iTnews

A US$100k reminder as to why SMS 2FA isn't secure

By Juha Saarinen on May 29, 2019 12:24PM

Beware of SIM porting attacks.

Two-factor authentication via Short Message Service (SMS) codes continues to be used, despite being shown to be eminently compromisable and despite better alternatives being available.

Software engineer Sean Coonce of digital assets storage company BitGo in California is a recent example of how dangerous it can be to rely on a "security feature" that is easily bypassed.

Coonce rues not putting better security measures in place after unknown attackers ported his phone number to a new Subscriber Identity Module (SIM) and were able to steal large amounts of money by capturing two-factor authentication codes for his accounts.

He said the attack cost him US$100,000 last week, with the funds evaporating from his Coinbase crypto exchange account over a 24-hour time period.

Coonce said the money is gone for good, and that people need to be aware that SMS-based 2FA is not enough, as it is vulnerable to porting attacks.

He suggests using Google Authenticator or Authy time-based one-time password (TOTP) codes, along with hardware tokens such as a YubiKey that cannot be spoofed and remain under the owner's physical control, instead of SMS 2FA.

Google also has the ability to use voice 2FA and the online giant's Voice service has phone numbers that can't be ported, Coonce said.

Secondary email addresses for critical online services are also a good idea, provided they are not used for anything else, are kept private, and are themselves protected with hardware-based 2FA, Coonce suggested.

Coonce said he never took his online security very seriously as he had never experienced an attack.

"... I was simply too lazy to secure my assets with the rigour they deserved," Coonce ended his lament with.

How insecure is SMS 2FA? Is it even 2FA?

Insomnia Security researcher Adam Boileau said this is yet another example of why SMS is one of the least robust 2FA options.

He noted that in the case of a password reset, the SMS code functions as the sole factor of authentication, and the codes can be snagged by bad people.

“There are many ways attackers can capture the SMS codes, including SIM porting.

Other options include obtaining them from the end device, from the SMS transmission application programming interface, logs, in the telco itself, or in some cases over the radio network," Boileau said.

Attackers can also target the number porting system itself, and employees of the telco or its agents.

“Telcos vary in the level of checking they undertake when porting numbers or SIMs around, which ideally involves in-person checks of photo ID.

However, this often takes place in smaller retail stores that are not owned by the telcos in question, and it’s difficult to ensure that they check that the porting request is legitimate.

Plus there are opportunities for insiders to assist in bypassing checks for profit or under duress,” Boileau added.

There are measures being tested around the world that Australian telcos could adopt to prevent porting attacks, he said.

"Preventing the SIM swap is one approach; a complementary one is detecting that it has occurred.

We've seen some success in Africa, where such fraud was endemic.

In Mozambique, the phone carriers provide an API which lets online services query the relative age of the SIM.

This lets services use this in their risk calculus, and choose to require other authentication if the mobile number's account has suspicious changes.

Ideally we'd start to see this taken up elsewhere," Boileau suggested.
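The risk calculus Boileau describes, a service querying how recently the SIM behind a number changed and refusing to lean on SMS when it looks suspicious, can be sketched as a small policy function. This is an added illustration, not code from iTnews, Insomnia Security or any carrier; the shape of the carrier "SIM age" lookup (`CarrierSimInfo`) and the seven-day threshold are assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    SMS_OK = "sms_otp_allowed"          # SMS may serve as the second factor
    STEP_UP = "require_totp_or_u2f"     # demand an authenticator app or hardware key
    BLOCK = "block_and_alert"           # refuse the flow and raise a fraud alert


@dataclass
class CarrierSimInfo:
    """Assumed result of a carrier 'SIM age' lookup (hypothetical API shape)."""
    sim_activated_at: datetime   # when the SIM currently serving the number went live
    recent_port: bool            # carrier flags a recent port-out/port-in of the number


def assess_sms_risk(now: datetime, number_bound_at: datetime, sim: CarrierSimInfo,
                    is_password_reset: bool,
                    min_sim_age: timedelta = timedelta(days=7)) -> Decision:
    """Decide whether an SMS code is acceptable for this step of authentication.

    number_bound_at is when the user enrolled this phone number with the service.
    A SIM activated after that point means the number is no longer provably in the
    hands of the person who enrolled it, which is exactly what a SIM swap produces.
    """
    sim_changed_since_binding = sim.sim_activated_at > number_bound_at
    sim_too_new = (now - sim.sim_activated_at) < min_sim_age
    suspicious = sim_changed_since_binding or sim.recent_port

    if is_password_reset and suspicious:
        # In a reset flow the SMS code would be the *only* factor; a swapped SIM
        # here is the textbook account-takeover path, so stop and alert.
        return Decision.BLOCK
    if suspicious or sim_too_new:
        return Decision.STEP_UP
    if is_password_reset:
        # Even with a stable SIM, never let SMS stand alone as the sole factor.
        return Decision.STEP_UP
    return Decision.SMS_OK


if __name__ == "__main__":
    # Constructed sample: number enrolled a year ago, SIM replaced six hours ago.
    now = datetime(2019, 5, 29, tzinfo=timezone.utc)
    bound = now - timedelta(days=365)
    swapped = CarrierSimInfo(sim_activated_at=now - timedelta(hours=6), recent_port=False)
    print(assess_sms_risk(now, bound, swapped, is_password_reset=False).value)
```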

Getting multi-factor authentication right is difficult, however.

“Using hardware U2F keys and devices, or being prompted on another machine for permission the way Apple does it, makes it substantially harder for attacks to succeed than with SMS 2FA,” Boileau added.

"But adding extra defences to normal authentication just means attackers move to other scenarios, such as password reset.

Designing an authentication system that handles the nuance of the real world - where people lose phones, change names, or move countries - and also degrades gracefully when passwords are forgotten is a hard problem," Boileau warned.

“Ultimately though, the issue here seems to be that it’s ill-advised to keep US$100,000 on your computer - or any device - no matter which type of 2FA is used.

Having Coinbase as the bank means there’s only a slim chance of getting a refund for the fraud, thanks to the transaction being immutable on the blockchain,” Boileau concluded.
