13

In my web app (everything works with HTTPS), I send the user an SMS with a unique 5-digit code to a cellphone number he provides. I then ask the user to enter in the browser the code he received. Apart from the pure luck of guessing the 5 digits, is it 100% secure or is there a way to tamper with this method?

Thanks.

frenchie
  • Are you using TOTP to generate the 5 digits or are you randomly generating a 5 digit number or what? – Ryan Kelso Nov 07 '16 at 18:27
  • Here's an article I read recently about someone who got their entire online identity taken over after a hacker socially engineered their phone company into transferring their phone number to a burner phone controlled by the attacker: https://medium.com/internet-creators-guild/getting-hacked-as-an-internet-creator-982d03637e86 – Ajedi32 Nov 07 '16 at 21:55
  • I find the questions (and there are many) which ask "Is X 100% secure?" always (correctly) have the answer "No". No matter how secure they are, there is going to be the weakest point in the chain somewhere... – Tim Nov 07 '16 at 23:10
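The question's own "pure luck of guessing the 5 digits" is the one risk the server can bound directly: a 5-digit code has 100,000 values, so what matters is how many online guesses an attacker gets before the code expires or locks. The following is an added example (not code from the question or from any answer) of the server-side handling a defender would want: the code comes from a CSPRNG, it expires, it is single-use, it allows a fixed number of attempts, and the comparison is constant-time. The `SmsCodeVerifier` class, its in-memory store and the constants are hypothetical; delivery to the carrier is out of scope, which is exactly the part the answers below say you cannot secure.

```python
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 5          # as in the question
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: three guesses per issued code, then locked


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class SmsCodeVerifier:
    """Hypothetical server-side state for one-time SMS codes (in-memory).

    With CODE_DIGITS digits and MAX_ATTEMPTS guesses, an online guess succeeds
    with probability MAX_ATTEMPTS / 10**CODE_DIGITS per issued code, and a new
    code must be issued (with a new SMS) after lockout or expiry.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # phone number -> PendingCode

    def issue(self, phone: str) -> str:
        # secrets.randbelow, not random.randint: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Re-issuing replaces any earlier code and resets its attempt counter.
        self._pending[phone] = PendingCode(code=code, issued_at=self._clock())
        return code  # the caller hands this to the SMS gateway

    def verify(self, phone: str, submitted: str) -> tuple:
        """Return (accepted, reason). Every failure reason is safe to log."""
        entry = self._pending.get(phone)
        if entry is None:
            return False, "no_code_pending"
        if entry.consumed:
            return False, "already_used"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]
            return False, "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            return False, "locked"
        entry.attempts += 1
        # compare_digest runs in constant time, so a wrong guess does not
        # leak how many leading digits matched.
        if secrets.compare_digest(entry.code.encode(), submitted.encode()):
            entry.consumed = True    # single use
            return True, "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            return False, "locked"
        return False, "mismatch"


def guess_success_probability(digits=CODE_DIGITS, attempts=MAX_ATTEMPTS) -> float:
    """Chance that an attacker who never saw the SMS passes verification."""
    return attempts / 10 ** digits


if __name__ == "__main__":
    v = SmsCodeVerifier()
    number = "+15550100"                     # constructed sample number
    code = v.issue(number)
    print("issued", code, "guess probability", guess_success_probability())
    print(v.verify(number, "00000"))         # (False, 'mismatch') almost surely
    print(v.verify(number, code))            # (True, 'ok')
    print(v.verify(number, code))            # (False, 'already_used')
```

The attempt limit, not the digit count, is what keeps a short code defensible; raising `CODE_DIGITS` without limiting attempts only slows a scripted guesser down. Rate-limit `issue` per phone number as well, or the SMS gateway becomes a free way to spam the user with codes.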

5 Answers

17

I'm going to say no. While SMS is a generally accepted 2nd factor, there have been a number of cases where an attacker has used social engineering to break into a user's carrier account and pick up the verification code and use it. So to answer your question, is it 100% secure aside from guessing, no.

EDIT: To add to this information, even NIST is removing SMS as a valid 2nd factor from their standards for security.

Ryan Kelso
12

What you describe is absolutely not a secure approach. SMS messages are broadcast over the air without guarantee of encryption.

They can be intercepted and recorded.

In addition, your SMS messages are only as secure as your provider. Hackers can execute a social engineering attack, such as convincing a cellular carrier's tech support to send messages to a device the hacker controls.

It's a public, insecure channel and should be treated as such. Adding some kind of SMS verification is better than nothing, but there are risks that may not be acceptable in the context of your application. If we are talking about authentication there are much better methods.

More:

https://www.ckn.io/blog/2015/11/29/gsm-sniffing-sms-traffic/

Antonius Bloch
4

Of course it is not 100% secure. In addition the NIST is updating its digital authentication guideline and is about to ban SMS.

You should use other means of 2FA when the user registers. You might even use a Smartphone App, although this sucks, too.

You will not get 100%, but if you want to get real high, you need to ship smartcards with x509 certificates or at least a self-initialized Yubikey.

cornelinux
  • "although this sucks, too" What the link details, requires the user to knowingly give someone else access. – jobukkit Nov 08 '16 at 09:05
  • You are right. While SMS is still only sent to **one** device (although you can not be sure, to which ;-), the TOTP with Google Authenticator can be copied, without the system or the IT department knowing it. This might be fine if you trust the user. But if you have a large setup, where you also want to avoid that users are sharing passwords, then TOTP with Google Authenticator is not a good choice! Also printing out the QR Code without being aware of it is a possible attack vector. The OTP secret should have been bound to the smartphone in the first place. – cornelinux Nov 08 '16 at 12:37
  • Then the rogue user can just lend out their phone. Nothing at all will secure against deliberate access-giving. – jobukkit Nov 08 '16 at 13:00
  • You are totally right. And even if you use biometrics, I can ask my colleague to come over with his thumb. But the point is, lending the phone or the thumb is more inconvenient. If the colleague is not at the same place. You need to call him. This is simply to educate the users to go the way of least effort. Till then the way of least effort was to share passwords or share TOTP scanned tokens. Then the way of least effort will be to use your own smartphone or token. It's that simple. – cornelinux Nov 08 '16 at 18:07
2

It offers a certain level of security but is as secure as your carrier's customer service. E.g. one can know some basic info about you such as address, mother's maiden name etc... call the carrier, transfer the number and hijack whatever the intent was...

user129923
2

About 4 months ago there was a wave of popular internet personalities (and their mobile phone operators) getting socially engineered into blocking and reissuing their SIM cards to a third party. From there, with the 2-step verification sending SMS to their phones, the bad guys managed to alter other people's social media and other accounts.

A video on this from H3H3Productions (possibly nsfw language).

So, technical issues of cell phone communication aside, adding SMS as a verification option creates an opportunity for social engineering.

user1306322