I Hope That No One Gets My (SMS) Message in a Bottle...

Andrew Showstead, August 2, 2016

The news is in that the National Institute of Standards and Technology has finally stated what both security professionals and hackers alike have known for years: SMS is insecure, and is no longer suitable as a strong authentication mechanism.  SMS Messages are not protected from the wrong eyes seeing them, and there is no assurance that they will actually go to the intended recipient.  So everyone knew this day was coming, yet scores of applications deployed SMS as a security mechanism, and the question is, "Why?"

It's quite simple: as people began to lose trust in password-protected services, in the rush to give users a 'sense of security' (in other words, "We're secure, so keep using our service, pretty please!"), SMS texts provided a cheap, ubiquitous, and easy-to-understand process.  In the best of cases, SMS was used for low-risk web-site access; in the worst of cases, misplaced trust saw it leveraged for access to highly-targeted intellectual property, “secure” networks, and even some credit card issuers and financial institutions.  Oh, the SMS peddlers without suitable alternatives talked it up with various buzz-phrases, like "out-of-band" and "step-up" authentication, but the reality now is that SMS security does not deliver as a true “second factor”, as some may have claimed; attacks against SMS are no longer theoretical but wide-spread.

smartcardWhat was the problem with SMS from the beginning, and what has changed?  Well, SMS has always provided a “logical” link between your user’s phone number and the actual device they hold in their hand.  Before smart-phones and must-have apps, the point of compromise was the user’s wireless account; change the phone registered to an account, and voila! You are receiving the messages without actually hacking the account being attacked.  Basically, you were relying upon the cellular companies to maintain your security.  In some cases, the providers have increased the security of these types of device changes, and so maybe we delayed the inevitable….

Many, many, people innocently believe the only way for someone to see their SMS messages is if they are in possession of their phone, and have a false sense of added security if they are using a passcode or fingerprint to protect their phone access.  They couldn’t be more wrong!  What’s here now is the ability to attack the phone directly.  A user downloads all sorts of apps, usually granting various permissions without giving it a thought.  Downloading apps from untrusted app stores, using jailbroken or rooted phones, or in-general, just acting like users, clueless to the risks they face day-to-day.

Now consider the variety of apps available for "legitimate" use.  Want to really see who your kids are socializing with by monitoring their texts? Want to help your aging parent by monitoring their SMS messages from one of the various services they might use? Simply install a hidden SMS utility on their phone and remotely see all their incoming and outgoing messages.  So if these apps can do these things at your command, what makes you think a hacker can't hide these malicious tools in an app without your knowledge?  Application repackaging, code injection, screen overlays, rogue keyboards…..Are you downloading the latest viral App?  You might just get a few extra bells and whistles that you are not interested in, and they will most likely be stealing your login credentials.

So what now? Alternatives exist, and your application can be protected by run-time self-protection, true transaction security, and device-binding technologies, allowing your mobile to still be used as a great second factor.

Unfortunately, for years we have heard "Passwords are dead!" yet most of us can't get around typing passwords all day; knowledge-based authentication is equally vulnerable.  And now that we have heard "SMS Authentication is dead!" we need to go where the user and their devices are, and truly secure them!  We must stop relying upon the SMS "message-in-a-bottle" approach to security, or we'll be re-learning this lesson again, and again, and again....

Andrew Showstead is the Director of Technical Consultancy and Market Solutions at OneSpan. In this role, Andrew oversees engineering and product implementation aspects of multi-factor authentication and application security projects for large enterprise clients in North America.