ASK DR. SECURITY: Why you should not use SMS for authentication

Dr. Security gives tips and answers questions related to cyber security. This time, it is about the security of the SMS method.

Doctor Security

Question

I heard that using Two-Factor Authentication with the SMS method is not secure anymore. That surprises me. What is against it? (Roland, Uster)

Answer

Hi Roland,

Two-factor authentication over SMS gives an attacker several ways to intercept the channel and steal sensitive data, such as an authentication code sent to you by your bank.
One example is social engineering: the attacker convinces the mobile operator to redirect the victim’s mobile phone number to the attacker. Also, the underlying network used for sending SMS messages (SS7) does not have any authentication. This means that anyone with access to the network (which can be obtained for a very low price in some countries) can get access to SMS messages that are sent to a particular phone number.
Although these types of attacks might be harder to carry out in countries like Switzerland, a persistent attacker can always get access to the codes sent to you over the GSM network. All the attacker needs is a so-called Software Defined Radio module (which costs around CHF 1000.- or less) and a position close to the victim. Today’s phones “lock in” to the strongest signal. The attacker can emit a very strong signal that mimics that of the network operator; the phone connects to it, and the attacker is then able to read all the messages that arrive at the user’s phone via GSM (such as SMS).
If you are interested in more details, you can find some here, here and here.

I am happy to answer your questions, so do not hesitate to write to the Doctor at: doctor@futurae.com.