NIST Softens Guidance on SMS Authentication
What a difference a year makes. As related in AppDev Magazine’s recent newsletter, just one year after NIST (the National Institute of Standards and Technology) issued guidance that found SMS insecure and no longer suitable as a strong authentication mechanism, it has backpedaled, reducing its previously strong statements and instead offering a new, softer recommendation.
According to this article, NIST proposed “deprecating” SMS 2FA last year because of its vulnerabilities as an out-of-band factor in multi-factor authentication environments. “The term ‘deprecation’ confused people,” said Paul Grassi, senior standards and technology adviser at NIST, “because it wasn’t clear if SMS 2FA was disallowed or remained allowed.” Following a proposal informed by guidance from the telecommunications, financial and security industries on how to use SMS successfully, NIST applied these changes: while the draft called SMS ‘deprecated’, the final guidance places it under ‘restricted’, meaning organizations or users would be taking on risk by using SMS 2FA.
While NIST’s target audience is federal government agencies, many commercial entities have embraced NIST guidance. Additionally, even though SMS delivery of one-time passwords is “restricted” under NIST, that doesn’t mean organizations should avoid 2FA. In fact, other approaches, for example app-based or push-based OTP (a code generated on the mobile device by an app such as Google Authenticator), which is cryptographically generated on the device and not delivered via the SMS channel, avoid those vulnerabilities.
This new thought process doesn’t mean, however, that SMS has become any more resilient. SMS messages are (still) not protected from prying eyes. There is (still) no assurance that they will actually go to the intended recipient. And, for the most part, they are (still) perceived as being insecure.
Attacks on SMS, commonly referred to as “SIM swap” attacks, date back nearly ten years. Today, the attacks are commonplace and are perpetrated against every carrier in the US, including Verizon, AT&T, T-Mobile, Sprint, and others.
SMS Exploits Go Mainstream
Awareness of the shortcomings of SMS messaging isn’t limited to tech publications or security professionals alone. Increasingly, SMS exploits are going mainstream.
Case in point: a recent New York Times article describes how identity thieves are hijacking cellphone accounts to go after virtual currency. It goes on to describe how one investor’s virtual currency wallet was drained of nearly $150,000 within minutes of hackers gaining control of his phone.
As other victims of cryptocurrency losses described in the Times article, SMS, which most financial firms require for tying customer online accounts to phone numbers in order to confirm their identity, remains the elephant in the room. The system will allow someone with the right phone number to reset passwords on accounts, even without knowing the original passwords. A hacker merely hits “Forgot Password” and instantly has a new code sent to the phone (and phone number) they’ve hijacked.
Depending on the telecom company, the hacker can do this in person or by phone or even via online chat. Once the hacker has the new SIM, it's easy to have the SMS sent to the new phone and for the accounts to be compromised. Moreover, once a bad actor controls the phone number, they can also reset the passwords associated with every other account that uses that phone number as a security backup.
A Higher Level of Authentication
Today, most users rely on SMS authentication as their backup authentication method for allowing secure transactions, such as password changes, and it’s a fine form of two-factor authentication when used for low-value transactions. Still, if you are using it (or relying on it exclusively) for higher-risk transactions such as credit card changes, ACH, or wire transfers, consider implementing a stronger form of authentication. In this model, if a user attempts something considered more risky (e.g. a transaction), they are prompted to satisfy a higher level of authentication in order to complete the riskier task.
However, even “step-up” SMS authentication mechanisms are problematic. Typically, the codes are randomly generated, stored in the backend and sent on to the registered web service. No validation of the phone number occurs, nor is there further validation of who is holding the phone, or even any confirmation that an app on that particular phone actually generated the request that’s being processed.
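As an added illustration (not code from the article or from NIST), the block below sketches the two points made above: a risk-tiered step-up policy in which SMS OTP is accepted only for low-value actions, and an RFC 6238 TOTP check showing how an app-generated code is derived on the device from a shared secret rather than being a random value stored server-side and pushed over SMS. The strength ordering and the action-to-factor mapping are constructed assumptions, not NIST assurance levels.

```python
"""Step-up policy plus device-derived TOTP, contrasted with SMS-delivered codes."""
import hashlib
import hmac
import struct
import time

# Constructed ordering of second-factor strength (assumption for this example).
STRENGTH = {"none": 0, "sms_otp": 1, "totp_app": 2, "push_signed": 3}

# Hypothetical policy: actions the article names, mapped to the minimum factor
# strength required. Low-value actions may use SMS; money movement may not.
REQUIRED = {
    "login": "sms_otp",
    "password_change": "sms_otp",
    "credit_card_change": "totp_app",
    "ach_transfer": "push_signed",
    "wire_transfer": "push_signed",
}


def required_factor(action):
    """Unknown actions default to the strongest factor (fail closed)."""
    return REQUIRED.get(action, "push_signed")


def step_up_allowed(action, presented_factor):
    """True if the factor the user satisfied meets the bar for this action."""
    return STRENGTH[presented_factor] >= STRENGTH[required_factor(action)]


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): derived from a device-held secret and the
    current time step, so no code ever has to travel over the SMS channel."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def verify_totp(secret, code, for_time, step=30, window=1):
    """Server-side check: recompute from the shared secret, allowing +/- window
    steps of clock skew, and compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret, for_time + d * step, step), code)
        for d in range(-window, window + 1)
    )
```

The TOTP values can be cross-checked against the RFC 6238 test vectors (ASCII secret `12345678901234567890`, time 59 gives 94287082 with eight digits).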
Putting SMS in Perspective
While NIST may have backed down on their strong stance against using SMS as a true two-factor solution, every security team should evaluate their organization’s use and reliance on it and put into place the proper controls to make sure SMS doesn’t become a hole in their security framework.
As the Times article illustrates and as experience shows, SMS is rapidly evolving into a mainstream exploit that has extended well beyond hardcore hackers. Even criminals with little (if any) technical acumen can, with a smile and a virtual handshake, exploit SMS and often for significant monetary gain.
As a community, we need to evaluate how SMS is used and what types of communication should be carried over this protocol. Learn more about how biometric authentication (e.g. behavioral, face and fingerprint), out-of-band transaction signing, push notification and risk analysis address and overcome weak SMS security.