Dr. Security gives tips and answers questions related to cyber security. This time, it is about the security of the SMS method.
I heard that using Two-Factor Authentication with the SMS method is not secure anymore. That surprises me. What is against it? (Roland, Uster)
The 2FA method using SMS provides various possibilities for an attacker to intercept the channel and steal sensitive data, such as an authentication code sent to you by your bank. For example, through social engineering which means that the attacker has convinced the mobile operator to redirect the victim’s mobile phone to the attacker. Also, the underlying network used for sending SMS messages (SS7) does not have any authentication. What this means is that anyone with access to the network (which can be achieved for a very low price in some countries) can get access to SMS messages that are sent to a particular phone number. Although these types of attacks might be harder to achieve in countries like Switzerland, it is always possible for a perseverant attacker to get access to the codes sent to you over the GSM network. All the attackers need is a so-called Software Defined Radio module (which costs around CHF 1000.- or less) and locate themselves close to the victim. Today’s phones “lock in” the strongest signal. The attacker can emit a very strong signal that mimics that of the network operator, the phone connects to it and the attacker is then able to read all the messages that arrive to the user’s phone via GSM (such as SMS). If you are interested in more details, you can find some here, here and here.
I am happy to answer your questions, so do not hesitate to write to the Doctor at: firstname.lastname@example.org.