Multifactor authentication that uses SMS messaging as a second factor is vulnerable to simple hacks. User education is the best defense.

As our world moves away from password-based authentication to multifactor authentication (MFA) and other authentication solutions, different threats have appeared. One of the most interesting is that of unauthenticated short message service (SMS). SMS is the technology behind most of our default text messaging on cell phones. SMS has become the new killer app, quickly replacing email and voice calls as the primary method most people use to connect to each other.

There is a huge, growing security problem with SMS. It has become the root of many types of cybercrime. People have lost hundreds of millions of dollars and access to their most critical, trusted services and accounts because of it. The key problem is that SMS accounts are tied to people's cell phone numbers. That is the extent of SMS's authentication, no more and no less, and that's the problem.

Attackers can execute several types of cyberattacks through SMS. I discuss two of them here. One requires moderate sophistication to pull off. The other is child's play.

SIM swapping

If someone gains control of someone else's phone number, they gain access to that person's SMS messages. This didn't use to be a huge deal, but now the most popular type of MFA uses SMS messages as the second factor of authentication. It's hard to sign up for a bank account, email service or even a security service that doesn't want your phone number for MFA via SMS.

One of the popular types of this attack is called SIM swapping. SIM stands for subscriber identity module. A SIM, whether a removable SIM card or an embedded SIM (eSIM) provisioned into a chip built into the phone, contains the information that ties your cell phone to your cell phone provider's cellular network.
It holds the subscription's unique identifying number (a number of up to 15 digits called the international mobile subscriber identity, or IMSI) and the secret key the network uses to authenticate the SIM; the currently associated phone number (the MSISDN) is mapped to that IMSI in the provider's subscriber database and is often stored on the SIM as well. The SIM can also store other data, such as contacts and text messages.

Most of us have dealt with our phone's SIM information at some point, when we swapped SIM cards between phones or got a new or replacement phone. Either you move the old SIM card to the new phone and then activate it, or you have your cell phone provider transfer the necessary SIM information to the new phone or new SIM card by calling technical support and following a standard activation process. Either way, at the end of the SIM information transfer, the newly activated phone accepts calls (and SMS messages). The old phone no longer gets calls or SMS messages.

Attackers have long tricked cell phone network providers into doing unauthorized SIM swaps. The attackers have usually phished the intended victims to learn enough information to pose as the legitimate cell phone account holder. This usually means they get the victim's phone number, cell phone provider company name, and the logon name and password/PIN for the victim's account on the cell phone provider's network. Then they call the cell phone provider's tech support and, posing as the legitimate subscriber, request that the SIM information and service be redirected to a new phone that the attacker holds. Sometimes the attacker simply pays an insider at the provider to transfer the SIM information. This sort of crime has been committed hundreds of thousands of times around the globe.

The victim doesn't notice anything right away. Their phone just stops ringing and getting messages.
During that time, the attacker is usually putting one of the victim's SMS/MFA-protected accounts into recovery mode, or simply requesting the normal SMS/MFA logon code, which they then use to log on to the user's SMS/MFA-protected account. They then steal the user's identity or assets.

Here are some examples of real-world SIM swap crimes:

- Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup
- Florida Man Arrested in SIM Swap Conspiracy
- Smartphone Crypto Hack: The $24 Million AT&T SIM Swapping Mistake
- Tell Your Dad to Give Us Bitcoin

SIM swap crimes are so rampant that NIST, in Special Publication 800-63B (the authenticator guideline in the SP 800-63-3 suite, published in 2017), designated SMS-based out-of-band authentication a "restricted" authenticator type: an agency may still offer it, but only after assessing the risk and providing users with a stronger alternative. That said, SMS-based MFA is still the most popular second factor on the internet, and with most services you cannot opt out of it.

Fake SIM recovery messages

SIM swap attacks take a little bit of attacker sophistication. Fake SIM recovery messages take none. All the attacker has to know is your cell phone number (which they can find on the internet) and your username for any service you rely on that uses SMS as a secondary logon recovery method (e.g., Gmail, O365, Facebook or Twitter).
The fake SIM recovery attack relies on the fact that SMS has no authentication other than the phone number. Here's how the attack goes:

1. The attacker sends you a fake text message claiming to be from your legitimate service and tells you to expect an SMS code that you need to send back in reply to the message.
[Image: Sample phishing text message]

2. The attacker then starts a logon attempt at your legitimate service, but acts as if they do not know the right password.
[Image: Attacker makes a logon attempt]

3. The attacker tells the service to send them an SMS "recovery code".
[Image: Attacker requests an SMS recovery code]

4. The service sends the legitimate recovery code to the legitimate user's phone.
[Image: Legitimate recovery code sent to user's phone]

5. The tricked user sends that recovery code back to the attacker.
[Image: User sends recovery code to attacker]

6. The attacker enters the code into the legitimate service's recovery code prompt, is authenticated to the account, and takes control of it.

The reason this type of attack works is that the user has no way to distinguish which SMS messages (or sender phone numbers) are or aren't from the legitimate vendor. If you look at the message sent by Google in step 4, is there any indication that the message really is from Google? That's the problem. SMS is not authenticated beyond a phone number, and unless you know the legitimate phone numbers, you're out of luck. Ironically, you can't Google the phone numbers Google uses for its SMS recovery service.

Google (and many other providers, like Microsoft) know that SMS is a weak authentication choice and offer additional choices for account recovery.
However, in this case, the user is being socially engineered to accept an expected SMS message from the start, and the attacker can force the legitimate service to fall back to SMS recovery because it is still an available recovery option.

How to defend against unauthenticated SMS attacks

How could a user avoid this last attack? Start with education. Let users know that the unauthenticated nature of SMS allows different types of hacking attacks. Users should train themselves not to allow unexpected SMS recovery methods (especially if other, better alternative methods exist). For the fake SIM recovery attack, users should know that a recovery code from the vendor is typed into the browser logon session that requested it, not sent in reply to the SMS message.

Regarding SIM swap attacks, realize you cannot trust any critical part of your life (e.g., banking or investing) to any SMS-based MFA method. Thousands of people have lost their life savings trusting SMS-based MFA methods. Second, use non-SMS-based MFA methods when you can, such as authenticator applications (like Google Authenticator) or FIDO keys. Each has its own attacks, but those require other, less common, techniques.

The ultimate answer is that the cell phone industry, in concert with the financial industry, needs to come to grips with how bad SMS-based MFA and recovery methods are and do something about it. They know it's a problem. There are better solutions, some of which have been widely implemented in some countries, but in general the poor authentication of SMS remains a widespread problem.

Cell phone users beware.
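The fake recovery attack described above leaves a recognizable trail on the service side: a password failure, then an SMS recovery code requested, then that code redeemed, all from the same session, which is coming from an address the account has never completed a normal logon from. The following is an added example, not code from the original article, showing that detection logic run over constructed authentication log lines. The log layout (timestamp, event name, account, source IP, session id), the event names and the 15-minute window are assumptions made for this illustration.

```python
"""Detector for the SMS recovery-code phishing sequence described in the article.

Added example, not the article's code. The log layout (timestamp, event name, account,
source IP, session id), the event names and the 15-minute window are assumptions made
for this illustration; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed: the whole sequence must complete within 15 minutes

# Constructed sample log. alice recovers her own account from the address she always
# logs in from; bob's account is worked by an attacker from an address it has never used.
SAMPLE_LOG = """\
2023-12-04T09:00:01Z PASSWORD_OK alice 203.0.113.10 s1
2023-12-04T09:05:00Z PASSWORD_FAIL alice 203.0.113.10 s2
2023-12-04T09:05:20Z RECOVERY_SMS_SENT alice 203.0.113.10 s2
2023-12-04T09:06:00Z RECOVERY_CODE_ACCEPTED alice 203.0.113.10 s2
2023-12-04T10:00:00Z PASSWORD_OK bob 198.51.100.7 s3
2023-12-04T11:30:00Z PASSWORD_FAIL bob 192.0.2.44 s4
2023-12-04T11:30:15Z RECOVERY_SMS_SENT bob 192.0.2.44 s4
2023-12-04T11:34:50Z RECOVERY_CODE_ACCEPTED bob 192.0.2.44 s4
"""


def parse_log(text):
    """Turn the space-separated lines into (timestamp, event, account, ip, session) tuples,
    oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip, session = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account, ip, session))
    return sorted(events)


def sequence_times(session_events):
    """Return (fail, sent, accepted) timestamps if the session shows
    PASSWORD_FAIL -> RECOVERY_SMS_SENT -> RECOVERY_CODE_ACCEPTED in that order, else None."""
    wanted = ["PASSWORD_FAIL", "RECOVERY_SMS_SENT", "RECOVERY_CODE_ACCEPTED"]
    found = []
    for ts, event in session_events:
        if wanted and event == wanted[0]:
            found.append(ts)
            wanted.pop(0)
    return tuple(found) if not wanted else None


def detect(text):
    """Flag sessions that run the recovery sequence inside WINDOW from an IP address that
    had never completed a password logon for that account when the session began."""
    known_ips = defaultdict(set)      # account -> IPs that have completed a password logon
    sessions = defaultdict(list)      # session id -> [(timestamp, event), ...]
    new_ip_session = {}               # session id -> True if its IP was unknown at its start
    alerts = []
    for ts, event, account, ip, session in parse_log(text):
        if session not in new_ip_session:
            new_ip_session[session] = ip not in known_ips[account]
        if event == "PASSWORD_OK":
            # Only a password logon vouches for an address; a recovered session does not,
            # otherwise the attacker's own address would become "known" after the attack.
            known_ips[account].add(ip)
        sessions[session].append((ts, event))
        if event != "RECOVERY_CODE_ACCEPTED" or not new_ip_session[session]:
            continue
        times = sequence_times(sessions[session])
        if times and times[2] - times[0] <= WINDOW:
            alerts.append({
                "account": account,
                "ip": ip,
                "session": session,
                # how long the code sat with the victim before someone redeemed it
                "seconds_code_outstanding": int((times[2] - times[1]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

The new-address condition is what keeps alice's legitimate recovery quiet. Treat the alert as a step-up or review trigger rather than a hard block: a SIM-swap victim who lost their phone can also show up from an unfamiliar address. The outstanding time is reported because in the phishing variant the victim has to read the text and relay the code to the attacker, which takes longer than typing a code that arrived on your own phone.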
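The authenticator applications recommended above as a replacement for SMS codes generate time-based one-time passwords (TOTP, RFC 6238): the shared secret is provisioned once, usually by scanning a QR code, and never crosses the carrier's network, so a SIM swap gives the attacker nothing. The following is an added example, not code from the original article, showing how a service generates and verifies such codes, including the one-step clock-skew tolerance and the single-use check that stops a captured code from being replayed. The 30-second step, SHA-1 and six digits are the usual authenticator-app defaults and are assumptions of this example; the secret used is the RFC 6238 test seed.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example, not the article's code. Step length, hash and digit count are the usual
authenticator-app defaults, assumed here; the secret is the RFC 6238 test seed.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed: the 30-second window used by most authenticator apps


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with the secret as base32 (as in otpauth:// URIs);
    restore any padding the QR code or user omitted before decoding."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and keep leading zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits, algo)


class TotpVerifier:
    """Server side of the exchange. Accepts the current step plus/minus `skew_steps`
    to absorb clock drift, and refuses any step at or before the last accepted one,
    so a code that was phished or shoulder-surfed cannot be used a second time."""

    def __init__(self, secret: bytes, digits: int = 6, skew_steps: int = 1):
        self.secret = secret
        self.digits = digits
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # already used, or older than a code already used
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed
    verifier = TotpVerifier(seed)
    code = totp(seed, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```

The replay check covers the attack the article describes only partially: a phished TOTP code is still valid for one use inside its window, which is the "own attacks" caveat above. What the design removes is the carrier as a party to authentication, so neither a SIM swap nor a spoofed sender number yields a code. A phishing-resistant factor such as a FIDO key closes the remaining gap.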