July 22, 2014 at 14:10Two-factor authentication: once again about the risks when using SMS and voice calls
About a week ago, journalist Christopher Mims published a password on his Twitter account in an article on two-factor authentication. It was bold enough, if not stupid.
In just a couple of days, Christopher was forced to not only change his password, but also change his mobile phone number. The reason is simple - after entering the password, Twitter shows which phone number the one-time code is sent to (by the way, many other services do not do this, hiding some numbers). That is, the phone number is known, and it can be used: for example, send someone a message from this number. When Christopher received an SMS where his own number appeared in the sender’s field, he realized that he had acted stupidly. He changed the phone number, fearing that attackers could take advantage of him and “substitute” him - for example, send a message on his behalf.
Later in his article, he recommends using applications for generating one-time passwords, illustrating with his example that the authentication method over the phone is not so secure. In this he is absolutely right, but, in fact, the risks here are on a completely different scale - he risked not only the possibility of impersonation using his mobile phone number, but also directly hacking his account.
Consider all the risks in more detail.
Christopher was most afraid of this, but the consequences are minimal, it can only be used for the rally (although the rally can have serious consequences). The fact is that SMS gateways, of which there are a great many on the Internet, allow you to specify an arbitrary set of characters as the name of the sender - this is mainly used for the sender's alphabetic name, but you can substitute a number, and any. Of the several SMS gateways that I tested, only one had a “moderation” procedure for the sender’s name, but as I understand it, it doesn’t mean checking the ownership of the number - I added the friend’s number to the sender’s field without problems and sent him a test SMS.
In all banks, the identity verification procedure is quite strict (sometimes it reaches the point of absurdity). But this is not so with mobile operators, despite the fact that many online banking systems use a mobile phone number to confirm transactions. I will give an example from my experience: this year I ordered duplicate SIM cards twice (we needed nano-sims) and in both cases I asked only the phone number and no identity, and this, mind you, for a post-paid contract. Not later than yesterday, for the sake of interest, I did the same operation in a neighboring country already with pre-paid, and the situation repeated exactly - no documents were asked. In all the above examples, the action took place in the countries of central Europe.
Many two-factor authentication systems, including the Google system, offer, in addition to SMS, a regular phone call with which the robot sends one-time password numbers. This is convenient if there is no cell phone, or there are problems with the signal level in the room. However, if voicemail is enabled on the number, this leads to the risk of interception of the voicemail. This, for example, happened in 2012 with Cloudflare CEO Matthew Prince. In this incident, social engineering was partially used, but you can do without this method: using the services of changing the caller’s number (for example, SpoofCard) The attack is based on the fact that when accessing voicemail, many operators do not require additional verification if the caller-ID of the caller matches the subscriber number. The Australian security expert Shubham Shah conducted a fairly extensive study , and found out that the problem existed (for some, it still exists) for resources such as Linkedin, Facebook, Google, etc. As of today, many people have fixed the problem, but, for example, Google and Yahoo do not consider this a vulnerability and are not going to do anything. So, a tip - if anyone has the voice call selected as the main method on these services, it’s better to change it to SMS, or even better: choose a method with a mobile application.
SMS and voice calls are certainly convenient, but as it turns out, they are not as safe and reliable as the same mobile applications or hardware keys. By the way, mobile applications are also not ideal, but the risks there are orders of magnitude less.
And yet, for many, it seems like a common truth, but nevertheless we recall that the password is still important: the advantage of two-factor authentication is precisely in two factors, removing the password from the process we will get one-factor with other, but still, risks.
In just a couple of days, Christopher was forced to not only change his password, but also change his mobile phone number. The reason is simple - after entering the password, Twitter shows which phone number the one-time code is sent to (by the way, many other services do not do this, hiding some numbers). That is, the phone number is known, and it can be used: for example, send someone a message from this number. When Christopher received an SMS where his own number appeared in the sender’s field, he realized that he had acted stupidly. He changed the phone number, fearing that attackers could take advantage of him and “substitute” him - for example, send a message on his behalf.
Later in his article, he recommends using applications for generating one-time passwords, illustrating with his example that the authentication method over the phone is not so secure. In this he is absolutely right, but, in fact, the risks here are on a completely different scale - he risked not only the possibility of impersonation using his mobile phone number, but also directly hacking his account.
Consider all the risks in more detail.
Impersonation
Christopher was most afraid of this, but the consequences are minimal, it can only be used for the rally (although the rally can have serious consequences). The fact is that SMS gateways, of which there are a great many on the Internet, allow you to specify an arbitrary set of characters as the name of the sender - this is mainly used for the sender's alphabetic name, but you can substitute a number, and any. Of the several SMS gateways that I tested, only one had a “moderation” procedure for the sender’s name, but as I understand it, it doesn’t mean checking the ownership of the number - I added the friend’s number to the sender’s field without problems and sent him a test SMS.
Sim card duplicate
In all banks, the identity verification procedure is quite strict (sometimes it reaches the point of absurdity). But this is not so with mobile operators, despite the fact that many online banking systems use a mobile phone number to confirm transactions. I will give an example from my experience: this year I ordered duplicate SIM cards twice (we needed nano-sims) and in both cases I asked only the phone number and no identity, and this, mind you, for a post-paid contract. Not later than yesterday, for the sake of interest, I did the same operation in a neighboring country already with pre-paid, and the situation repeated exactly - no documents were asked. In all the above examples, the action took place in the countries of central Europe.
Voice mail
Many two-factor authentication systems, including the Google system, offer, in addition to SMS, a regular phone call with which the robot sends one-time password numbers. This is convenient if there is no cell phone, or there are problems with the signal level in the room. However, if voicemail is enabled on the number, this leads to the risk of interception of the voicemail. This, for example, happened in 2012 with Cloudflare CEO Matthew Prince. In this incident, social engineering was partially used, but you can do without this method: using the services of changing the caller’s number (for example, SpoofCard) The attack is based on the fact that when accessing voicemail, many operators do not require additional verification if the caller-ID of the caller matches the subscriber number. The Australian security expert Shubham Shah conducted a fairly extensive study , and found out that the problem existed (for some, it still exists) for resources such as Linkedin, Facebook, Google, etc. As of today, many people have fixed the problem, but, for example, Google and Yahoo do not consider this a vulnerability and are not going to do anything. So, a tip - if anyone has the voice call selected as the main method on these services, it’s better to change it to SMS, or even better: choose a method with a mobile application.
conclusions
SMS and voice calls are certainly convenient, but as it turns out, they are not as safe and reliable as the same mobile applications or hardware keys. By the way, mobile applications are also not ideal, but the risks there are orders of magnitude less.
And yet, for many, it seems like a common truth, but nevertheless we recall that the password is still important: the advantage of two-factor authentication is precisely in two factors, removing the password from the process we will get one-factor with other, but still, risks.