16

Google, Facebook and most of the important websites (banks, payment sites, etc...) use SMS as the major method for 2FA or for controlling the account (password reset, etc..). However, GSM was proven long ago to have vulnerabilities:

A) That surely tells the world that SMS-enabled services are really hackable (yes, it needs some money and resources, but as time goes, everything becomes cheaper). So, if you are an important figure, or even if a hacker targets you specifically, or even some bulk-hacker software might be written (who intercepts all SMS within radius), then your SMS can be intercepted easily.

B) That also means, that in some cases, having 2FA using SMS can be worse than being without 2FA at all.

So I have 3 questions:

  1. What is the foreseeable future? Will worldwide GSM providers fix all the vulnerabilities and upgrade the technologies easily?

  2. Who can force the major technology giants (Google, Twitter, Facebook, eBay, Amazon, etc...) to allow us to use 2FA without SMS? (At this moment, only Google and FB allow users to remove their phone number as 2FA, if you remove the phone number entries from all places in your account, but such critical services, as LastPass, Authy, etc... do not allow this yet)

  3. Before GSM providers or websites will upgrade technologies, what steps can we do to avoid our SMS being intercepted? Can we have some "protected SIM number" or program that will prevent auto-switching or detecting interception, or blocking it or whatever?

schroeder
  • 125,553
  • 55
  • 289
  • 326
T.Todua
  • 2,707
  • 4
  • 20
  • 29
  • 2
    Good question. Also, many better 2 step authentications will fallback to SMS, making them equally unsecure. – Esa Jokinen Feb 02 '19 at 10:22
  • 2
    [TOTP](https://www.youtube.com/watch?v=ZXFYT-BG2So&app=desktop), [hardware tokens](https://cloud.google.com/titan-security-key/) and [Web Authentication API](https://blogs.windows.com/msedgedev/2018/07/30/introducing-web-authentication-microsoft-edge/) have already started to act as an alternative to SMS token. But changes take time to be adopted as new standards. – defalt Feb 02 '19 at 19:01
  • @defalt yes,thats problem, that "it takes time...". I think tech-giants should have a eay to disiable (as an user-option) sms based recovery... maybe they should implement other alternatives too,like unique voice recognition, fingerprint, whatever... i dont know... – T.Todua Feb 02 '19 at 22:46
  • Any new implementation will take as much time as the current implemented standards. Current standards have been verified by cryptographers and engineers so they are ready to replace SMS-OTP. – defalt Feb 03 '19 at 05:39
  • SMS-based 2FA has been actively being replaced for a while now since the official recommendations are not to use it. I'm thinking that this question has been answered for a while now. – schroeder Feb 03 '19 at 15:55

3 Answers3

6

Bruce Schenier talks about this issue here.

To quote the article.

Here are two new active attacks we're starting to see:

  • Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
  • Trojan attack. Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.

The problem with 2fa is that the password and the otp are both sniffed. Or just the password is sniffed and then the user taps the 'tap here to login' prompt. Either one allows the attacker in.

As mentioned by defalt. The proper way to authenticate a user (mathematically speaking) is to use strong mutual authentication like how yubikey's security key does.


1) What is a foreseeable future - is it going to happen, that worldwide GSM providers will soon fix all the vulnerabilities and upgrade the technologies easily? And if they don't plan this, then what should we do?

Things take a very long time to change because of lock-in . Ipv4 was predicted to be dead by 2010. In 2019 ipv6 usage is about 25%. Rolling codes were created back in the 1980s but fixed code systems are still around in 2019. So sms will stick around for a long time to come.

The best thing you can do is utilize the strongest authentication that a website has available. There's not much an individual user can do beyond that. It's really up to the website to implement strong authentication.

2) What is a foreseeable future of internet - does GOOGLE, BANKS and all others tend to deprecate SMS authentication soon, or that's not gonna happen, and we are will be still sticked with #1 problem?

Google and Yubico are working hard on upgrading user authentication for the internet in 2 ways. 1. delivering hardware based tokens and 2. making it easy for web servers to implement webauthn. These 2 ways are really just different sides of the same coin.

3) And as a last note, of course,in our reality, 2 step auhorization(SMS based) increases security from most of hackers(i.e. in case our passwords are stolen) , but the reality turnes out to be, user who uses 2-step sms authorization (or, doesn't use 2step, but has entered own mobile number in his profile, as a recovery method) has increased security threat - for example,when hacker doesnt know your password, but is capable to hack sms (as opposed to the first category of hackers, when you have increased security instead). Quite a problematic dilemma.

A chain is only as strong as it's weakest link. If it's easier to hack someone's account directly or by "recovering" the account. The attacker doesn't care. A website needs a strong primary way of authenticating it's users, and if it chooses to implement recovery. That needs to be secure too.

silverduck
  • 271
  • 1
  • 2
  • wouldnt installed trojan able to access or sniff the connected hardeare, like yubikey? – T.Todua Feb 03 '19 at 21:06
  • 1
    A yubikey uses challenge-response authentication instead of shared-secrets. The gist is that the server sends a challenge and the yubikey signs that challenge and then sends it back to the server. The signature is only valid for that session and for that website. The Google authenticator app just generates 6 digit codes but it's up to the user to verify that the website he/she is on is using tls and that the domain name matches character for character. This is a bit over simplified. If you want to know more you can start here (https://fidoalliance.org/how-fido-works/) – silverduck Feb 03 '19 at 23:33
1

I think it will keep its place because there is no "buy-in" on the user's end, i.e. they don't need to complete any actions on their device prior to using it. I haven't come across any data suggesting that using SMS 2FA decreases security over not using 2FA.

schroeder
  • 125,553
  • 55
  • 289
  • 326
they
  • 923
  • 1
  • 5
  • 7
  • here is data: https://security.stackexchange.com/questions/216624/2-step-authorization-using-sms-is-less-secure-than-having-2-factor-disabled-at – T.Todua Sep 02 '20 at 19:35
1

And if they don't plan this, then what should we do?

I will share my experience while implementing 2FA for ERP software:

  • Provide Authenticator-app based 2FA.
  • If possible, integrate 2FA with mobile fingerprint if you support the mobile app.
  • If for some legacy reason or requirement, you need to provide SMS-based 2FA, make it clear that App-based 2FA is a better choice by displaying messages during the setup process to the end-user. (Yes, there are companies that don't allow smart devices to be carried inside office premises)
  • For B2B, usually, such policy is decided by IT team of the company. Make sure to convey the pros/cons/security risk of using SMS-based 2FA clearly.
  • For banks, It would be great to use App-based or hardware tokens for 2FA.
  • Example: DBS in Singapore gives their customer a hardware device to generate tokens. First, an SMS text will be sent to your phone with 6-8 digit OTP. You need to enter this OTP into the device to generate another OTP, which will be used to validate the second factor.

That being said, all the above methods have some tradeoffs. (Usability vs Security)

If there is too much security, it might decrease the usability which in turn would decrease the security if users are not aware.

  • I remember, while I was an intern in a company for few months where users were forced to change their password every month with a strong policy as 8 letter password with 1 lowercase, 1 uppercase and 1 special character and cannot reuse one of the last 10 passwords. This resulted in users having a pattern in the password like Jan012018. Some users even had a sticky note with their password on it.

I would suggest considering all possibilities and adapt based on the use case.

does GOOGLE, BANKS and all others tend to deprecate SMS authentication soon

As said above, banks have started moving towards more secure ways of implementing a second factor. Of course, it would take time for it to be universal.
(From what I remember, Google also supports App-based 2FA, hardware tokens and other methods of 2FA)

schroeder
  • 125,553
  • 55
  • 289
  • 326