How Secure Is MFA Based on SMS?

In an era dominated by advanced technology and an increasing number of cyber threats, ensuring the security of our personal and professional accounts has become paramount. One of the best ways to secure our accounts is through multi-factor authentication (MFA). For those who may not know, MFA adds an extra layer of protection by requiring users to provide multiple forms of verification to access their accounts. This added layer of security has become very popular, and a recent report found that use of MFA has doubled since 2020. While MFA is undoubtedly a step in the right direction towards securing our accounts, one widely adopted MFA method, SMS-based MFA (texting), may not be as secure as many believe it to be. This is concerning as most accounts are still using SMS as their primary method of MFA. Security researchers have been warning about the risks of SMS-based MFA since 2016, but despite this over 70% of accounts using MFA opt for SMS verification. Let us explore some of the common attacks against SMS-based MFA, and some alternative MFA options that will help improve your level of security.

Common SMS-Based Multi-Factor Authentication (MFA) Attacks

SIM Swapping

SIM swapping is a method used to gain unauthorized access to a user’s mobile phone number. This technique typically involves convincing a customer service representative at a mobile carrier to transfer the victim's phone number to a SIM card controlled by the attacker. This is often accomplished by using social engineering tactics such as phishing and vishing. The attacker will first extract some personally identifiable information from their target, usually through a phishing email or smishish text message, or by simply researching the target on social media. The attacker will then use that information to impersonate their target and trick the customer service representative into swapping the SIM to their own number. In some extreme cases, the attacker might even pay off an insider at the mobile carrier to do the swap.

It might seem unlikely that it could happen to you, but I speak from experience that it is more common than you might think. While it has not happened to me personally, I did witness it with a former coworker, who we will call “Rob” for the purpose of this blog post. Rob was a big fan of cryptocurrency and frequently discussed it within online posts, assuming he was safe in his online anonymity. However, all he was doing was making himself an enticing target for malicious actors lurking out on the web. Rob was never sure exactly how he compromised, but he inadvertently provided enough information about himself that someone was able to call his mobile carrier and convince them to swap his SIM to a new number. As a result, the attacker was able to intercept the SMS message containing his multi-factor authentication code to access his cryptocurrency account and steal his investments. The attack was devastating for Rob and led to weeks of headaches as he struggled to resolve the issue.

Port-Out Scams

A similar tactic to SIM swapping, mobile number port-out scams manipulate the process of transferring a mobile phone number from one service provider to another. This attack also often involves social engineering, as the attacker’s goal is once again to gain enough information about a target to impersonate them when contacting a mobile carrier. The difference between port-out scams and SIM swapping is that the attacker’s goal is to convince the phone carrier to switch the victim’s phone service from one carrier to another instead of simply swapping the SIM card to the attacker’s phone. In both cases, the target will no longer be in control of their mobile phone, and the attacker can intercept any authentication requests their target receives via text.

SS7 Attacks

Signaling System No 7 (SS7), also known as Common Channel Signaling System 7 (CCSS7) in America or Common Channel Interoffice Signaling 7 (CCIS7) in the UK, serves as the backbone for transmitting necessary information between phone networks. It enables seamless call and text transfers between them and ensures accurate billing. Additionally, it allows users from one network to connect to another, especially during overseas travel. Originating in 1975, there have been multiple versions of this system.

However, SS7 has its vulnerabilities. These security gaps have led to SS7 attacks, where cybercriminals take advantage of the system to intercept cellular communications, both voice and SMS. A notable exposure of these flaws was in 2014 when German experts showcased how these breaches could lead to tracking mobile users and listening in on their conversations. By 2017, the risks were further highlighted when hackers managed to reroute two-factor authentication codes via SS7, resulting in unauthorized bank transfers.

While the SS7 flaws have been well-known, many telecom providers have been slow in bolstering their defenses. Thankfully, the rise of 4G and 5G networks introduced enhanced security measures. However, the challenge remains as these advanced networks still need to interact with older technologies. According to the GSMA's 2021 report, 30% of mobile connections are still reliant on 2G and 3G networks. As 5G gains traction, the SS7 threat persists as long as the older networks remain active. Although this threat is fading into history with the introduction of new technologies and protocols, a recommendation for those who are still weary of SS7 attacks would be to steer clear of using SMS for multi-factor authentication.

Protecting Yourself

In today's cybersecurity climate, millions stand at risk of becoming victims of malicious SMS-based MFA attacks. However, the good news is that there are straightforward measures to significantly reduce these vulnerabilities. It is crucial to establish strong, unique passwords for every account, even when MFA is enabled, and avoid reusing passwords across platforms.

Another effective preventative measure is sidestepping the use of SMS-based authentication altogether. It is important to leverage two-factor authentication wherever feasible. Applications such as Google Authenticator, Authy, or Microsoft Authenticator offer superior security compared to SMS-based authentication.

Additionally, enhancing security controls with your mobile carriers, such as mandating a PIN for significant service alterations, can be an effective additional layer of defense. Even in the unfortunate event of an attacker learning enough of your personal information to impersonate you, this PIN acts as a formidable barrier against unauthorized account alterations. Additionally, maintaining vigilance against social engineering threats is paramount. Many cyberattacks, some of which have been highlighted above, are often dependent on successful social engineering exploits and reconnaissance by the attacker. Recognizing these schemes is among the primary defense mechanisms.

Complacency with SMS multi-factor authentication alone is perilous. We must recognize that the exclusive reliance on SMS for MFA introduces certain vulnerabilities. Social engineering tactics are diverse and target both individual and business entities. Acquainting oneself with these strategies is key for individual safety and the protection of sensitive data. At Compass IT Compliance, we pride ourselves on providing comprehensive security awareness training programs and conducting thorough social engineering evaluations, simulating real-world threat scenarios. Contact us today to assess and enhance your organization's security posture and identify areas primed for improvement!