51

Security experts are constantly discouraging users from using SMS-based 2FA systems, usually because of worries the auth code could be intercepted by an attacker, either through a SIM swap or a MitM attack.

The problem I see with this statement is that both of these attacks to me feel like they're essentially only really feasible for attacks targeted at a specific user with the goal of breaching a targeted service. Attacks like the one that breached Reddit last year, where a Reddit administrator had his SMS 2FA token intercepted.

You can't do SIM swap attacks in an automated way or even at scale (unless there is a serious issue with a phone provider). The average cybercriminal doesn't have the required resources to MitM intercept SMS messages for people spread across a city, country or continent. The way I interpret this, the only people who should actively avoid SMS-based 2FA systems are those who are likely to be targeted for specific attacks, but those are few and far between.

Consider an average Joe, who has about 100 accounts, but doesn't use a password manager (so he has password reuse). He doesn't have special access to any major services. He doesn't have any celebrity status or special usernames anywhere. He is a regular, non-management employee at his office with no special access to his company codebase or product. Put a different way, he's unlikely to ever be the target of an attack specifically targeted at him.

In this context, should Joe be concerned that the SMS-based 2FA he uses for Facebook, Twitter, Google, Dropbox, Slack and Nest has theoretical vulnerabilities?

Nzall
  • 7,373
  • 6
  • 30
  • 45
  • In my opinion, NO, he do not have to feel concerned. And it's the case of the vast majority of internet users, if It was not the case I guess most services providers (Google/FaceBook/DropBox...) would have stopped providing/supporting 2FA – Soufiane Tahiri Sep 20 '19 at 08:25
  • 2
    @SoufianeTahiri Actually no, it's _not_ terribly secure, but it's still better than _nothing_, and the vast majority of people with online accounts have a way to receive SMS. TOTP is better, but there are more barriers to getting people to use it (have to install an app, have to actually open the app to use it instead of getting a notification with the code, etc). This doesn't mean SMS it's good enough and you shouldn't be worried, it just raises the bar a bit for attackers. – AndrolGenhald Sep 20 '19 at 13:46
  • 1
    @AndrolGenhald, Yep I know it's not terribly secure, but as Nazll said there is no "known" way to scale the attack, so except if you're a high-profit target, there is almost NO need to worry about SS7/SIM swapping or any other similar attacks... The question was not which is better TOTP or 2FA (and yes I agree with you, TOTP is more secure) – Soufiane Tahiri Sep 20 '19 at 14:53
  • @SoufianeTahiri My point is that even if attacks could be scaled, that doesn't mean websites will stop using it (because it's still better than nothing). Whether or not SMS is a common option for 2FA doesn't tell you much about whether it's still a good option. – AndrolGenhald Sep 20 '19 at 15:03
  • I missed the point and yep I'm totally in phase with you – Soufiane Tahiri Sep 20 '19 at 15:10
  • 4
    Even though Alice is not a high-value target, if by attacking Alice's Slack account, the attacker gains access sufficient to reveal that Bob is a high-value target, the attack was of value. Many attacks against "average" people, are not about the person attacked, but gaining the ability to attack someone that person knows, so its hard to make a value judgement about an attack against an "average user with no special access rights." – Randall Sep 20 '19 at 19:35
  • 3
    The main problem with weak second factors like SMS and even email is when it is used as the sole factor for things like account recovery. This can’t be turned off on some larger services because they don’t want to deal with the recovery support. This is why for example Google for their high security setting severely restrict the recovery options and require redundant second factor tokens to begin with. – eckes Sep 21 '19 at 14:09
  • *"Security experts are constantly discouraging users from using SMS-based 2FA systems"* - Citation, please. –  Sep 23 '19 at 02:35
  • 1
    As a comment, there have been widescale attacks against SMS 2FA protecting German bank accounts. The banks in general have moved to more secure proprietary 2FA mechanisms. – Martin Bonner supports Monica Sep 23 '19 at 09:10
  • "He doesn't have special access to any major services" - it's not special access that matters, but the _amount of money_ that is available. Even for "ordinary people", the bank or brokerage account with the retirement savings may well contain 100,000+ $, which is very much worth stealing. – sleske Sep 24 '19 at 08:22
  • This isn't theoretical and SMS 2FA has been intercepted before. SMS is vulnerable because, among other vulnerabilities, the backbone of landline and cellular networks is SS7 and SS7 is vulnerable. – JW0914 Sep 24 '19 at 13:58

5 Answers5

50

There is no real concept of an "average user with no special access rights". From the perspective of an attacker the main point is if the effort needed for an attack is less then the gain of the attack. Even an "average user" might have crypto wallets or precious twitter accounts. Sometimes the gain of an attack is also not that obvious, like when a seemingly unimportant target is hacked as the initial step in a larger delivery chain attack against a more precious and better protected target.

For some examples of successful attacks see

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 3
    Yes, but what I mean is, why would an attacker bother trying to social engineer a CS rep into swapping a sim out or try and intercept an SMS through a MitM attack by being at the right place, when the average service has millions of other accounts that are probably not 2FA secured? – Nzall Sep 20 '19 at 14:32
  • 5
    @Nzall: because (to cite myself) *"the main point is if the effort needed for an attack is less then the gain of the attack"*. If the other less protected accounts have nothing interesting to offer then why waste precious time? Sure, if there is another less protected account which is a similar worthy target then one would likely attack this one first. – Steffen Ullrich Sep 20 '19 at 14:47
  • 2
    Also: https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124 – Andrew Savinykh Sep 21 '19 at 01:33
  • 2
    So what's your answer to the question? All users should worry about this? [I find answers with a clear answer or conclusion to be clearer overall and less ambiguous] – NotThatGuy Sep 21 '19 at 14:51
  • @NotThatGuy: The attacks are targeted and take some effort to do. This means that you likely will be attacked only if you have something valuable to steal (direct attack) or if you have the trust or connection to somebody who might be a worthy target (attacking you as the first step in attacking others by using trust relationships). You probably better know than me if you are a worthy target then. – Steffen Ullrich Sep 21 '19 at 19:16
  • @NotThatGuy: *"I find answers with a clear answer or conclusion to be clearer overall and less ambiguous"* - unfortunately security is usually not that way. Security is about keeping the risks low at acceptable costs and not about having no risk at all. *"All users should worry about this?"* - There is no yes and no to this. Some users should worry more than others. The more valuable a victim is the more likely it gets attacked. – Steffen Ullrich Sep 21 '19 at 19:54
  • It should probably be noted that SMS swap over the phone or anything, but in person, is not a thing everywhere. Where I live the only way you can SIM swap is physically go to your mobile provider service center, have them verify your national id and sign a paper permitting then to do it. Unless obviously you have a prepaid anonymous card not tied to your name. – Gnudiff Sep 22 '19 at 05:03
  • @Gnudiff: That assumes that the only way to get a secondary SIM is to get the issuing provider to create one. But IIUC it is relatively simple to clone a SIM if you have physical access -- and if that is possible, it wouldn't surprise me if it can also be done over the air, by impersonating a cell tower while the victim is in range. – hmakholm left over Monica Sep 22 '19 at 12:09
  • @HenningMakholm: Well, you cannot just clone a SIM even with physical access - they are specifically designed to not be copyable (at least not easily). However, you may not need a SIM card: There was a vulnerability in SS7, a telephony signaling protocol that telecom providers use. It was successfully exploited to intercept SMS messages carrying TANs. [Wikipedia](https://en.wikipedia.org/wiki/Signalling_System_No._7#Protocol_security_vulnerabilities) has details. – sleske Sep 25 '19 at 07:07
16

Like many things, there is a tiny bit of truth in there, but overall it is a non-issue in practice and incidents are reported/perceived totally out of perspective.
Most stuff, including every new system that comes up every few months and that completely obsoletes everything else is usually based on personal financial interests, dogma, belief, and snake oil. So, recently, SMS-TAN was obsoleted. And the world didn't stop.

How dare I say it's a non-issue? There's some very real security breaches!

First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such (which is usually the first factor).
Without providing the first factor, you do not even get to trigger the SMS to be sent. If the legitimate account owner triggered it, then he is currently in the process of logging in, i.e. he has a TLS connection going. The TAN won't work for anything but for the action it was triggered for either, so it's not really useful for much.

You eavesdrop my SMS? Well go ahead. What are you going to do? Unless you also have a gun so you can force me to step away from the keyboard, or you can spoof my IP address and have subverted TLS so much that you can successfully take over the connection (really, WTF? who do we defend against in this threat model?), there is not much you can do. I mean, there's reasonable things to expect, and unreasonable things. Do I need to defend against the possibility of a 2km large meteor hitting my house? If someone can take over my TLS connection, then I have more serious problems than SMS being interceptable.

Unless of course it was you who initiated the SMS-TAN in the first place, which means you must already know my password.

So a reddit sysadmin gave away his admin password or had such a pathetically bad password that it was easy to social-engineer. Or, something else that is outright face-palm scary, whatever. Took a girl he met in the bar the night before to his workplace to impress her, logged in, and walked away? Something the like?
Wow, clearly the fact that SMS can be intercepted was the problem!

SMS 2FA is the same as every other 2FA. It is a little extra hurdle that an attacker has to take, once they have the first factor. It's not much, but it's better than nothing. For the casual attacker on a random target, that little extra makes the difference between "doable" and "not doable". For example, you may get to know my Google password by chance, but you do not know my phone number (or where I even live). So, technical difficulties aside, how are you going to intercept my SMS at all?

Will 2FA stop a targetted attack by a determined attacker? Well no, it probably won't. But what will? I can always tie your girlfriend to a chair and have you watch me cut off fingers until you perform the authentication. Make it five factor authentication if you will, it won't take more than two or three fingers.

On the basis that SMS-TAN is insecure, my bank replaced TAN via SMS with a totally insecure pair of custom-made apps that will allow a transaction to be initiated, and confirmed, without ever a password or such being entered. Android's biometry API telling it "yeah, OK" is enough. It's been demonstrated that facial recognition is easy to trick.
So yeah, this is definitively so much better and more secure than having to enter a password over TLS (which is stored in Keepass) and to receive a TAN via SMS, which is worthless to anyone else.

The simple truth is, sending SMS-TAN costs money, and that stupid little app doesn't...

Damon
  • 5,211
  • 1
  • 20
  • 26
  • 3
    Obligatory [xkcd](https://xkcd.com/538/). – TemporalWolf Sep 20 '19 at 22:21
  • 19
    "First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such" <-- this is **blatantly false**. In practice, basically every single service that allows and encourages SMS "2FA" is actually delivering SMS 1FA: they allow account recovery via just the phone number/SMS, without requiring the password. – R.. GitHub STOP HELPING ICE Sep 21 '19 at 01:16
  • You are not questioning the weakness of SMS as a second factor but you are basically saying that if the users would take better care that their first factor was strong enough than it would not matter if the second factor is weak. By this you are essentially questioning why any kind of 2FA is needed at all, since users should just use strong enough 1FA. – Steffen Ullrich Sep 21 '19 at 10:30
  • 1
    @R.: That may be true, but it is irrelevant. Not few services will email you a password reset link, or worse, a plaintext password (which means they have a plaintext password stored). So, yeah, some people just get it wrong. Does that have any implications to **proper** 2FA? No. This is like the recommendation back in 2018 to no longer encrypt email because some exploits in the mail client _could_ (maybe) allow an attacker to read them. Sure, no encryption _at all_ is a good solution! Why not deliberately leave your door wide open because someone _could_ drive a truck into it to break in. – Damon Sep 21 '19 at 16:50
  • 1
    @SteffenUllrich: Some truth in it, but what I meant to say is that the first factor is not perfect. Nothing is perfect. A second factor (or third) is not perfect either, but to the average wannabe hacker it's undefeatable. It won't stand against a targetted governmental attack or organized crime, sure. But like I said, you do not even know my phone number, so how are you going to intercept my SMS? Neither do you know my password, so how do you get them sent? That's assuming a no-shit implementation that doesn't just send out SMS like that, or displays "Sending confirmation to 01234567890"_. – Damon Sep 21 '19 at 16:54
  • 2
    @Damon: Even an *"average user with no special access rights"* (whatever this is) might be a worthy target of a targeted attack because he has valuable stuff himself or might be a step to get access to valuable stuff (delivery chain attack). And SIM swap is actually not that hard to do as several examples from the past show, i.e. no need for *"governmental attack or organized crime"* but all what is needed is a determined hacker with some social skills. And the phone numbers itself are usually not kept like a very valuable secret nobody should know: most don't have a number only for 2FA. – Steffen Ullrich Sep 21 '19 at 17:10
  • @R..: Not, not necessarily. For example, in Germany many online banking systems use SMS as the second factor, but they absolutely do _not_ allow a password reset via SMS, as they well know that would be terrible security. – sleske Sep 24 '19 at 08:25
  • @sleske: Except now (which I find so upsetting) they no longer use SMS. At least mine uses a pair of two apps (one for initiating the transfer, the other as "second factor", the former invokes the latter transparently), and **both** unlock with the same fingerprint. Which is _any_ registered fingerprint on the device, by the way. Technically they're violating ZAG as they've reduced authentication to _one_ factor. – Damon Sep 24 '19 at 17:03
10

"Should I worry?" is not a technical question-- you can worry about anything you want. For Information Security purposes it is more helpful to consider specific threats, balancing their probability and risk against cost and inconvenience.

A different question you could ask is whether SMS 2FA is sufficient mitigation against criminal teams working on mass harvesting of credentials (and, for example, posting them for sale on the dark net). The answer to that is-- yeah, it's pretty good. Even if they were able to obtain a 2FA SMS code, it would not have any resale value since it is only good for a few minutes. So in terms of criminal networks reselling credentials, it is a decent mitigation. That is one kind of threat.

Another kind of threat is a criminal team or malicious user targeting you as an individual and in real time. In that scenario, SMS is completely inadequate, for reasons that I think you already understand. It is much too easy to get that code if they have the necessary resources.

That being said, NIST, FFIEC, PCI, ISO-27001, and other forms of security regulation/compliance/guidance are all moving away from SMS 2FA in favor of other options that are becoming more available as the technology evolves. But the public will take time to catch up. Heck, 90% of gmail users don't use any 2FA, let alone a securID token! That is why SMS two factor authentication isn't perfect, but you should still use it..

John Wu
  • 9,181
  • 1
  • 29
  • 39
4

Although SMS 2FA is not as strong as TOTP base MFA or the use of a hardware security key (e.g. yubikey) it still offers a significant amount of protection against the typical attacker who's just trying to make use of weak or compromised passwords.

mhr
  • 329
  • 3
  • 10
3

The problem I see with this statement is that both of these attacks to me feel like they're essentially only really feasible for attacks targeted at a specific user with the goal of breaching a targeted service.

[...]

You can't do SIM swap attacks in an automated way or even at scale (unless there is a serious issue with a phone provider).

[...]

The average cybercriminal doesn't have the required resources to MitM intercept SMS messages for people spread across a city, country or continent.

You don't always need SIM swap or MitM. Some simple attacks like phishing are already automated and that applies to 2FA codes too.

Now this kind of attack would also bypass other kinds of one-time passwords like smartphone authentication apps, and maybe even login prompts. They would be stopped by token-based 2FA like Yubikeys, since the browser would check that the domain is correct.

Also, I guess it would not be impossible for someone to hack into a phone network and run an untargeted attack while intercepting 2FA SMSs for a while until they get caught.

Hey
  • 1,915
  • 1
  • 17
  • 24