Why you should not use two-factor authentication that relies on an SMS message - hackers are onto this and could access all your passwords, especially if you are using Android credentials

By Syed Wajid Ali Shah, Jongkil Jay Jeong, and Robin Doss*

It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted that more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system.

It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks.

But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.

Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB and Westpac.

So what’s the problem with SMS?

Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks.

For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider that they themselves are the victim, and then requesting the victim’s phone number be switched to a device of their choice.

SMS-based one-time codes have also been shown to be compromised through readily available tools such as Modlishka, which uses a technique called reverse proxying: the tool sits between the victim and the service being impersonated and relays the traffic in both directions.

So in the case of Modlishka, it intercepts communication between a genuine service and a victim, and tracks and records the victim’s interactions with the service, including any login credentials they enter.

In addition to these existing vulnerabilities, our team have found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your Android device.

Due to syncing services, if a hacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone.

If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone.

The attack on Android

Our experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronise users’ notifications across different devices.

Specifically, attackers can leverage a compromised email/password combination connected to a Google account (such as username@gmail.com) to nefariously install a readily-available message mirroring app on a victim’s smartphone via Google Play.

This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure.

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.

For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA.

Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.

The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim’s smartphone.

What’s the alternative?

To remain protected online, you should check whether your initial line of defence is secure. First check your password to see if it’s compromised. There are a number of security programs that will let you do this. And make sure you’re using a well-crafted password.

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case the code is generated within the Google Authenticator app on your device itself, rather than being sent to you.
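To make concrete what “generated on your device itself” means, here is an added example (not code from the article or from Google Authenticator) of the time-based one-time password algorithm that authenticator apps implement, RFC 6238 TOTP on top of RFC 4226 HOTP. The shared secret is provisioned once (usually via a QR code) and never travels over SMS; each code is an HMAC over the current 30-second time step, so an intercepted code is useless once that step has passed. The secret and timestamps used below are the RFC test values and are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time


# RFC 4226 HOTP: HMAC-SHA1 over a big-endian 8-byte counter, then "dynamic truncation".
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# RFC 6238 TOTP: the counter is the number of `step`-second periods since the Unix epoch.
def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(timestamp // step), digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode the Base32 setup key that a provisioning QR code carries (padding optional)."""
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def verify_totp(secret: bytes, code: str, timestamp: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step plus `window` steps either side to absorb
    clock drift. compare_digest keeps the string comparison constant-time."""
    counter = int(timestamp // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226/6238 test key, not a real account secret.
    secret = b"12345678901234567890"
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "accepted now:", verify_totp(secret, code, now))
    # The same code two minutes later falls outside the accepted window.
    print("same code two minutes later accepted:", verify_totp(secret, code, now + 120))
```

The `window` parameter is the trade-off a service has to make: one step either side tolerates phone clock drift, while a wider window lengthens the time an intercepted code stays usable.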

However, this approach can also be compromised by hackers using some sophisticated malware. A better alternative would be to use dedicated hardware devices such as YubiKey.

The YubiKey, first developed in 2008, is an authentication device designed to support one-time password and 2FA protocols without having to rely on SMS-based 2FA.

These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable 2FA across different services.

Such physical devices need to be plugged into, or brought into close proximity of, a login device as part of 2FA, mitigating the risks associated with visible one-time codes, such as codes sent by SMS.
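The property that makes a hardware key resist the reverse-proxy attack described earlier is that its response is bound to the web origin the browser reports, whereas a six-digit SMS code carries no notion of where it was typed. The following added example (not from the article or from any YubiKey/FIDO implementation) models that binding in the simplest way: a real security key signs the challenge and origin with a per-site private key; here an HMAC keyed with a constructed device secret stands in for that signature, and `https://bank.example` and `https://bank-example.test` are placeholder origins. The logic of the check is the same: the server verifies against its own origin only, so a challenge relayed through a look-alike site produces a response that does not verify.

```python
import hashlib
import hmac
import json
import os

# The relying party's own origin (placeholder). The server verifies against this and nothing else.
RP_ORIGIN = "https://bank.example"


def authenticator_respond(device_secret: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Authenticator side. The browser, not the web page, tells the authenticator which
    origin is asking, and that origin becomes part of the signed payload.
    HMAC-SHA256 stands in for the public-key signature a real key would produce."""
    payload = json.dumps({"challenge": challenge.hex(), "origin": origin_seen},
                         sort_keys=True).encode()
    return hmac.new(device_secret, payload, hashlib.sha256).digest()


def server_verify(device_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute over the challenge it issued and ITS OWN origin,
    then compare in constant time."""
    expected = authenticator_respond(device_secret, challenge, RP_ORIGIN)
    return hmac.compare_digest(expected, response)


def login_direct(device_secret: bytes) -> bool:
    """User logs in at the genuine site: browser reports RP_ORIGIN, response verifies."""
    challenge = os.urandom(32)
    response = authenticator_respond(device_secret, challenge, RP_ORIGIN)
    return server_verify(device_secret, challenge, response)


def login_via_lookalike(device_secret: bytes,
                        lookalike_origin: str = "https://bank-example.test") -> bool:
    """User is on a look-alike page that forwards the genuine challenge. The browser
    reports the look-alike origin, so the relayed response fails at the real site."""
    challenge = os.urandom(32)  # genuine challenge, relayed unchanged
    response = authenticator_respond(device_secret, challenge, lookalike_origin)
    return server_verify(device_secret, challenge, response)


if __name__ == "__main__":
    # Constructed device secret for the demo; a real key never exports its private key.
    secret = b"constructed-device-secret"
    print("direct login verifies:", login_direct(secret))
    print("relayed via look-alike site verifies:", login_via_lookalike(secret))
```

Compare this with the SMS case on the same page: the proxy forwards the six digits the victim typed, and the bank has no way to tell they were entered on the wrong site.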

It must be stressed an underlying condition to any 2FA alternative is the user themselves must have some level of active participation and responsibility.

At the same time, further work must be carried out by service providers, developers and researchers to develop more accessible and secure authentication methods.

Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple methods of authentication are simultaneously deployed and combined as needed.


Syed Wajid Ali Shah, Research Fellow, Centre for Cyber Security Research and Innovation, Deakin University; Jongkil Jay Jeong, CyberCRC Research Fellow, Centre for Cyber Security Research and Innovation (CSRI), Deakin University, and Robin Doss, Research Director, Centre for Cyber Security Research and Innovation, Deakin University. This article is republished from The Conversation under a Creative Commons license. Read the original article.

18 Comments

Fantastic article.

Ffs. Everything is getting more online and then more complicated. Maybe if you are tech savvy you can stay ahead of the bad people, but what if you are like most people that aren't. It's like you are one of the flock of sheep with the wolves on the perimeter.

For the old farts perhaps. Young people are generally tech savvy and more aware of tech security. We don't need boomers dictating how tech is used and of its moral implications.

Everyone who is careful gets to be an old fart. Maybe you too JC. But anecdotally, of the people I know that have been hacked or scammed, most were in their 20s.

Not everyone can be expected to be tech savvy, just like not everyone can fix a car, or play a musical instrument. But the difference is that you aren't forced to fix a car or play an instrument. But you are forced to go online for just about everything now.

People at the bottom ARE getting a lot more savvy with cyber security. Credit/debit cards are a horrendous security risk.. mobile phones are pretty much tracking devices at this point.. open-source mobile operating systems are slowly developing.

Things will improve.

For the hackers, yes. More data collection & reliance on it, weak company security (physical and online), and now even third-party attack software and cloud hacking services that come with better customer service than most internet providers and indeed our own govt branches like the IRD, or Healthline. Technically it is improving, just not for the potential victims. WTF, open-source mobile operating systems have been with us for more than a decade now... How far back are you living? One downside is that planned obsolescence, OS lock-in and restricted device warranties have only gotten worse. But hey, many people don't get a choice, with their companies often dictating the devices and OS used.

This is why you will always be an easy target for hackers. Too oblivious to modern risks and not suspicious of systems that literally are gaping open security wounds leaking pus and private data.

Isn’t YubiKey vulnerable to the very same social engineering attacks? In the example given of a close family member with access to your phone would they not also have access to your key?

Depends, they often don't allow password changes or logins without the 2FA, and in general you don't need 2FA except for certain operations. Unless you have the key taped to the phone, on a keyfob or on a desk etc the risk drops. However there is still a problem that the phone is logged in to mail accounts, and exporting data and enough account details to hack several private accounts becomes a matter of minutes. Even fingerprint and face scans can be easily got around. But a real worry is the human factor. If you cannot trust family then the real problem is leaving them with anything, not just the phone, for a few minutes. What about the car keys, bills & receipts or objects of value? If they want to steal something at all or stalk where you go etc then that is always a bigger problem that changing 2FA will never fix. Plus there are some very valid cases where you want family to have access, e.g. in medical distress, in emergencies etc. Hence why it becomes very difficult to stop and prevent elder abuse when a person needs someone else they can trust for important tasks or emergencies.

Perhaps showing up in person at the bank would have solved a lot of technologically induced security problems.

Nothing like the old school way.

Because walking around with a $100k cash in a sports bag is an excellent idea...

That depends who's escorting you.

Yes it would. Even in person managing important account operations (open, change authority, loans, cc, amount transfers over x), people rarely carried large sums of cash (what moron thinks that, unless they are a drug dealer), and there were better governance policies and protection of private data. Especially also protection against identity theft. But it costs more to have staff and be accessible to customers. Also so much better to allow anyone with a stolen driver's license and stolen mail to open accounts under your name without seeing you once accurately at all.

I pity the fool who hacks into my accounts just to find all they can do is repay my mortgage. No money ftw!

Thanks for publishing a how-to for the aspiring hacker.

Both SMS and e-mail are unencrypted - very susceptible to man-in-the-middle attacks. Everyone should be using Signal for SMS-like services.

From a 'State Security' perspective Hillary Clinton's e-mail server should have landed her in prison. E-mail should NOT be used for sending bank statements or medical records. Utility bills shouldn't really be sent to e-mail addresses either, as they contain contact information.

Mobile carriers ideally should face multi-million-dollar fines every time they sim-swap without verification. Consumers should have the option to disallow sim swapping of their number(s).

See if you have been compromised https://monitor.firefox.com/

I am aware that some banks hand out actual hardware tokens in NZ, this is much better.
If you have a many-character passphrase like "Countdown is low on stock this week 4587#" and a hardware token, you are reasonably OK.

As Zack mentioned if you are not using Signal.org and Protonmail already, please do your family a favor and make the switch.

Yubikey is great, support not so much is my understanding.
Wish my bank would support it.

Also https://nextdns.io/ is a real easy way to use encrypted DNS, with parental control and ad/track filtering added, but we are going off topic now.

Sure, SMS-based 2-factor auth isn't perfect, and go for more secure alternatives such as security keys if you can, but SMS-based 2FA is still a heck of a lot better than no 2FA.

All these steps are much harder and involved than just getting someone's username and password from a leak somewhere.

If you don't have 2FA turned on for an important account such as your email or bank, turning on SMS-based 2FA is still a significant increase in security.