As cybersecurity veterans, CyberHoot vCISOs have watched Multi-factor Authentication (MFA) techniques evolve over the years. SMS-based MFA has been widely adopted for its convenience and ease of implementation, but it carries several weaknesses that attackers can exploit. In this blog, we discuss the risks associated with SMS-based MFA, including lack of encryption, network outages, SS7 attacks, social engineering, and SIM-swapping. We then recommend alternative MFA solutions that provide better security.
SMS-based MFA is vulnerable to various types of attacks, making it less secure than other MFA methods. The lack of encryption on SMS messages, the risk of SS7 attacks, social engineering, and SIM-swapping are significant risks associated with SMS-based MFA.
SMS messages are not encrypted in transit, so they can be intercepted and read by attackers. If the message carries sensitive information, such as a six-digit authentication code, an attacker who reads it can use that code to gain access to the targeted account.
Mobile carrier networks are not immune to outages that make SMS unavailable. Such outages, while rare, can occur while the Internet remains up and functioning, preventing you from accessing your critical accounts in an emergency.
SS7 stands for Signaling System 7, a protocol first deployed in 1988 and last updated in 1993 (30 years ago). Telecommunication companies use it to exchange information between mobile carrier networks. Attackers can exploit vulnerabilities in SS7 to intercept and redirect SMS messages meant for the intended recipient; this is known as an SS7 attack. It lets them intercept the MFA process and obtain the targeted account's second-factor credential. Combined with a reused password, this gives attackers access to critical accounts protected only by this form of MFA.
Social engineering is a tactic attackers use to trick individuals into divulging confidential information. In the case of SMS-based MFA, an attacker can contact the victim's mobile service provider and impersonate the victim to obtain the SIM card associated with the victim's phone number. With that SIM card, the attacker receives SMS messages intended for the victim, bypassing the MFA process and gaining access to the targeted account. A related SIM card attack, SIM-swapping, is examined next.
SIM-swapping is a technique attackers use to take control of a victim's phone number. The attacker impersonates the victim to convince the mobile service provider to transfer the victim's phone number to a SIM card in the attacker's possession. With control of the phone number, the attacker receives the second factor, the SMS code, and gains access to the targeted account using an exposed, reused, or cracked password.
These represent the top five risks to SMS-based multi-factor authentication. Let's turn our attention to the best practices to follow if you must use SMS MFA, even though CyberHoot no longer recommends it. We'll then describe alternative MFA methods that are much safer than SMS-based MFA.
Despite its vulnerabilities, SMS-based MFA can still provide an additional layer of security when used correctly. Here are some best practices that can help mitigate the risks associated with SMS-based MFA:
To enhance the security of MFA, several alternative solutions exist that are more secure than SMS-based MFA. Here are some examples:
SMS-based MFA has been a widely used method for providing an additional layer of security, but it has significant vulnerabilities that can be exploited by attackers. Lack of encryption, network outages, SS7 attacks, social engineering, and SIM-swapping are all risks associated with SMS-based MFA. While there are best practices that can help mitigate these risks, alternative MFA solutions exist that provide better security, such as mobile authenticator apps, hardware tokens, and biometric authentication.
As cybersecurity veterans, CyberHoot recommends that individuals and organizations consider these alternative solutions to enhance their security posture and protect their sensitive information and assets.
Additional Reading: Tales from the Crypt on the Risks of SMS based MFA