SMS logins: an illusion of security

The IT security world is still reeling from the impact of the OpenSSL Heartbleed bug. Thanks to the bug, many experts have been reviewing other technologies to try and find similar risks.

While Heartbleed was hidden away in the depths of the OpenSSL code base, another major security risk has been hiding in plain sight: SMS authentication for web site logins.

Remarkably, a number of firms have started giving customers the ability to receive single-use passwords over SMS for logging into their secure web sites. Some have even insisted that customers can no longer log in without it, denying customers the right to make an important choice about their own security preferences.

Unfortunately, SMS is no substitute for the one-time passwords generated using proper authentication tokens or the use of other strong authentication schemes such as cryptographic smart cards. Even telephone companies themselves advise that SMS should not be used to secure financial transactions.

Ocean's 11 in real life: exploiting the weakest link in the chain

To deliver single-use SMS passwords, the SMS must travel through various networks from the firm's headquarters, to a wholesale SMS gateway, international SMS network and finally down the line of the local phone company.

In comparison, properly certified token devices generate a code inside the device in the palm of your hand. The code only travels from the screen to your eyes.

In a litany of frauds coming in all shapes and sizes, telephone networks have been exploited over and over again because they are almost always the weakest link in the chain. Using the mobile SMS network for authentication is not building on solid ground - some experts even feel it is downright stupidity.

One of the most serious examples was the theft of $150,000,000 from a pension fund deposited with JP Morgan: it was described as a real-life case of Ocean's 11. The authentication was meant to be a phone call rather than an SMS: a phone company employee who was in on the scam duly ensured the call never reached the correct place.

The insecurity of traditional telephone networks has been on display for all the world to see in the ongoing trial of News Corporation executives for phone hacking. If journalists from a tabloid newspaper can allegedly hack a dozen phones before their first cigarette of the day, is it really wise to use an insecure technology like SMS as the cornerstone of a security system for authorizing transactions?

A fraud recently played out on many credit card holders in the UK exploited a low-tech feature of the phone system to trick people into believing they were safe by "calling back" to their bank.

A plethora of new attack vectors

The staggering reality of the situation is that attackers don't even have to directly hack their victim's phones to access SMS messages.

As the Android API documentation demonstrates, SMS reception is notified to all apps in real-time. Apps can process the messages even when the phone is sleeping and the message is not read by the user.

Just consider all the apps on a phone that have requested permission to read incoming messages. There was an uproar recently when a new version of the Facebook app started demanding permissions to read incoming SMS. The app can't be installed if the user doesn't agree to these new permissions. WhatsApp, another popular app that has SMS access rights, was recently exposed in a major security scandal which revealed they use a phone's IMEI number as the password. When people install an app like Tinder (which does not yet request SMS access) is the security of their bank account likely to be at the front of their mind?

Even if Facebook intends no harm, they have opened the floodgates by further desensitizing users to the risks of giving apps unnecessary access to their data.

These companies are looking for every piece of data that could give them an edge in their customer profiling and marketing programs. Having real-time access to your SMS is a powerful way for them to understand your activities and feelings at every moment in the day. To facilitate these data analysis techniques, replicating and archiving your messages into their cloud databases (whether you can see them there or not) is par for the course.

The cloud, of course, has become a virtual smorgasbord for cyber-criminals, including both hackers and occasionally insiders wanting to peek at private data or harvest it en masse. Social networking and communication sites are built on a philosophy of sharing data to create interaction and excitement. Unfortunately, this is orthogonal to the needs of security.

In this context, the telephone network itself may no longer be the weakest link in the chain. The diligent attacker only needs to look for the cloud operator with an unplugged security hole and use their system as a stepping stone to read any SMS they want, when they want.

Would you notice a stray SMS?

Maybe you feel that you would notice a stray SMS carrying a login code for your bank account. Would you always be able to react faster than the criminal, however?

Thanks to social networks, or location data inadvertently leaked by other apps, the attacker can easily work out whether you are on holiday, at the gym, at a party, sleeping or in some other situation where you are not likely to check messages immediately.

If you receive a flood of SMS spam messages (deliberately sent by an attacker) in the middle of the night and you put your phone into silent mode and ignore it, you may well miss one message that was a login to your bank account. SMS technology was never designed for secure activities.

The inconvenience of SMS

While security is a headline issue these days, it is also worth reflecting on the inconvenience of SMS in some situations.

Travel is at the top of the list: SMS doesn't work universally when abroad. These are usually the times when the only way to access the bank is through the web site. After dealing with the irritations of the hotel or airport wifi registration, do you really need more stress from your bank's systems too? For some networks, SMS can be delayed by hours or days, sometimes never arriving at all.

Many people swap their SIM cards when travelling to avoid the excessive roaming charges and there is extra inconvenience in swapping SIM cards back again just to log in to a bank account. Worst of all, if you are tethering with a SIM card from the country you are visiting, then it is impossible for you to receive the SMS message from the bank on your regular SIM card while simultaneously maintaining the SSL connection to their web site over your new SIM card.

Other problems like a flat battery, water damage or a PIN permanently blocked by children playing with the phone can also leave you without access to your bank account for varying lengths of time.

Is there any up-side to SMS authentication?

The only potential benefit to SMS authentication is that it weeds out some of the most amateur attempts to compromise your bank account, but this is a false sense of security and it opens up new attack vectors through the cloud as we have just demonstrated. For all other purposes, it smells like a new form of security theater.

A more likely reason why it has become popular amongst some firms is that many lenders want to ensure they have mobile phone numbers to contact customers when loan or credit card payments are missed. Making the mobile phone number mandatory for login ensures they have the correct phone number for almost 100% of customers. It is not clear that this benefit justifies the failure to provide proper security and the inconvenience when travelling though.

Opting out

Next time you log in to a web site, if the firm does try to enrol you in an SMS authentication scheme, it may be a good idea to click the "No thanks" option.

If you have already been registered into an SMS authentication scheme, fill out the online complaint form and inform the firm that you will only accept a proper authentication token or cryptographic smart card. These solutions are tried and tested and they are the correct tool for the job.

Comments

It turns out that any kind of second factor, even if it is not cryptographically secure, makes reuse of obtained credentials so much harder. There is a difference between being able to unwrap the unsalted password hash obtained from a retailer's bad website and stuff it into random login forms on the web and being able to intercept the SMS infrastructure a bank uses.

Yes, a targeted attack will still work and might phish your second factor. But then it is also entertaining that you list proprietary tokens when RSA got its seeds stolen and used for a high profile attack.

The RSA issue was obviously quite damaging but hopefully it has also forced people in the industry to think more carefully about the risks of putting all their eggs (keys) in the one basket. If the lessons are learnt, genuine OTP solutions will emerge stronger. On the other hand, low cost and inconvenient solutions based on SMS may actually have the opposite effect, letting people feel that other shortcuts and compromises are acceptable or deterring them from using two-factor authentication completely.

Do you think the OpenSSL disaster will make people think more carefully? There are so many situations where we compromise. Barring people from getting a net increase in their account security seems backwards to me. Sure, in an optimal world we will all have smartcards or their equivalent. In fact a big company is already working on it: http://www.wired.com/2013/01/google-password/ (Full Disclosure: I'm currently employed by Google — and this is just my own opinion.)

So there are valid concerns about those poorly thought out two-factor systems, but I do not see them here. PayPal allows one to use SMS verification but falls back to insane pre-selected security questions. You have to solve two to get equivalent account access. Banks routinely do not present what is being signed with the SMS token but instead just show an order number that is not even per user. And it might well be that the Android API needs to grow restricted access to received messages as well as sending (the latter was realized in 4.4) to reduce possible leakage of the tokens.

But I still contend that you should turn on two-factor authentication wherever possible and wherever it does not reverse liability (SecureCode / Verified by VISA being a sad counterexample that's sort of unavoidable these days). HOTP/TOTP are certainly to be preferred over SMS, but if SMS is the only way it still increases the cost for those black hats a lot.

I also prefer TOTP, but I think you're very quick to dismiss the upsides to SMS, especially from the perspective of a big company. For example:

  • SMS doesn't require any setup on the user's behalf. TOTP/HOTP requires users to use a third-party app (Google Authenticator? "Why am I using Google to authenticate for X"?) or the first-party app (in which case every app has the auth token in a different place).
  • If you lose/reset/drain your phone, you can still continue to receive SMS authentication on any phone with your old/reissued SIM card

I asked Alex Stamos (new CISO at Yahoo!) about Yahoo's use of SMS instead of TOTP after a security talk he gave recently, and I think he had a reasonable argument for Yahoo's use of SMS.
Basically, the UX for TOTP is a failure for the average user, while SMS auth provides most of the benefits.

(Of course, I still agree that TOTP is superior for a user who knows what they're doing.)

I ranted about that very idea in 2010: http://seegras.discordia.ch/Blog/credit-suisse-security-idiots/ (in German).

SMS authentication is not very secure, but from a website perspective, what's worse is that it is also generating high friction. First, some people won't give their numbers. Or they don't understand how the SMS authentication works (like the elderly population). If they do give the number, some will change the number later on and never bother letting the website know, or they don't have the regular phone with them when the SMS is sent (e.g. if they travel abroad and use a different SIM). Then in certain cases the battery is dead, or the phone has poor reception, or the SMS is delayed... Banks report north of 20% failures. And for every failure, you have a customer who is now walking to the branch or calling. For eCommerce websites it can even be worse: if you can't access your account, you may abandon the purchase altogether. Finally, the world is moving to Mobile and the whole notion of SMS authentication in mobile is quite ridiculous. So it's not just fraudsters that websites worry about: it's all the genuine users who can't cope with SMS authentication.

You are mistaken by using the term "elderly population". Many elderly are computer savvy so don't make that statement. Maybe you mean those who are not acclimated or computer literate.