Two-factor authentication (2FA) is now a part of daily life, and most of us have had first-hand experience with SMS authentication. You enter your password, then you get a prompt to enter a code or PIN that’s sent to your phone number. After you type in the code, you’re in. Simple, right?
We all have access to cell phones, so it’s no surprise that SMS two-factor authentication is one of the most widespread types of multi-factor authentication (MFA). You don’t need any apps or digital keys, and it’s not tied to a specific ecosystem. Unfortunately, it’s also not a secure MFA method (and Microsoft agrees).
Four Ways SMS Authentication Opens Your Organization to Risk
The nature of SMS itself opens up your organization to a host of risks. Hackers have many ways to leverage SMS to find a way into your accounts and network. Below, we’ll look at four common attack strategies.
Hackers use good old-fashioned spoofing, often combined with phishing, to intercept and read your SMS messages. For those in the know, it’s basic tradecraft. This is because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access.
While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are in plain text form. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content.
By the way, if you want to check your phone’s security, use these codes to check if your phone is tapped.
Hackers also use standard phishing techniques to persuade users to install malware on their phones. The malware is meant to look for one-time SMS passcodes, as well as usernames and passwords for websites and apps on the device. Then, the malware sends the information right back to the attacker.
A more sophisticated method, SIM swapping can give hackers the virtual keys to your kingdom: control of your phone number. Through social engineering tactics, the hacker calls your phone company, pretends to be you, and activates a new phone with your number. Before you even notice, the hacker will have breached any 2FA that uses your phone as a second authentication factor.
For more insight into just how much havoc a SIM swapping hacker can unleash in a short period of time, read this spine-tingling conversation between a SIM hacker and his victim published in Vice a few years ago.
Remote Desktop Protocol (RDP)
Over the past 18 months, the uptick in remote work also sparked a trend of remote desktop protocol (RDP) attacks targeting SMS 2FA authentication. ESET telemetry’s research team reported a 768% increase in RDP attacks between the first and fourth quarters of 2020.
While many RDP attacks are brute-force attacks, hackers also use RDP in SIM swapping attacks to directly access internal phone company systems. First, hackers trick or bribe phone company employees into installing or activating RDP software. Then, they remotely dip into the phone company’s system and SIM swap individuals from inside the system. From there, they take over phone numbers, and the SMS authentications that go with them, until they’re caught.
Hackers can also simply pretend to be you to your mobile service provider. They obtain personal information from other sources to bypass any security questions and request a secondary SIM (they’ll claim the old one was lost, stolen, etc.).
Then, they intercept the shipment of the new SIM. Once you lose service on your own SIM, your number is under the control of the hacker, and they can request new SMS 2FA codes at will. It’s low-tech, but highly effective.
Another very low-tech but time-tested method is getting close enough to get a look at your phone. If you’ve enabled lock screen notifications, it’s all too easy to peek at passwords sent by SMS.
More recently, hackers have been signing up with companies that help businesses with SMS marketing and mass messaging. For a small fee, they can reroute your SMS messages to themselves.
Alternative, More Secure Methods of 2FA
Forrester estimates that SMS 2FA stops only 76% of attacks. Although SMS is the least secure method of 2FA, there are thankfully other ways to enjoy the security benefits of 2FA with minimal hassle.
2FA Hardware vs. SMS
Many organizations opt for hardware authentication, which requires a dedicated physical device (like YubiKey or Token2) for account access. Signing in requires users to know and enter their credentials, after which they are prompted to submit additional proof of identity by inserting the key and tapping it. While the device may be lost or stolen, it’s much more secure than SMS.
2FA App vs. SMS
There are also several widely-used options for software authentication, which requires authentication via a mobile app (like Microsoft Authenticator or Google Authenticator). 2FA prompts generally offer a QR code that you can scan with your phone’s authenticator app. Then, the app generates time-based, one-time passcodes (TOTP or OTP), which refresh every 30 seconds. The user needs to enter their code within 30 seconds to gain access. The short time limit means that even if an attacker did gain access to your one-time password, it won’t work after just 30 seconds.
Increasingly, IP-based controls also play a role in whether and how authentication takes place. Administrators can set up authorization controls based on IP address to determine whether or not to allow access, whether or not to prompt 2FA, or to determine what type of 2FA authentication to require. This is best when used as an additional security layer in combination with other forms of authentication.
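As an added illustration (not the article's or any vendor's implementation), the sketch below evaluates an IP-based policy that decides between denying access, skipping 2FA, and requiring a particular factor. The networks, action names, and default are constructed assumptions; it also handles two cases that commonly cause misclassification, malformed addresses and IPv4-mapped IPv6 addresses.

```python
import ipaddress

# Constructed sample policy, evaluated top to bottom; the first matching network wins.
# Networks and action names are assumptions for illustration only.
POLICY = [
    ("203.0.113.0/24", "deny"),            # example blocked range
    ("10.20.0.0/16",   "allow_no_2fa"),    # example office LAN
    ("10.0.0.0/8",     "require_totp"),    # example VPN pool
]
DEFAULT_ACTION = "require_hardware_key"    # unknown networks get the strongest factor

def normalize(raw: str):
    """Parse the client address and unwrap IPv4-mapped IPv6, so that
    ::ffff:10.20.0.5 is matched against the IPv4 rules instead of
    silently falling through to the default."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def decide(raw: str) -> str:
    """Return the action for a client address according to POLICY."""
    try:
        addr = normalize(raw)
    except ValueError:
        return "deny"                      # unparseable source address: fail closed
    for cidr, action in POLICY:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return action
    return DEFAULT_ACTION

if __name__ == "__main__":
    for sample in ("10.20.3.4", "10.9.9.9", "::ffff:10.20.0.5",
                   "198.51.100.7", "203.0.113.9", "not-an-ip"):
        print(f"{sample:20} -> {decide(sample)}")
```

Rule order matters here: the narrower `10.20.0.0/16` entry must precede `10.0.0.0/8`, otherwise the office LAN would be treated as part of the VPN pool.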
Stop Using SMS 2FA to Keep Your Data Safe
Ultimately, phones are designed for convenience, not security. Using SMS authentication for 2FA is too much of a risk for organizations looking to effectively secure access to their network and systems.
UserLock makes it easy for organizations to use secure methods of 2FA that protect access across Windows logon, RDP, RD Gateway, VPN, IIS and Cloud applications.