85

I did some research about how secure and private SMS messages are.

Providers and governments can see these SMS messages in plaintext,
but what is weird is that these messages are not encrypted in transit.

According to my knowledge, that makes the service vulnerable to MiTM attacks: a semi-skilled hacker who knows my location can intercept the connection and get a code to reset my Google account's password for example.

psmears
Mohamed Waleed
  • 15
    _SMS is a built-in feature on mobile phones, you don't have to install it and you cannot uninstall it intentionally or accidentally_. As @user10489 mentioned in his answer, a risk assessment could be a way to choose whether or not to use SMS. For further understanding check this https://security.stackexchange.com/a/197187/21144 – elsadek Jul 06 '21 at 12:52
  • 11
    I work on an SMS app. Sending an SMS from any arbitrary number is outright _trivial_. There is nothing more insecure than SMS. – Mooing Duck Jul 07 '21 at 00:09
  • @MooingDuck will you get disconnected and/or sued if you abuse the feature? – user253751 Jul 07 '21 at 08:16
  • 6
    Related: [How hard is it to intercept SMS (two-factor authentication)?](https://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication) – sleske Jul 07 '21 at 11:09
  • 29
    @MooingDuck Yes sending to any number you want is easy. Sending from any number is also easy. But both of those are irrelevant here. What matters here is being able to receive messages that are meant for any number. This isn't trivial afaik. – Jory Geerts Jul 07 '21 at 12:44
  • @JoryGeerts how is it easy to send a sms from any number ? – Mohamed Waleed Jul 07 '21 at 22:31
  • 2
    @MohamedWaleed Pretty much any SMS gateway provider (which is what for instance governments use to actually deliver the messages) allows you to set any number you want as the sender (including setting letters instead of digits). It isn't something you can do from your phone, but an API key (from a free trial that most providers offer) and maybe 10 lines of code and you're good to go. – Jory Geerts Jul 08 '21 at 07:50
  • @JoryGeerts isn't it weird that you can impersonate anyone by this ? – Mohamed Waleed Jul 08 '21 at 22:47
  • 5
    @MohamedWaleed: it's no different than sending a letter and signing like someone else. It has been doable for millennia. The tricky part is to intercept the reply. – Martin Argerami Jul 09 '21 at 04:56
  • 4
    @MohamedWaleed https://abcnews.go.com/Technology/wireStory/cyberstalker-years-prison-war-woman-72018611 This ...person... sent himself spoofed threatening text messages and then used that to get a restraining order and ultimately get his ex arrested and jailed (twice). I believe he eventually was caught because he sent a spoofed message while she was in jail. (And of course at the same time there are many people who really are being sent threatening text messages and need immediate police response to protect them, so everyone does have to take that seriously.) – user3067860 Jul 09 '21 at 14:22

7 Answers

74

Yes, you're right. SMSes are not recommended in any two-factor authentication (2FA) process nowadays. They can be easily intercepted and modified.

That's why a lot of companies are recommending other alternatives:

SMSes are considered obsolete when talking about a secure way to verify your identity. They are also affected by SIM Swapping attacks. That's why some 2FA apps that use TOTP, like "Google Authenticator", are gaining more popularity in the market.

There are many examples on the Internet exploiting these weaknesses:

Even with all these examples, SMSes are still used because:

  • The infrastructure for SMSes is already implemented worldwide and changing it would be really expensive.
  • They are a relatively easy and cheap way to implement 2FA.
  • They can be used without special software / apps in any cellphone.
  • For old cellphones, this may be the only way to receive a 2FA code.

But no matter what technology you are using, attackers always take advantage of the weakest link, in this case people, so they will use social engineering techniques to try to trick you into sending the 2FA code to them.

galoget
  • so, sooner or later SMS should not be used and service providers like Vodafone should implement a technology for short messages considering the implementation of something like SSL in the HTTP protocol? – Mohamed Waleed Jul 06 '21 at 11:35
  • 66
    The SMS will stay there for a long time. It is simple and it works in most cases. Intercepting SMS requires being in range of the victim so the attacks are easy only in theory. Social engineering is still a bigger concern than actual black-hats driving around in an ice-cream truck to intercept your paypal authentication code. – nethero Jul 06 '21 at 11:39
  • 31
    "Google Authenticator" is just a brand name for the open standard [TOTP](https://en.wikipedia.org/wiki/Time-based_One-Time_Password). Unbranded open-source compatible apps are [available](https://fossdroid.com/a/freeotp+.html). – A. Hersean Jul 07 '21 at 08:00
  • 9
    @nethero Sim swapping does not require to be in range of the victim. You do not even have to be in the same state as the victim to intercept SMS. You might be confusing with IMSI-catchers used to intercept all mobile communications (including vocal) at proximity. – A. Hersean Jul 07 '21 at 11:48
  • @A.Hersean so you've decided to ignore the "social engineering part" of my comment. – nethero Jul 07 '21 at 12:36
  • 1
    @nethero: sure, because the correction was about the other part. – Paul D. Waite Jul 07 '21 at 15:07
  • 1
    @PaulD.Waite sim swapping is a social engineering attack which is a bigger concern than any interception, so where exactly I'm being corrected? – nethero Jul 07 '21 at 20:37
  • 1
    Also, companies offering custom service like to get a hold of mobile numbers for fraud prevention and marketing reasons. (Of course they might not admit it ,) – eckes Jul 07 '21 at 21:07
  • @eckes how do these companies prevent fraud by getting hold of mobile number ? – Mohamed Waleed Jul 07 '21 at 22:39
  • By making it hard to sign up multiple times – eckes Jul 07 '21 at 22:44
  • @eckes you mean that the number of "phone numbers" one user can have is more limited than the number of emails the user can have? – Mohamed Waleed Jul 07 '21 at 23:05
  • 3
    The problem with TOTP is that most big services that support TOTP also allow SMS as a backup (I'm looking at you Google & Amazon). It completely nullifies the security benefits of TOTP. – zakinster Jul 08 '21 at 09:30
  • 15
    With SMS being unarguably the worst way of implementing 2FA, it's worth highlighting that even the worst 2FA is infinitely more secure than no 2FA. – René Roth Jul 09 '21 at 11:24
  • @MohamedWaleed no I don't say that, but at scale it makes it much harder for end users to open an unlimited number of sock puppets (and you have a better law enforcement handle for the worst case). Of course that protection is not perfect, but it is rather low cost/complexity. – eckes Jul 16 '21 at 21:55
  • 1
    @zakinster agreed. Especially annoying for AWS where you can actually un-bind the 2FA when you have access to email and SMS. Especially in a corporate scenario where you used company email and phone system this totally allows ransomware crews to delete your AWS presence despite TOTP or WebAuthn on the root account. – eckes Jul 16 '21 at 21:56
51

SMS is not exactly plaintext.

The network operator has it in plaintext, but the attack surface there is limited and both organizational and technological measures limit the exposure.

Over the air, it is pretty much encrypted, unless one uses 2G which can be optionally unencrypted and vulnerable to downgrade attacks. Most modern phones can be forced to use 3G and above.

And yes, these encryption methods are considered weak in relation to e.g. TLS and successful attacks do exist. But these attacks require equipment, skills and have their own prerequisites (like a great deal of exchanged data, etc.).

SIM swapping and other social engineering attacks are also possible, but they are - again - attacks and they require luck, skills and effort. They are not a ready-to-use access channel. They can fail miserably as well - all the way down to being arrested and prosecuted.

In short, SMS is not that bad for use as a second factor.

edit: There is no good and bad (by itself) method.

There are good and bad methods in relation to the risk spectrum, the stakes and the user base involved. SMS is bad for launching nukes, but good enough for the average Joe's online payments. It is bad as well in regard to the order of an attractive toy use in a kindergarten.

In the security field, "good enough" is quite often the best method, because security always cripples the usefulness of the resource in question.

Edit2: As per @Steve comment: the worst second factor is one that users refuse to use because it's "too complicated" or "doesn't work on my system". This will either lead to users having only single-factor authentication, or becoming ex-users as they cancel their service or similar. In that context, a "bad" second factor is still good, because it's better than losing customers or relying on only a single factor. Even more customers can be kept by offering a stronger alternative to SMS (or other weaker second factors) for those customers who appreciate the technical differences and prefer stronger security.

fraxinus
  • 8
    I agree with everything but the last part. SMS is still a bad second factor despite the available protections. – ThoriumBR Jul 06 '21 at 21:45
  • I think SMS is a bad second factor, but it performs well (not the best) at phone number verification. – Mohamed Waleed Jul 07 '21 at 00:29
  • 7
    There is no good and bad (by itself) method. There are good and bad methods in relation to the risk spectrum, the stakes and the user base involved. SMS is bad for launching nukes, but good enough for the average Joe's online payments. – fraxinus Jul 07 '21 at 06:26
  • 17
    "Good enough" doesn't mean no incidents happen. "Good enough" means that incidents are on small scale and are manageable (from the viewpoint of the decision-maker). And, the whole 2FA thing is about allowing a margin of error. If it wasn't for the margin of error, the password alone can be "good enough", too. In a lot of cases the 2FA is imposed by the regulation and not because too much and too big incidents happen. – fraxinus Jul 07 '21 at 08:59
  • 4
    Security is about risk management, not being an unconquerable fortress. As I am no security expert, I won't comment on whether the SMS is "good enough" for the average Joe, where "good enough" means the associated risk/cost is low enough. – Walfrat Jul 07 '21 at 09:10
  • 2
    Security is also making it "hard enough". Even though most people wearing basic boots can kick through a door, you still put a lock on your door. A 2FA will make the majority of hackers simply move on instead of making more of an effort. Criminals are lazy too. – Nelson Jul 07 '21 at 15:46
  • 1
    What does this mean? "It is bad as well in regard to the order of an attractive toy use in a kindergarten." – Robert Jul 07 '21 at 20:09
  • 7
    @ThoriumBR - the worst second factor is one that users refuse to use because it's "too complicated" or "doesn't work on my system". This will either lead to users having only single-factor authentication, or becoming ex-users as they cancel their service or similar. In that context, a "bad" second factor is still good, because it's better than losing customers or relying on only a single factor. Even more customers can be kept by offering a stronger alternative to SMS (or other weaker second factors) for those customers who appreciate the technical differences and prefer stronger security. – Steve Jul 08 '21 at 09:08
  • @Steve saved your comment in my answer to prevent the comment rot killing it, because it touches important points. – fraxinus Jul 08 '21 at 09:15
28

SMS has significant advantages to the user:

  • It's universal - every mobile phone can handle it, even the dumbest feature phone. Users may not be able to afford a smartphone and associated data plan, or may have no need for something so complex. Even many landlines can receive SMS - I got one recently.
  • Similarly, a new phone but the same number, and it just keeps working.
  • It's accessible - if you can't see to read a notification but your phone can use text-to-speech, it still works. Not all apps respect the device's font size setting either.
  • It takes essentially no storage on a phone (unlike installing one app for every provider - my bank would use its own app, and last I checked, so would paypal, for example)
  • It doesn't demand unreasonable permissions (e.g. Microsoft authenticator has things like delete accounts, precise GPS location, prevent phone from sleeping, broad access to files, etc.)

As yet there's no single standard to replace that across such a wide range of accounts and providers

Chris H
  • 4
    It's a point that a lot of IT depts overlook. Digital poverty is very real, and not everyone has access to a smartphone that can have access to a "dumb" phone. I like to make this point a lot more clear for people to understand why SMS, while insecure, is still very valid. – schroeder Jul 07 '21 at 09:04
  • 3
    And nice text-to-speech point. That's a more difficult point to raise as a lot of people can't imagine a visually impaired person using a phone with a screen. – schroeder Jul 07 '21 at 09:06
  • 2
    @schroeder Yes, vision is very variable, and a specific authenticator app may not lend itself well to text-to-speech (via google assistant) or even to enlarged fonts (as may be done in a browser) – Chris H Jul 07 '21 at 09:08
  • 3
    - portable to a new phone. Google Authenticator at least doesn’t let you transfer to a new phone. And especially if you lose your phone, you’re stuck. (One of many reasons I don’t use Google Authenticator). – Tim Jul 07 '21 at 18:32
  • 1
    Thanks @Tim, added. I use a Firefox plugin on desktop which works on home and work machines for some stuff, and SMS or automated phone calls for others, so no authenticator on my phone at all. – Chris H Jul 07 '21 at 19:17
  • @Tim Google Authenticator has a feature to transfer accounts but you have to export them from your old phone, so the only problem is when you lose your old phone. I think the main problem with Google Authenticator is that it requires a med-skilled user to use it safely and manage some cases like losing the phone – Mohamed Waleed Jul 07 '21 at 22:54
  • @MohamedWaleed looks like that was added in late 2020 - that’s after I switched! And it seems somewhat limited - only 10 at a time, and doesn’t work when you lose your phone (no cloud backup). But good to know anyway – Tim Jul 07 '21 at 22:55
  • @ChrisH but authenticators are the recommended method for 2FA – Mohamed Waleed Jul 07 '21 at 22:58
  • @Tim yes, you are right. This feature is relatively new, and somehow limited like you mentioned. So I said that it is not recommended for most users and it is better for a med-skilled user that knows how the authenticator works and how to store and deal with these kind of data. – Mohamed Waleed Jul 07 '21 at 23:01
  • 1
    @MohamedWaleed personally I use my password manager as my 2FA system. This has upsides and downsides, but the big one is (like SMS) it’s hard to lose access. Authenticator may be the recommended method, but that doesn’t make them the best method in all situations… e.g. perhaps Chris doesn’t use a smart phone! – Tim Jul 07 '21 at 23:08
  • 1
    @MohamedWaleed for what I use, the desktop browser plugin is equally recommended, and is usually more convenient for me (except if I get logged out of my work emails on my personal phone when away from my desks for a long time). My smartphone is selected for being cheap, waterproof, and having good battery life, so it's tight on internal storage, & I'm very reluctant to install things with excessive permissions especially over accounts and device lock/sleep. recommendations based on a very narrow view of the user's situation aren't worthy of much consideration. – Chris H Jul 08 '21 at 07:35
  • I disagree about "universal". Phone verification is *truly* universal because it works with all phones, including *real* phones (landlines). Email verification is as well since that's universally accessible. SMS does not meet the criteria for being dubbed "universal", it is a closed format incompatible with many devices. – InterLinked Jul 08 '21 at 20:31
  • 2
    @InterLinked universal in the context of cellphones, which globally is the majority of phones. Then you can add in landlines that can receive SMS (I don't know if mine still can, but it used to be able to). SMS is far closer to universal than email in a global context, considering the large parts of the world where a feature phone or basic smartphone may be the only electronic device people own – Chris H Jul 08 '21 at 20:57
  • @InterLinked but when you create an email account, most services will ask for a phone number to prevent spam accounts and it will send you an SMS or a phone call to verify that you own this phone number. In my opinion SMS is more universal than emails. Some people do have a phone number but don't have an email account. – Mohamed Waleed Jul 08 '21 at 23:00
  • 1
    @MohamedWaleed Even so, (though I disagree), phone verification is more universal than SMS. – InterLinked Jul 08 '21 at 23:57
13

One aspect of SMS as 2FA authentication that I feel isn't as covered is the availability of the method itself; you don't need a wifi connection or a data plan to run an SMS 2FA setup, nor do you need a 2FA-specific app to set it up.

If you're working from an Ethernet connection in a remote area that has cellular reception, but would be considered roaming in your current mobile plan, a single SMS message is cheaper than enabling the data plan you'd otherwise need.

It's also compatible with cheaper phones that don't have a full app store capability (i.e. flip phones and other non-smart phones).

Furthermore, if the phone/SIM card is stolen, it's revocable - you simply set the system to never send to that number again, and there's nothing an attacker can do from that point onwards short of social engineering to get the number added again.

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/127399/discussion-on-answer-by-alexander-the-1st-why-is-sms-used-as-a-way-of-verifying). – schroeder Jul 10 '21 at 17:40
10

In an early draft of NIST SP 800-63-3, SMS was listed as a deprecated 2FA mechanism. When the final draft was released, this paragraph was removed, but examples remain in 800-63B of compromising SMS via collusion with the mobile phone operator. Although not deprecated in the final publication, SMS (and PSTN out-of-band authentication in general) is listed as a "restricted" authentication method, meaning that more secure alternatives are supposed to be offered.

It is generally accepted that password + SMS is better than password alone. It is also generally accepted that SMS is not extremely secure, as it can be stolen virtually fairly easily, although efforts have been made to make this harder. (SIM swapping is only one method to do this.)

Intercepting SMS by physical means might actually be harder than other methods, as it requires close physical presence, sophisticated (but inexpensive) hardware and software, and good timing.

The general advice on SMS for 2FA (as with any security measure) is to carefully evaluate risks and determine if SMS is appropriate for your uses.

jimfenton
user10489
4

We use SMS as "something you have" authentication factor for the same reasons we are still using keys to unlock doors.

All our doors could have keyless smart locks with access history, clone-proof tags and video surveillance, but security may not be the only concern. There is user-friendliness, maintenance, emergency/backup/shared access and possibly more things to consider.

Of course, SMS is not the safest channel.

Possible attacks

From easy to very hard/unlikely:

  • Physical access to your phone, unlocked or locked with visible notifications
  • SIM Swapping, someone pretends to be you and asks for a new SIM card from your mobile operator
  • Porting Fraud, someone pretends to be you with another mobile operator and initiates the attack immediately after the number portability process completes
  • Remote access to your phone, like the recent news regarding the Pegasus spyware, but there are other less sophisticated ways of exploiting phone vulnerabilities
  • Service providers, in which category I would include everyone transiting the 2FA code, from the SMS aggregator with an HTTP API that the bank is using to send the 2FA code to transit carriers and, finally, to your mobile carrier.
  • Low level SS7 attacks against your carrier network, tricking the network to pass the communication to a third party, like the 2013-2014 reports about a foreign agency candidly snooping the German chancellor's phone.
  • Lawful intercept, when not happening legally

Possible solutions

You can protect yourself from physical access by locking your phone and from remote access by paying attention to what you install or visit online.

For SIM Swap/Port Fraud, the entity generating the 2FA code could do a web API call to a service like the ones provided by the company I'm currently working for, TMTAnalysis (shameless disclaimer, proud of my coworkers, we are not the biggest fish in this pond), that checks with the mobile carrier if the number had been recently ported/swapped before sending the code. If the API result says number is high risk, stronger/alternative solutions could be triggered instead of SMS.

For the remaining attack types, well, there is not much you can do about those. Mobile carriers and government agencies have strict, audited policies regarding access to your communication. Also, there is great effort in firewalling the signaling networks, especially SS7; the attacks currently happening there will keep making interesting articles here on SE in the following years (spam, smishing, tracking, interception, bypass, fake USSD, DoS, IMSI disclosure, location/ATI fraud, ...).

claudiuf
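The "check before you send" gate described in the answer above, as an added example that is not code from the page or from TMTAnalysis: the carrier lookup is simulated with a constructed in-memory table (a real deployment would call a number-intelligence API, whose name and response format are not on the page and are therefore not assumed here), and the seven-day window is an assumed policy value. The decision fails closed: a number the lookup does not know, or one that was ported or SIM-swapped inside the window, is routed to a stronger alternative instead of SMS, and the reason is returned so it can be logged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

# Added example, not code from the page or from TMTAnalysis.
# Assumed policy value: a port or SIM change this recent counts as risky.
RECENT_CHANGE_WINDOW = timedelta(days=7)


def utc_day(year: int, month: int, day: int) -> datetime:
    """Helper to build timezone-aware UTC timestamps (midnight of the given day)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class NumberStatus:
    """Hypothetical shape of what a carrier / number-intelligence lookup reports."""
    last_port_at: Optional[datetime]        # last number-portability completion
    last_sim_change_at: Optional[datetime]  # last SIM swap / replacement


# Constructed sample data standing in for the carrier lookup (not real numbers).
_SIMULATED_LOOKUP = {
    "+15550000001": NumberStatus(None, None),                     # stable number
    "+15550000002": NumberStatus(None, utc_day(2021, 7, 5)),      # SIM replaced days ago
    "+15550000003": NumberStatus(utc_day(2021, 1, 10), None),     # ported months ago
}


def simulated_lookup(e164: str) -> Optional[NumberStatus]:
    """Stand-in for the API call; None means the number is unknown to the service."""
    return _SIMULATED_LOOKUP.get(e164)


def choose_delivery(
    e164: str,
    now: datetime,
    lookup: Callable[[str], Optional[NumberStatus]] = simulated_lookup,
    window: timedelta = RECENT_CHANGE_WINDOW,
) -> Tuple[str, str]:
    """Decide whether a one-time code may go out over SMS.

    Returns ("sms", reason) or ("step_up", reason); "step_up" tells the caller
    to use a stronger/alternative factor (e.g. a TOTP app) instead of SMS.
    Unknown numbers fail closed because their risk cannot be assessed.
    """
    status = lookup(e164)
    if status is None:
        return "step_up", "no carrier data for number"
    checks = (("ported", status.last_port_at), ("sim changed", status.last_sim_change_at))
    for label, changed_at in checks:
        if changed_at is not None and now - changed_at < window:
            return "step_up", f"{label} {(now - changed_at).days} day(s) ago"
    return "sms", "no recent port or SIM change"


if __name__ == "__main__":
    today = utc_day(2021, 7, 8)
    for number in ("+15550000001", "+15550000002", "+15550000003", "+15550000009"):
        channel, why = choose_delivery(number, today)
        print(f"{number}: {channel:8} ({why})")
```

The `lookup` parameter is injected so the same policy can be exercised against the simulated table in tests and against a real client in production; the window is deliberately compared with `<` so that a change exactly at the boundary is treated as old enough.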
2

I think it's worth mentioning that the second factor here is proof of "something you have" (as opposed to "something you know", or "something you are").

Simple TOTP applications (like Google Authenticator) allow you to prove that you physically have a device you had when you set up the security, by storing on that device a generated secret, and they deliberately don't allow you to transfer that "physical" thing to another device. Some TOTP applications weaken that slightly and allow you to back up that secret in an online account - so it's available across all your devices, or if you lose the original device - but fundamentally it's still proof of possession, the only difference is where that possession is stored. It's not the same as "something you know" because you're not expected to memorise the secret, you're expected to store it somewhere that others can't access.

SMS is proof of "something you have", but the thing you have is not a secret stored on a device, it's access to your own phone number / service. You could probably argue that's "something you are", but it's definitely not "something you know". Regardless of encryption, if you have access to someone else's phone service (because you can look over their shoulder or get a hold of their unlocked phone), you can prove that you have access to that phone number. Of course all the other (much harder) attacks that allow sniffing the SMS in transit exist as well. But all of that just means that the proof is less trustworthy, and all MFA proofs exist on a spectrum of trustworthiness (of which "no MFA at all" is at one end).

Why is it used at all? Because access to someone's phone service is easy to prove (both for users and services) and non-trivial to cheat.

MrCranky
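The TOTP "proof of possession" described in the answer above (and the "Google Authenticator"-style apps galoget's answer mentions), as an added example that is not code from the page or from any authenticator app: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation with the defaults most TOTP apps use (HMAC-SHA1, 6 digits, 30-second steps). The shared secret is generated at enrolment and stored on the device, the server keeps its own copy, and only the derived code crosses the network, which is why possession of the device (not knowledge of a code) is what gets proven. The self-check reproduces the RFC 6238 Appendix B SHA-1 test vectors truncated to 6 digits; the one-step acceptance window for clock drift is an assumed server policy.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Added example (not code from the page or from any authenticator app):
# RFC 4226 HOTP / RFC 6238 TOTP with the defaults most TOTP apps use.
STEP_SECONDS = 30   # time step length
DIGITS = 6          # code length
SKEW_STEPS = 1      # assumed server policy: accept one step either side for clock drift


def generate_secret(nbytes: int = 20) -> str:
    """Enrolment: random shared secret, base32-encoded as it appears in the otpauth:// QR payload."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226 s5.3)."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """TOTP: HOTP with the counter derived from Unix time (RFC 6238)."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None, skew: int = SKEW_STEPS) -> bool:
    """Server side: constant-time comparison against the current step and +/- `skew` neighbours."""
    t = int(time.time()) if at is None else at
    counter = t // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
        for d in range(-skew, skew + 1)
    )


# RFC 6238 Appendix B SHA-1 vectors (secret "12345678901234567890"), cut from 8 to 6 digits.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")
RFC6238_VECTORS = {59: "287082", 1111111109: "081804", 1234567890: "005924"}


def rfc6238_self_check() -> bool:
    """True when this implementation reproduces the RFC test vectors."""
    return all(totp(RFC6238_SECRET_B32, t) == code for t, code in RFC6238_VECTORS.items())


if __name__ == "__main__":
    secret = generate_secret()          # would be shown to the user as a QR code once
    code = totp(secret)                 # what the app displays
    print("self-check:", rfc6238_self_check())
    print("secret:", secret, "code:", code, "verifies:", verify_totp(secret, code))
```

Two details matter for a server implementation: comparisons use `hmac.compare_digest` rather than `==` so the check does not leak how many leading digits matched, and a real verifier should additionally record the last accepted time step per user and refuse a code from that step or earlier, so a code captured in transit cannot be replayed inside the acceptance window.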