Why Using SMS Text Messages For Two Factor Authentication Is A Bad Idea
Signalling System 7 or SS7 is the communication system that telephone carriers, both cellular and land line, use behind the scenes to route calls.
Originally developed in 1975 – way before the Internet was popular – SS7 has virtually no security in it. It counts on securing the connections between telephone company switches, which, in this day, is a really bad concept.
Hackers have demonstrated before that they could hijack text messages by exploiting SS7, but the white hat hacking group Positive Technologies wanted to see if they could empty a customer’s Bitcoin wallet starting only with the person’s name and their phone number – not exactly secret pieces of information.
Their objective was to break into someone’s Bitcoin wallet and steal their money. Spoiler: they succeeded.
How did they do it?
Using Google’s find a person service, the researchers were able to find the user’s GMail email address.
Then, using hacks that they had created earlier, they were able to hack into a carrier’s network in Europe. Once inside the carrier’s network, they were able to route text messages in America to themselves.
That done, they were able to request a password reset for the user’s GMail account. Now that they “owned” the user’s GMail account they were able to do password resets on other accounts such as Bitcoin wallets and Bank accounts.
Both of these hacks were possible because the second factor being used was an SMS text message. Since the hackers were inside the carrier’s network, they were able to read text messages at will.
Once they had the user’s password and had intercepted text messages destined to the user’s phone, they can log on to the user’s bank accounts or Bitcoin wallet and empty them out.
Lets say that you are security conscious and you choose another option for your second factor – say a voice call to your land line. Ignoring for a moment that the same SS7 hack will allow the bad guys to call forward your land line and obtain the verification code, there is yet another security problem.
The carriers or web site operators want to be customer friendly. Friendly and secure are usually at odds with one another. This is one such case.
Have you ever seen a web site that says “we offer an online password reset feature that will allow you to reset your password from (say) your phone, but since you are a security conscious user and understand that this feature is a security nightmare, we will give you the option to permanently disable this feature”? I didn’t think so. Therefore, even though YOU choose not to use SMS messages as a second factor, it doesn’t mean that the web site won’t let a hacker use that option.
These tests were done with demo accounts and no money was harmed in the creation of this hack – but that’s because these guys were the good guys. There are a lot of variables to consider, but the purpose of the test was to demonstrate what is possible.
In fact, using SMS text messages as a second factor is considered so weak that the National Institute of Standards and Technology (NIST) has said that no new government systems are allowed to use SMS text messages as the second factor to authenticate a user.
It will take a while to get web site operators to get the message, but the more pressure we apply to those web site providers, the quicker this problem be fixed.
All that being said, even a text message based two factor authentication is way better than using just a password.
Information for this post came from The Register.