them,” Matt Boddy explained.