Two-factor authentication is rapidly becoming a “must-do” in this era of rampant cyber threats. I’ve discussed and encouraged two-factor authentication here and in Learning Tree’s cyber security introduction course. But it must be done correctly.
Some organizations use hardware tokens that display numbers that change every thirty seconds or so. Apps such as Google Authenticator perform a similar function. (The main difference is that the numbers on the token are entered as part of a password – e.g. mypassword409678 – while the value on the Google Authenticator is entered separately. Thus, the former is called two-factor authentication, while the latter is called two-step authentication.)
Many web sites use a technique where a code is sent to a user’s mobile device via SMS, the “Short Message Service” generally used for text messages. There is a potential issue with that, though: the wrong people could receive the message.
SMS messages are sent to users’ phone numbers. It is assumed that only the authorized user has access to the phone corresponding to the numbers. Attackers have found ways to move the numbers to other phones. The number is associated with the phone via the SIM (subscriber identification module) card, a tiny electronic device embedded in plastic or cardboard.
There are two predominant ways attackers move a number to a device they control and both rely on social engineering. The first way is to contact the victim’s mobile service provider, pretend to be the victim, and get the number re-assigned. The second way is for the attacker to pretend to be an employee of the service provider and gain access to the provider’s subscriber management database.
Attackers have used these techniques to steal cash and bitcoin. One theft was alleged to be in the tens of millions of dollars. But many are smaller and the victims are not just individuals; the attackers may want access to corporate or government systems. The problem has become significant and US Senators and Members of Congress have sent a letter to the FCC asking it to take action.
My concern is that web sites and others use messages sent by SMS to validate password changes. If an attacker has access to the SMS messages of a victim, not only can the attacker receive access codes, but can also reset account passwords.
If SMS can be used as an authentication step, mobile service providers must take two important steps. The first is to train their employees about the dangers of social engineering attacks. Specifically, they must be taught to accurately authenticate number change requests. Secondly, there needs to be mechanisms deployed that prevent a single employee from making a change without actual confirmation from the subscriber.
Some providers – e.g. T-Mobile – allow users to enable a process where number changes can only be made when the user appears in person with proper identification. At least at T-Mobile, the process is voluntary and may have some issues. Many providers have a feature where a PIN number is required for a change.
The best solution is to use a different second step such as Google Authenticator, but with ubiquitous SMS capabilities on mobile devices, sending a number via a text message is attractive to website designers. If using another option is impossible or unavailable, enabling all possible account protections is essential.