Practice
Computing Applications Practice

Security Analysis of SMS as a Second Factor of Authentication

The challenges of multifactor authentication based on SMS, including cellular security deficiencies, SS7 exploits, and SIM swapping.
Posted
  1. Introduction
  2. SMS vs. One-Time Token App
  3. Security Challenges of SMS-Based Authentication
  4. Final Thoughts
  5. References
  6. Author
envelope and key on smartphone display, illustration

back to top 

The internet started becoming the main reason that household PSTN (public switched telephone network) lines stayed busy sometime in the mid to late 1990s. Over the next decade, a number of online services completely changed the interaction of society with technology. From email to the dawn of e-commerce, these services increasingly tied people to technology and the Internet.

Although the concept of a password was prevalent in many technology disciplines and domains, the general public had little knowledge of it, with the exception of PINs for their debit cards. It was the Internet that introduced the concept of password security to them. From that point on, people realized they had to remember passwords to access their email accounts, favorite e-commerce sites, and so on.

At that time, a password was all it took to unlock an account, and password requirements were very loose. The cybersecurity landscape was nowhere near as challenging as it is now, particularly when it comes to the security of consumer accounts. There were exceptions for certain industries, such as banking, where password requirements were slightly more stringent and a hidden form of two-factor authentication, based mainly on IP geolocation, was used before it became an option for other sites. Nevertheless, the average consumer generally needed just a simple password to access even highly critical repositories of data, and the same password was often reused for multiple accounts.

Today Internet security requires much more attention. A good example of what can go wrong is the hacking ordeal detailed by a technology reporter for Wired who was not using two-factor authentication for his email account.8 Email accounts have become, over the years, not only large repositories of highly sensitive and private data, but also single points of failure for digital footprints on the Internet. For example, the majority of online services allow for the resetting of a password by sending an email to the user’s main email account. As a result, if an email account gets compromised, many other accounts can also be compromised in short order.

As the security-threat landscape has changed, so too have the way passwords are used and their complexity requirements. Although many online services did not really adhere to best practices, it became widely acknowledged that passwords should be highly complex in order to maximize their entropy and, thus, substantially increase the amount of time it would take to crack them.

Eventually, though, some scientific studies12,29 and a viral online cartoon30 argued that increasing password complexity was not the right solution. Pass-phrases are proven to have much higher entropy and are much easier to remember. On the other hand, forcing password rotation, in combination with a strict password complexity policy, has been shown to result in much weaker passwords. Moreover, as a rule of thumb, it is now acknowledged that a password might not necessarily have to be rotated if it is not present in any of the public repositories of leaked credentials in the wild.10

Along with the ongoing challenge of making passwords secure but still usable and easy to remember, the security industry recognized the security of an online account should not be protected only by something you know (your password). Somewhat similar to the banking approach, which requires something the user has (for example, a debit card) and something the user knows (for example, the card’s PIN), online accounts started to support, and in some cases mandate, the use of two-factor authentication. The second factor needed to be something the user has—the obvious and simple choice was clear from the beginning: the user’s smartphone.

Enabling two-factor authentication for online accounts is critical to their security. Everyone should enable this feature in (at the very least) their email accounts, as well as other accounts that store critical and sensitive data such as credit card numbers. Crypto-currency exchange accounts, which are commonly the target of cybercriminals, should also be secured by multiple forms of authentication. The potentially high monetary value of what these accounts protect makes them an interesting case study of what might be the best choice for a second form of authentication. For example, while SMS (short message service) as a second form of authentication is a good idea for certain types of online accounts, it is not the best option for those who own a large amount of cryptocurrency in an online exchange.3

SMS-based authentication tokens are popular options for securing online accounts, and they are certainly more secure than using a password alone. The history of cellular network security, however, indicates that SMS is not a secure method of communication. From rogue base stations and stingrays to more sophisticated attacks, there are a number of known methods to eavesdrop on and brute-force text messages, both locally and remotely. As such, this method is not the most reliable for accounts that store assets with a high financial value, such as cryptocurrencies.

This article provides some insight into the security challenges of SMS-based multifactor authentication: mainly cellular security deficiencies, exploits in the SS7 (Signaling System No. 7) protocol, and the dangerously simple yet highly efficient fraud method known as SIM (subscriber identity module) swapping. Based on these insights, readers can gauge whether SMS tokens should be used for their online accounts. This article is not an actual analysis of multifactor authentication methods and what can be considered a second (or third, fourth, and so on) factor of authentication; for such a discussion, the author recommends reading security expert Troy Hunt’s report on the topic.9

(Full disclosure: the author uses SMS to secure some rather vanilla online accounts, mainly those that do not require storing a credit card number or other sensitive financial information.)

Back to Top

SMS vs. One-Time Token App

For standard consumer online accounts, the two main options for providing a second factor of authentication are generally via SMS or leveraging a one-time token generated by an app on the user’s smartphone. The latter is more secure and should be used for highly secure and sensitive accounts, but the former is the most widely used option and could be a valid choice in certain circumstances. Aside from their security, however, these two options have very different advantages and disadvantages in the context of convenience and usability—important factors to consider when designing a secure system. The pros and cons of both types of authentication are summarized in Figure 1.

f1.jpg
Figure 1. Pros and cons of different types of token.

App-generated token. As noted throughout this article, a one-time token generated by an application on the user’s device is the most secure way of implementing two-factor authentication for online accounts without requiring nonstandard hardware to be used by the consumer (for example, an RSA token, a YubiKey, and so on, which are more common in an enterprise context). Aside from that, there are a number of advantages and disadvantages.

One of the main considerations for either option is network connectivity. The convenience of an app-generated token, which requires no network connectivity, contrasts with the strict requirement of connectivity to receive a token via SMS. Although network connectivity is considered a ubiquitous commodity, there are a number of scenarios in which a user could require access to an account while out of range.

Another advantage of app-based token delivery is that these apps can generally be registered and used with multiple online accounts. The main usability challenge with generating tokens with a smartphone app, however, is that administering such an app—and the cryptographic material it leverages—requires some extra effort. In general, backing up a smartphone to the cloud, the most common method, does not save such cryptographic material as part of the backup data. Nor does this material get saved on an unencrypted local backup on a computer. Even when locking a local backup with a password, not all seeds are stored with it. This can lead to users getting locked out of their accounts if their smartphones are lost or stolen, for example, or even if they get a new phone. In these scenarios, the so-called “backup codes” are important. As a rule of thumb, users should never wipe their old smartphones until the new ones have been fully set up and two-factor authentication apps have been reset.

SMS token. Two-factor authentication tokens received via text message tend to work well for standard consumer use because they’re easy for the user. There is no requirement to install an application on the user’s device, and it doesn’t require any management of backup codes or a backup plan to deal with a lost or stolen device. When a user gets a new device, there is no need to reset the two-factor authentication system, as text messaging is tied to the phone number, which generally remains unchanged on a new device.

On the downside, SMS-based authentication requires an active connection to the cellular network. Even though the majority of text message-based communication occurs over IP (for example, iMessage and WhatsApp), SMS second-factor authentication tokens are generally delivered over cellular networks’ standard SMS. Therefore, Wi-Fi connectivity alone is not sufficient; an active cellular connection is necessary. This can be challenging in certain situations where cell service is spotty or nonexistent or connectivity is constrained to 802.11 networks.

Despite their security challenges, SMS-based authentication tokens are a widely utilized option, which is currently receiving active support from device manufacturers. As an example, Apple recently announced a new feature in iOS 14 to harden SMS codes against applications attempting to trick the user into inputting the code in a malicious app (https://developer.apple.com/news/?id=z0i801mg).

Back to Top

Security Challenges of SMS-Based Authentication

Despite its convenience and use by a large number of online services, two-factor authentication via text message has significant security challenges. This section presents an overview of the main security challenges of using SMS for two-factor authentication token delivery. These range from somewhat sophisticated threats to cellular network protocols, which require an adversary to be in the vicinity of the target victim, to low-hanging fruit techniques that, despite being much less technically complex, have no range constraints and can be implemented at near-zero cost. For example, one of the biggest security threats in mobile communication systems is SIM swapping, a systemic problem related to how mobile operators authenticate users in their customer care platforms.18

The main advantages and challenges of three different methods of SMS interception are summarized in Figure 2.

f2.jpg
Figure 2. Three methods of SMS interpretation.

Cellular network security. The first generation of mobile networks (1G) lacked support for encryption. Legacy 2G GSM (Global System for Mobile Communications) networks lack mutual authentication and implement an outdated encryption algorithm. Combined with the wide availability of open source implementations of the GSM protocol stack, this resulted in the discovery of many possible exploits on the GSM radio link over the past decade23 (illustrated in Figure 3). Specifically, both the techniques and the tools necessary to deploy a malicious GSM base station and implement a full MITM (man-in-the-middle) attack against a GSM connection are commodities, although they require the adversary to be in physical proximity to a given target. Low-cost software radios and open source implementations of the GSM protocol stack can be used to intercept mobile traffic, including SMS messages.22,24

f3.jpg
Figure 3. GSM traffic eavesdropping and interception.

Over the past few years, researchers have also demonstrated how to intercept SMS traffic with less strict proximity constraints by triggering a race condition when replying to paging messages intended for another user.6 In order to geolocate a given target victim to intercept a token over SMS, privacy and location leaks have also been investigated in the context of legacy GSM networks.17

Specific efforts were made to enhance confidentiality and authentication in 3G and LTE (Long-term Evolution) mobile networks, with stronger cryptographic algorithms and mutual authentication implemented in both standards. Because of this, LTE has generally been considered secure, given its mutual authentication and strong encryption scheme. As such, confidentiality and authentication were wrongly assumed to be sufficiently guaranteed. Researchers demonstrated a few years ago, however, that LTE mobile networks are still vulnerable to protocol exploits, location leaks, and rogue base stations.14,27

Despite the strong cryptographic protection of user traffic and mutual authentication, a large number of control-plane (signaling) messages are regularly exchanged over an LTE radio link in the clear. Before the authentication and encryption steps of a connection are executed, a mobile device engages in a substantial conversation with any LTE base station (real or rogue) that advertises itself with the correct broadcast information. This results in a critical threat caused by the implicit trust placed—from the mobile device’s point of view—in the messages coming from the base station. Many operations with critical security implications are executed when triggered by some of these implicitly trusted messages, which are neither authenticated nor validated.

In the age of large-scale cyberattacks, one of the largest civilian communication systems must rely on privacy protocols far more sophisticated than just basic implicit trust anchored in the base station looking like a legitimate station. Note that the same applies in reverse, with the base station implicitly trusting all preauthentication messages coming from mobile devices.

Although a malicious LTE base station is incapable of launching a full MITM attack, several studies have demonstrated and prototyped techniques to silently downgrade a modern smartphone to a vulnerable GSM connection.13,26,27 What all these techniques have in common is they leverage and abuse such preauthentication messages.

As the industry prepares to embrace the advent of 5G, the security architecture for such next-generation mobile networks is being put under scrutiny. Several studies over the past year have highlighted the fact that most preauthentication message-based protocol exploits in LTE still apply to 5G networks.11,15,16,26 As a result, silently down-grading the connection of a smartphone to a GSM link is still possible, given the current specifications for such mobile communication systems.28 By abusing these vulnerabilities, an adversary could successfully intercept a two-factor authentication token delivered over SMS.

It is important to note, however, that intercepting tokens from SMS messages by intercepting GSM traffic is the most technologically complex option. Even though such attacks can be carried out with low-cost software radios and minor modifications to open source tools, the vast majority of fraud conducted by intercepting authentication tokens delivered via SMS leverages vulnerabilities in either SS7 or SIM swapping.

SS7 security. SS7 is a legacy architecture and protocol developed more than 30 years ago. It performs out-of-band signaling support for a number of functions in the PSTN, namely call establishment, billing, routing, and information exchange.25 From its inception in 1988, when mobile operators started leveraging it for out-of-band signaling, this protocol’s security mostly relied on the implicit trust among operators. It was regarded as a closed trusted network and had limited to no authentication built in. As a result, the security features of this network and protocol were minimal and depended on a small number of operators globally that were either state-controlled or large corporations. This is not the case anymore, as the number of operators is much larger as a result of the steep increase in mobile usage, as well as the growth in the number of MVNOs (mobile virtual network operators) around the globe over the past decade.


In the age of large-scale cyberattacks, one of the largest civilian communication systems must rely on privacy protocols far more sophisticated than just basic implicit trust anchored in the base station looking like a legitimate station.


3GPP (3rd Generation Partnership Project) added two new protocols to SS7 in the 1990s and 2000s: MAP (Mobile Application Part) and CAMEL (Customized Applications for Mobile Networks Enhanced Logic). These were aimed at supporting some of the new services that mobile networks provide, as well as new features for mobile operators.19 Among other functionality, CAMEL allows the implementation of carrier-grade value-added services such as fraud control and prepaid services. In parallel, MAP provides services to geo-locate devices globally, such as the any-TimeInterrogation service and LCS (Location Service). Discouragingly, none of these new SS7 subprotocols added authentication or security features.

Researchers have identified a number of critical security vulnerabilities in SS7 that could be exploited to geolocate users and intercept their traffic from nearly anywhere.5 In some cases, the only requirement is to have access to the SS7 network, which, despite being more restricted now than in the past, can still easily be purchased on the dark web. Researchers have also gained access to the SS7 network via hacked femtocells and, in some scarce cases, actually purchasing access from mobile operators.

To make matters worse, researchers were also able to demonstrate techniques to intercept phone calls and text messages remotely by means of exploiting flaws in the CAMEL protocol. Figure 4 illustrates this process. Such security threats in mobile communication networks came to wide public attention when a German researcher demonstrated these attacks in a news report on primetime TV.1

f4.jpg
Figure 4. Exploiting flaws in the Camel SS7 protocol.

Once the attacker has access to an entry point to the SS7 network, all it takes is one message to modify the registration for a given target in the MSC (mobile switching center), in the case of GSM. From that moment on, the MSC will reach out to the attacker instead.

Modern LTE networks largely migrated most SS7-based services over to the Diameter protocol. This new protocol, despite providing some improvements, still suffers from a number of vulnerabilities, most of which are flaws inherited from SS7.2 As a result, similar remote interception of calls and text messages could be possible in LTE. Regardless, as discussed earlier, silently downgrading a smartphone to a much less secure GSM connection is simple, given enough proximity to the target.

Exploiting security flaws in SS7 networks and their protocols is a fairly efficient way to intercept two-factor authentication tokens delivered over SMS. In general, this is an attack vector that is known for being used by hacker groups and has become so relevant that it is even considered within the MITRE ATT&CK framework, which has been widely adopted by many technology companies as part of their security postures.20

SIM swapping. Despite the effectiveness of the SMS interception techniques that exploit flaws in cellular network protocols and in legacy SS7 networks, SIM swapping is arguably the number-one security threat against SMS communications being used to deliver one-time tokens for multifactor authentication.

As illustrated in Figure 5, a SIM swap attack consists of fooling a mobile operator, usually over a phone call with customer service, that the legitimate owner of a cellular subscription needs the account to be ported to a new SIM card. The caller may claim, for example, that the phone was lost overseas and access needs to be recovered as soon as possible on a newly acquired phone and a new SIM card. The credibility of such a story is actually not that important; SIM porting attacks are frustratingly easy to accomplish.18

f5.jpg
Figure 5. SIM swap attack.

Once an attacker successfully manages to get a victim’s account ported to a SIM, the rest of the attack is fairly simple. From that moment until the victim notices the loss of coverage and calls customer service, the attacker will be the destination of any call and text message routed to the victim’s MSISDN (mobile station international subscriber directory number)—that is, the victim’s 10-digit phone number. Therefore, any two-factor authentication token requested will be received by the attacker.

This type of attack is simple to implement and accounts for a majority of breaches that require intercepting authentication tokens. Given the low cost and low effort a SIM swap attack requires, fraud and scamming rings are devising more sophisticated methods to scale up the number of accounts they can take over. For example, it was recently discovered that SIM swappers were bribing customer service employees to perform the swaps for them and even leveraging malware that targets the remote desktop technology used in call centers.4

Interestingly, fraudulent online account takeovers based on a SIM swap attack are not too complex to mitigate. Despite being a widely acknowledged security risk in America and Europe, it is a much mitigated threat in African nations.7 For example, cellular operators in Mozambique provide a means for banks to check their records for recent SIM swaps for a given account. If a SIM swap has recently occurred, the bank will deny a transaction or prevent a security token from being sent via text message.

Such a simple solution is reported to have reduced SIM swap-based banking fraud to nearly zero overnight. SIM swapping, however, is still arguably one of the biggest security risks for the average consumer of online banking and financial services. For example, the prevalence of SIM swap-driven fraud in the U.S. resulted in an official warning by New York State’s Division of Consumer Protection.21

Back to Top

Final Thoughts

Despite their popularity and ease of use, SMS-based authentication tokens are arguably one of the least secure forms of two-factor authentication. This does not imply, however, that it is an invalid method for securing an online account.

True, there are a number of services that should not be used with tokens delivered via SMS—for example, banking and financial services, cryptocurrency services, and anything containing sensitive financial information, and credit card numbers. Personal email addresses also fall into this category. An email account takeover can have devastating consequences if that account is the cornerstone to the user’s online digital identity.

On the other hand, there are many online services for which SMS-based tokens do suffice for the average consumer—for example, any vanilla accounts that store no sensitive or financial information, which attackers could not easily monetize, thereby discouraging them from trying to take over the account in the first place.

Other variables should be factored into the equation when deciding which multifactor authentication method is most appropriate. The security implications for a social media account for a well-known individual with millions of followers are very different from those for an account with just a handful of followers. Therefore, while using SMS as a second factor of authentication for some social media accounts is perfectly valid, it would be wise to opt for a different method for the account of a celebrity or politician.

The current security landscape is very different from that of two decades ago. Regardless of the critical nature of an online account or the individual who owns it, using a second form of authentication should always be the default option, regardless of the method chosen. In the wake of a large number of leaks and other intrusions, there are many username and password combinations out there in the wrong hands that make password spraying attacks cheap and easy to accomplish.

q stamp of ACM Queue Related articles
on queue.acm.org

VoIP: What is it good for?
Sudhir R. Ahuja and J. Robert Ensor
https://queue.acm.org/detail.cfm?id=1028897

Communications Surveillance: Privacy and Security at Risk
Whitfield Diffie and Susan Landau
https://queue.acm.org/detail.cfm?id=1613130

ACM CTO Roundtable on Mobile Devices in the Enterprise
Andrew Toy, André Charland, George Neville-Neil, Carol Realini, Steve Bourne, Mache Creeger
https://queue.acm.org/detail.cfm?id=2016038

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More