Second Factor SMS: Worse Than Its Reputation

A family friend of ours recently fell victim to a phishing attack perpetrated by an attacker who paid for Google Ads for a search term like "BANKNAME login". The site was an immaculate knock off, with a replay attack in the background. She entered her 2fa code from the app on her phone but the interface rejected the code and asked her for another one. In the background, this 2nd code was actually to authorise the addition of a new "pay anyone" payee, and with that her money was gone[0].

I have accounts with 2 banks, one uses SMS 2fa and the other uses an app which generates a token. I had thought that the app was by default a better choice because of the inherent lack of security in SMS as a protcol BUT in the above attack the bank that sends the SMS would have been better because they send a different message when you're doing a transfer to a new payee than when you're logging in.

So really the ideal is not just having an app that generates a token but one that generates a specific type of token depending on what type of transaction you're performing and won't accept, for example, a login token when adding a new payee. I haven't seen any bank with that level of 2fa yet, has anyone else?

I guess perhaps passkeys make this obsolete anyway since it establishes a local physical connection to a piece of hardware.

[0] Ron Howard voice: "she eventually got it back"

I've long suspected that companies which force SMS 2FA don't really care about security, they just want your phone number, and 2FA is a convenient bit of security theatre to make you give it to them.

NIST has explicitly said you shouldn't use SMS 2FA for a while now:

NIST SP 800-63B §5.1.3.3. https://pages.nist.gov/800-63-3/sp800-63b.html#pstnOOB

And unfortunately almost every bank forces me to use them, because their apps refuse to run on my rooted phone. Nice security win there!

The article conflates two issues that have different security implications.

The "1-click login" links are a concern and just having access to the SMS would be enough to take over things like WhatsApp.

But 2FA codes seem notably less worrying. They are the second factor and require an attacker to have the password too. For these cases I'm much more relaxed about the use of SMS and the risks of interception.

In the UK it seems that almost all online banking transactions are now verified by SMS. As far as I can tell this is required by law, and replaced the previous, bank card + card reader + pin verification system, which was not only more secure but also did not depend on having a working mobile phone with signal.

I hope that this will in due course be recognised as a terrible mistake and rectified. Unfortunately my hope is only faint.

Sweden solved this problem years ago with BankID

https://en.wikipedia.org/wiki/BankID

It is amazing what a little cooperation between public and private institutions can achieve. It is the only way to login and 2fa to government services and most banks (some legacy systems are still supported by banks) and it works great.

It is incredible there is no system like this for every country, heck it is incredible that there isn't a system like this for the whole EU.

Apparently the messages on the S3 bucket were updated every five minutes: https://www.zeit.de/digital/datenschutz/2024-07/it-sicherhei...

The CCC definition of this being only 2FA-SMS is incorrect though. It was not only Twilio Verify (2FA API) that was affected, it was all SMS sent through this vendor.

Hardly an SMS issue, an issue with a vendor not properly securing a sensitive datastore.

Several financial institutions I work with require 2FA with SMS, and do not offer an option for HOTP/TOTP. FML.

I think we should just ban companies from implementing SMS 2FA.

https://lorendb.dev/posts/lets-ban-sms-2fa/

Random thought I’ve been having as we keep bringing this topic up these past few weeks…

How interesting or uninteresting would bi-modal 2FA be ?

That is: you receive a code by text and you enter the code by email…

I haven’t spent any time to work out whether this significantly changes the attack surface but… At first glance it does seem like you would need to own two different account types…

… So I guess a first question would be: does this exist anywhere? Has anyone ever seen this or done this?

I like that IdentifyMobile's website[0] isn't even protected with a valid HTTPS cert. Falls back to HTTP. Oh and it's WordPress. And last updated 2015. Guess that's all telling. Nice that so many important companies used this crappy provider for such things.

[0] http://www.identifymobile.com/

Out of curiosity, I just tried with ChatGPT 4o... Screenshot of a legit banking website and asking it to describe it to me, to give me the exact URL in the screenshot and to tell me if it's legit or not.

It described me the whole page, explaining it was a login page to log in to bank X in country Y. He compared the URL with the bank's name, etc.

Then I modified one letter in the URL, changing "https://online.banking.com" (just an example) to "https://online.banklng.com" and asked ChatGPT 4o again.

He said it was a phishing attempt.

So, basically, you can, today, already have a screenshot automatically analyzed and have a model tell you if it's seemingly legit or not.

In Singapore, the banks have moved away from SMS entirely, even for notifications. Now they have to come through the app.

But for login you basically register a single phone, download a certificate to it and that becomes your second factor. If you login via web or another phone, you need to approve the login from that phone.

Of course if you lose the phone (or it's damaged) you need to go to the bank to fix it, but that seems like a reasonable approach.

The rule of thumb is that you should always avoid any services that still rely on SMS or phone numbers as an ID or 2FA. They simply don’t care about your privacy or security, even if they advertise it. A prime example is Signal.

Unfortunately, for some other services, like banks or government agencies, you don’t have any option. You can only minimize the impact by using a unique password and username and keeping them updated.

If the choice between no 2FA and SMS, which is better?

Certain financial institutions in some regions mandate telephone-network based 2FA for their customers accounts, and in the event of an account compromise attempt to pin the onus of liability on the customer. Maddening they wont give customers better options if they want to secure themselves.

It always feel useless when you get the second factor on the very device you are logging in from. I know it's not because you still have to physically have the device but instinctively, I always think true 2FA should involve different devices.

"CCC researchers had live access to 2nd factor SMS of more than 200 affected companies - served conveniently by IdentifyMobile who logged this sensitive data online without access control."

How about the login service send the code encrypted in the SMS such that it can only be decrypted on the phone of the actual user? Still vulnerable to phishing attempts, but better than relying on deficiencies of SMS technology .

The modern auth invented just to push mobile + cloud model is DISGUSTING. We have since decades smart cards for various things, from payments to IDs, why the hell not keep inserting readers in keyboards and laptops bodies, selling cheap desktop USB reader and teach people to use them? Simply because with them there is no way to force mobile computing allowing some third party to snoop a bit in end users lives.

I hope a day or another people will understand and IMPOSE an end to such crappy unsafe practice.

That's because SMS verification isn't 2FA. It's faux 2FA. You don't possess your phone app or your phone number... it can be cloned and intercepted. A key you hold on your person is 2FA.

Any push-based service would be vulnerable to this, wouldn't it? The medium doesn't matter if somewhere in the chain someone stores the message (in public).

Twilio said the data was accessible between May 10 and May 15, 2024[0].

I mean, even if we disregard the auth codes thing, which according to CCC were being generated on a static timer, if someone did get access to this bucket - they would have gotten away with a juicy list of phone numbers and names from some of the top companies, at the very least.

I'm not sure how hard it would be for an S3 scanner to guess "idmdatastore", so it is difficult to say if anyone else got in. Even if not, a live database storing live data without encryption or anything is crazy. I feel like IdentifyMobile will feel the wrath of this no matter what.

[0]: https://stackdiary.com/twilio-issues-an-alert-about-a-securi...

Wow SMS 2FA forced bullshit that suddenly got astroturfed right on the day of the Snoweden revelations is actually indeed bullshit. When will they have opt out of this or is this just the end of the web? 20 years ago I did not need or want anything more than a password (obviously cryptographic key auth would be better but not if it's brought to you by X.509). And of course all the HNers who eat this shit up and defend it like little dogs are suddenly on the other side. Email verification is fucking dumb too, and of course now every email forces phone SMS shit.

Can someone explain to me how SIM swapping actually works?

All the articles and videos I found are like:

1. Attacker calls phone companies support hotline or alternatively his confidante there

2. ** MAGIC **

3. Atacker has access to SMS messages sent to victims number

I understand that some might be deliberately vague but I don't want a step by step instructions, just a high level technical overview.

And to give another hint why this is so hard for me to understand: To the best of my knowledge, if I call my phone company with whatever scenario that I can imagine that involves my SIM, all they will do is send me a new SIM to my physical address.

I’ve recently become pretty disillusion with 2FA in general.

Google has recently started enforcing their own “click yes on already authorize mobile device” 2FA, which is very frustrating.

I have hardware 2FA keys that I keep in a safe. I deliberately do not keep them on me, and using them to re-auth is mentally an “event”.

This is not the case with my cell phone, which my kids play with, gets left on my dresser while the cleaners work, etc.

Really pushing me to run my own services again, but that obviously comes with its own challenges.

I can't think of any reason why we should not make password managers mandatory for all web authentication today, with the password manager being the 2nd factor.

Your desktop, laptop, tablet, and phone can all share a password manager. They work offline and online. Passwords generated are unique, breaking password reuse attacks. Password managers support auto-filled TOTP codes per-login. They support passkeys. There's password managers built into browsers in addition to the 3rd party ones. There are personal, family, and enterprise options. They could be installed as a system service to isolate them from userland attacks. They support advanced functionality like SSH keys, git signing and biometrics.

If you're a stickler about having a completely independent factor from your desktop/phone/etc, password managers could be used with different profiles on different devices, and allow several easy ways to pass an auth token between devices (via sound, picture, bluetooth, network, etc), ensuring an independent device authenticates the login to avoid malware attacking the password manager.

We already have the tools to do something way more secure than SMS, and it's already on most of our devices/browsers. We just have to make it the preferred factor.