The National Institute of Standards and Technology (NIST), which assesses the security of products and services used in government and the private sector, recently confirmed something security professionals have known for years: SMS is not fully secure.
NIST, a non-regulatory agency of the Commerce Department, specifically singled out the risk of SMS when it is used as a second factor in two-factor authentication in its latest draft of the Digital Authentication Guideline. NIST stated that SMS messages are vulnerable to interception and redirection.
NIST made it clear in a blog post that it was not yet banning the use of SMS, only discouraging it. The final guidelines, however, might deprecate SMS-based authentication for out-of-band verification.
“Since two-factor authentication became the norm for web services that care about securing your accounts, it’s started to feel like a security blanket, an extra layer keeping your data safe no matter whether your password is as strong as 8$&]$@I)9[P&4^s or as dumb as dadada,” the NIST draft stated. “But, a two-factor setup—which for most users requires a temporary code generated on, or sent to, your phone in addition to a password—isn’t an invincibility spell. Especially if that second factor is delivered via text message.”
2FA (two-factor authentication) refers to the accepted security practice of confirming a user’s claimed identity using two different kinds of factors: a combination of something the user knows (for example, a PIN), something the user possesses (for example, an ATM card) or something the user is (such as a biometric).
“Digital authentication is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the digital authentication of individual people over a network,” NIST explained in its draft.
The ongoing authentication of subscribers is central to this process. Subscriber authentication verifies that the claimant controls one or more authenticators associated with a given subscriber. “A successful authentication results in the assertion of an identifier, either pseudonymous or non-pseudonymous, and optionally other identity information, to the relying party,” NIST wrote.
Out-of-band (OOB) verification is the use of two separate channels to authenticate a user, such as when users who forget their passwords have temporary passwords texted to their phones. In theory, this method makes fraud more difficult to commit because an attacker must compromise two disparate channels to gain access.
However, in practice, NIST said, SMS is a weak 2FA method, and determined criminals can exploit it. Because an attacker does not need physical possession of the victim’s mobile device, a code sent by SMS can be exposed through man-in-the-middle attacks or by messages forwarded to another device.
Further, criminals can attempt to have their own phone number substituted for the victim’s number on the account before attempting access. Whether this technique succeeds depends on how strictly the organization follows its security procedures for changing account information.
For these and other reasons, fraudsters often specifically target SMS as a potential access point. Malicious software can abuse SMS functionality to send fraudulent text messages or fake incoming SMS messages for phishing, a technique known as SMiShing.
Despite these vulnerabilities, the industry has long accepted them for lack of an alternative, because fraud and authentication professionals have struggled to find the right replacement.
Instead of SMS, the NIST guideline recommends the use of hardware tokens, one-time code generators, and software cryptographic authenticators to prevent fraud. With these authenticators in place, the pre-registered telephone number cannot be changed without two-factor authentication at the time of the change, blocking one potential access point for fraudsters.