Why unauthenticated SMS is a security risk

As our world moves away from password-based authentication to multifactor authentication (MFA) and other authentication solutions, different threats have appeared. One of the most interesting is that of unauthenticated short message service (SMS). SMS is the technology behind most of our default text messaging on cell phones. SMS has become the new killer app, quickly replacing email and voice calls as the primary method most people use to connect to each other.

There is a huge, growing security problem with SMS. It has become the root behind many types of cybercrime. People have lost hundreds of millions of dollars and access to their most critical, trusted services and accounts because of it. The key problem is that SMS accounts are tied to people’s cell phone numbers. That is the extent of SMS’s authentication — no more, no less — and that’s the problem.

Attackers can execute several types of cyberattacks through SMS. I discuss two of them here. One requires moderate sophistication to pull off. The other is child’s play.

SIM swapping

If someone gains control to someone else’s phone number, they gain access to their SMS messaging. This didn’t used to be a huge deal, but now the most popular type of MFA is using SMS messages as the second factor of authentication. It’s hard to sign up for a bank account, email service or even security service where they don’t want your phone number for MFA via SMS.

One of the popular types of this attack is called SIM swapping. SIM stands for subscriber identity module. SIMs, either stored virtually on a cell phone’s non-transient memory or on a secondary micro-SD memory card, contains the information that ties your cell phone to your cell phone provider’s cellular network. It contains your phone’s unique identifying number (a 64-bit value called the international mobile subscriber identity, or IMSI), the currently associated phone number, and other relevant information. It can also store other data, such as your calling lists and app data.

We’ve all been involved with our phone’s SIM information, when we either had to swap out old and new SIM cards between phones, when we got a new or replacement phone. Either you move the old SIM card to the new phone and then activate it; or you have your cell phone provider transfer the necessary SIM information to the new phone or new SIM card by calling technical support and following a standard activation process. Either way, at the end of the SIM information transfer, the newly activated phone accepts calls (and SMS messages) on the new phone. The old phone no longer gets calls or SMS messages.

Attackers have long tricked cell phone network providers into doing unauthorized SIM swaps. The attackers have usually phished the intended victims to learn enough information so that they can fake being the legitimate cell phone account holder. This usually means they get the victim’s phone number, cell phone provider company name, and their logon name and password/PIN for the victim’s account on the cell phone provider’s network. Then they call the cell phone provider’s tech support and pose as the legitimate subscriber requesting that the SIM information and service be redirected to a new phone that the attacker has. Sometimes the attacker just pays an inside person to transfer the SIM information. This sort of crime has been committed hundreds of thousands of times around the globe.

The victim doesn’t notice anything right away. Their phone just stops ringing and getting messages. During that time, the attacker is usually putting one of the victim’s SMS/MFA-protected accounts into recovery mode or simply requesting the normal SMS/MFA-logon code, which they then use to logon to the user’s SMS/MFA-protected account. They then steal the user’s identity or assets.

Here are some examples of real-world SIM swap crimes:

• Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup
• Florida Man Arrested in SIM Swap Conspiracy
• Smartphone Crypto Hack: The $24 Million AT&T SIM Swapping Mistake
• Tell Your Dad to Give Us Bitcoin

SIM swap crimes are so rampant that the U.S. government, in NIST Special Publication 800-63-3, said not to use SMS-based MFA two years ago. That said, SMS-based MFA is the most popular second-factor authentication on the internet, and with most services you cannot opt out of it.

Fake SIM recovery messages

SIM swap attacks take a little bit of attacker sophistication. Fake SIM recovery messages takes none. All the attacker has to know is your cell phone number (which they can find on the internet) and your username for any service that you rely on that uses SMS as a secondary logon recovery method (e.g., Gmail, O365, Facebook or Twitter). The fake SIM recovery attack relies on the fact that SMS has no authentication other than phone number.

Here’s how the attack goes:

1. An attacker sends you a fake text message claiming to be from your legitimate service and tells you to expect an SMS code that you need to send back in reply to the message:

   Roger Grimes

2. The attacker then starts a logon attempt at your legitimate service, but then acts like they do not know the right password:

   Roger Grimes

3. Then the attacker tells the service to send them an SMS “recovery code”:

   Roger Grimes

   Roger Grimes

4. The service sends the legitimate recovery code to the legitimate user’s phone:

   Roger Grimes

5. The tricked user then sends that recovery code back to the attacker:

   Roger Grimes

6. The attacker then enters the code into the user’s legitimate service’s recovery code prompt, gets authenticated to the account, and then takes control of it.

The reason this type of attack works is that the user has no way to distinguish between what SMS messages (or phone numbers) are or aren’t from the legitimate vendor. If you look at the message sent by Google in step 4, is there any indication that the message really is from Google? That’s the problem. SMS is not authenticated beyond a phone number, and unless you know the legitimate phone numbers, you’re out of luck. Ironically, you can’t Google Google’s phone numbers used by its SMS recover service.

Google (and many other providers like Microsoft) know that SMS is a weak authentication choice and offer additional choices for account recovery. However, in this case, the user is being socially engineered to accept an expected SMS message from the start, and the hacker can force the legitimate service to allow SMS recovery because it’s still an available recovery option.

How to defend against unauthenticated SMS attacks

How could a user avoid this last attack? Start with education. Let users know that the unauthenticated nature of SMS allows different types of hacking attacks. Users should train themselves to not allow unexpected SMS recovery methods (especially if other, better alternative methods exist). For the fake SIM recovery attack, users should know that when they get a SMS recovery code from the vendor, that code is usually typed into a browser logon session requesting that information and not in response to the SMS message.

Regarding SIM swap attacks, realize you cannot trust any critical part of your life (e.g., banking or investing) to any SMS-based MFA method. Thousands of people have lost their life savings trusting SMS-based MFA methods. Second, use non-SMS-based MFA methods when you can, such as authentication applications (like Google Authenticator) or FIDO keys. They each have their own hacks, but it will take other, less popular, types of attacks.

The ultimate answer is that the cell phone industry, in concert with the financial industry, needs to come to grips with how bad SMS-based MFA and recovery methods are and do something about it. They know it’s a problem. There are better solutions, some of which have been widely implemented in some countries, but in general the poor authentication of SMS remains a widespread problem.

Cell phone users beware.