Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com)

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
  • by Anonymous Coward on Tuesday September 19, 2017 @08:04AM (#55224695)

    End to end encryption easily solves this and other problems related to government spying.

    First of all, these are not cellular network "vulnerabilities." These are "features." And these "tools" are not Proof-of-Concepts for finding weaknesses in the networks. They are "products" that are sold to government for the purpose of spying on YOU and ME.

    • by AmiMoJo ( 196126 )

      Why even bother trying to transmit the code? Just use time based codes.

      • Agreed. Just use a proper hardware or virtual MFA device.

        Codes sent via SMS don't really count as a second factor (it's another "something you know" like your username and password and not a "something you have") and they can be captured during transmission. NIST has been recommending against them since July of 2016.

    • by Strider- ( 39683 )

      Said someone who doesn't know the history of these protocols. SS7 has been around for a long, long time, longer than the IPv4 we all love to hate. It was developed in the days of yore, before the breakup of Ma Bell, when there were only a handful of telephone companies, and they all had reasonably tight control over their signalling networks (having started to learn their lesson from Captain Crunch, blue boxes, and the other phreakers). It was never intended to be used as it is today.

      Besides, if the national

      • SS7 ISUP, yes, is very old. Other parts of SS7 are not so old. In fact, SS7 allows you to extend it to do custom things and pass vendor specific data in proprietary formats, and many vendors have done this. Some SS7 extensions fell into common use, others didn't. But SS7 has been changing a lot over the last few decades as voice and data services have evolved and many proprietary extensions have become commonly used.

        Most of this advancement though has pretty much ended at this point. These days the

    • by antdude ( 79039 )

      I am waiting for everyone to use Signal!

  • My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?

    • Re: (Score:3, Funny)

      by Anonymous Coward
      No. I mean, you might have your account drained of all money, but your bank would be just fine.
    • Re:bank? (Score:4, Insightful)

      by nine-times ( 778537 ) <nine.times@gmail.com> on Tuesday September 19, 2017 @08:38AM (#55224827) Homepage

      Basically SMS isn't secure, and shouldn't be treated as a method of securely transmitting data.

      • How about automated voice calls? Are they any more secure - my bank offers me a choice between text and voice call.
    • My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?

      FDIC insurance says everything about the give-a-shit level of most banks.

      • by Anonymous Coward

        That's not what the FDIC is for. FDIC covers bank failures only. Also the cost of FDIC is very very low because even a bankrupt bank has a net asset value of approximately zero, so the FDIC just has to kick in a little cash to get a buyer.

        You shouldn't really post if you have no idea what you are talking about.

      • by bws111 ( 1216812 )

        What is that even supposed to mean? The FDIC doesn't protect the bank against anything, it protects you in case your bank becomes insolvent. It does not protect you or the bank from fraud, robberies, or anything else.

    • It probably could. The method you are depicting could also be used by intercepting your SMS message from the reset of your password as well as a transaction confirmation method. Once they reset your password, make a transaction, okay it all while still intercepting your SMS, and voilà. All unbeknownst to you, they have drained your account. Are there other safeguards in place to ensure that this does not happen? I do not know at this point, but that is a good question to ask.

      This I hope actually does r

  • Apps (Score:4, Funny)

    by Anonymous Coward on Tuesday September 19, 2017 @08:10AM (#55224721)

    Only LUDDITES use text messages for two-factor authentication. Modern app appers app authentication apps for authentication through apps.

    Apps!

  • For a moment I was worried that I'll have to use binary or hex for two-factor authentication rather than plain "texts".
  • Why do we keep seeing this being reported incorrectly by security "professionals"? Using SMS has always been two STEP, not two factor. You need to use the correct words describing a system if you are going to rag on that system.
    • by TheRaven64 ( 641858 ) on Tuesday September 19, 2017 @09:12AM (#55224983) Journal
      SMS is intended for two-factor authentication when the phone is a thing that you have and is separate from the thing that you know. The problem that TFA points out is that 'having the phone' and 'being the only one who can receive SMS to that number' are not even slightly the same thing. The other problem is that an increasing amount of stuff is done on the phone, so the phone stops being a separate 'something you have' and is just your terminal, which is as likely to be controlled by the attacker as any other terminal (probably more so, given how many run unpatched operating systems with known vulnerabilities).
    • Probably because you are clueless, and it is indeed two factor auth.
  • This is just a rehashed article from over a year ago. Same exact examples are referenced. That SS7 site on tor has been reported a few times now as being fraudulent. The bitcoin wallet on there had like 2 transactions into it. This is a serious threat for sure but they are grossly overestimating the effects of this in the wild. It's not exactly 'easy to attack SS7' for the non telecom enthusiast. If it was, people would be selling the service and telecom would've moved on by now.
    • The exact same attack "false roaming request" has been in the wild since 2003 or 2004. Literally millions of people lose money due to having their phone number hijacked and being used to send SMSes to paid numbers.

      Same trick is being used by Russian spies to regularly steal online accounts of European politicians

    • telecom would've moved on by now

      They already did. It's called Diameter [wikipedia.org]

  • by Anonymous Coward

    If you're paranoid or actually at risk of being hacked, buy a burner phone and use that for your 2 step authentication.
    Nobody can social engineer or cell tower hack your number because they don't know it.

  • by MightyYar ( 622222 ) on Tuesday September 19, 2017 @09:09AM (#55224961)

    So... still better than password-only. That's probably good enough for my purposes.

    • by Solandri ( 704621 ) on Tuesday September 19, 2017 @10:48AM (#55225487)
      No, it's worse than password-only. If your account is only protected by a password, then there's no password recovery. You forget your password and you're locked out of the account, permanently. OTOH that means anyone trying to get into your account has to guess/know your password in order to get in.

      With this SMS intercept exploit, they can get into your account without knowing your password.

      You're thinking of using a SMS in addition to your password in order to login to an account - i.e. 2FA. Yes in that case it's better than password-only (unless it lulls you into picking a poor password because you think you're being protected by the SMS). But that's not what this exploit is about. It's about resetting your password by intercepting a SMS that was supposed to go to your phone. The SMS is used to bypass your password, not to augment it. (In your defense, TFA conflates the two as well, leading to the confusion.)

      In other words, it's stupid using 2FA to login, if your password reset procedure is 1FA. Attackers will simply ignore the stronger security to target the weakest link - the 1FA step.
      • Yes, the article (and summary) confused me. On my Google account, to do a password recovery I believe they'd need to compromise my second email account and know a security question to recover my Gmail account. If they do all that, then yeah I'm screwed but frankly that is a lot of work and they could just steal my identity instead :)

        • Replying to myself. Apparently Google discontinued the secret question method so honestly I have no idea what happens when you try to recover your account and I'm not in the mood to try it :)

      • But you're not considering security through obscurity. And while we all know that's a bad idea, there is still significant overhead when it comes to knowing enough about my personal details to break into my banking website. In no particular order:

        What bank do I use?
        What is my login to that bank?
        What phone number do I use?
        Do I have 2fa using text turned on?

        An attacker needs to know all of that in order to leverage this sort of attack. Even getting into my email requires the phone number when

    • IMO, currently the user definable Security Question/Answer is a better choice over SMS. This way you do NOT have a set of predefined questions to establish a pattern off of (e.g. Mother's maiden name, high school attended, street you grew up on, etc..), you know, anything that is public record based. Could your phone number also be considered "public record" considering most everyone asks for it as a point of contact on about EVERY document you have to sign on (which means they now have your signature as well)?

  • by Carewolf ( 581105 ) on Tuesday September 19, 2017 @09:11AM (#55224973) Homepage

    It is just an excuse to harvest your phone number.

    • It is just an excuse to harvest your phone number.

      For what purpose?

      Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting. Moreover, knowing peoples' phone numbers really isn't all that useful. I suppose there may be some rare situation in which it could be used to correlate information from various sources to create a more comprehensiv

      • It is just an excuse to harvest your phone number.

        For what purpose?

        To sell it to Rachel from Cardholder Services, I expect.

        Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting.
        Moreover, knowing peoples' phone numbers really isn't all that useful.

        All information about a consumer is useful information, if you have enough of it. You may not know yet when it will be useful, or what it will be useful for, but if you're a big info corporation harvesting info, you want to harvest all the info you can: it will be useful someday, and once people understand how giving that info to you was a bad bad idea, they will stop giving it to you-- so you want to get it now, before they realize it.

        • It is just an excuse to harvest your phone number.

          For what purpose?

          To sell it to Rachel from Cardholder Services, I expect.

          What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

          Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting. Moreover, knowing peoples' phone numbers really isn't all that useful.

          All information about a consumer is useful information, if you have enough of it. You may not know yet when it will be useful, or what it will be useful for, but if you're a big info corporation harvesting info, you want to harvest all the info you can: it will be useful someday, and once people understand how giving that info to you was a bad bad idea, they will stop giving it to you-- so you want to get it now, before they realize it.

          All information about a consumer is also a liability. Lots of organizations haven't figured this out yet, but I think pretty much all of them savvy enough to be implementing 2FA understand it.

          • It is just an excuse to harvest your phone number.

            For what purpose?

            To sell it to Rachel from Cardholder Services, I expect.

            What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

            I don't know where Rachel from Cardholder Services got my cell phone number, but she certainly got it from somewhere.

            Basically, what you posted in this thread can be summarized "oh, just trust them with the information, they won't misuse it. And anyway, I can't think of how I would misuse it, so obviously some corporation couldn't think of a way either."

            ...All information about a consumer is also a liability. Lots of organizations haven't figured this out yet,

            Right the first time: Lots of organizations haven't figured this out yet.

            but I think pretty much all of them savvy enough to be implementing 2FA understand it.

            The historical record does not back you up on this.

            https://www.comparitec [comparitech.com]

            • It is just an excuse to harvest your phone number.

              For what purpose?

              To sell it to Rachel from Cardholder Services, I expect.

              What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

              I don't know where Rachel from Cardholder Services got my cell phone number, but she certainly got it from somewhere.

              What makes you think it's from some 2FA? Seriously, what organizations do you give your number to for 2FA? Your bank. Your email provider (e.g. Google). Can you think of one that would not suffer more by being discovered to sell those numbers than they would gain?

              The historical record does not back you up on this.

              Red herring. Those links are about data breaches, not sales. The claim here is that organizations offering 2FA ask for your number specifically to misuse it.

              • Red herring.

                Your entire post is a red herring. You're basically saying "I don't think they'd do anything bad because we can trust giant corporations."

                You haven't put forth any reason to think that, you just do.

                I don't. The entire history of the web tells us that you can't trust corporations with personal information.

                And, I really don't care whether they gave my number to Rachel at Card Services (and everybody else in the world) because of a data breach or because they sold it. That's a distinction without any differenc

          • by ebyrob ( 165903 )

            All information about a consumer is also a liability.

            Tell that to Equifax... If what you say is even slightly true they should be out of business 10 times over.

            Dollars to donuts in 2 years it'll be business as usual.

            • All information about a consumer is also a liability.

              Tell that to Equifax.

              Well, in their case information about consumers is their entire business. Which means they should be crazy paranoid about security, because it literally is their entire reason for existence, to securely gather and disseminate -- but only when and where it's proper -- highly-personal information.

              Dollars to donuts in 2 years it'll be business as usual.

              Yeah...

              I'm generally pretty laissez-faire, but this is an area that I think we need regulation. There should be specific, and severe, penalties for data breaches. And even more severe penalties for hiding data brea

          • It is just an excuse to harvest your phone number.

            For what purpose?

            To sell it to Rachel from Cardholder Services, I expect.

            What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

            I was talking more about "free" services than corporate authentication. There are many of them that would like you to give them your phone number, it used to be for password recovery, but now they claim it is for extra security. Steam pesters me all the time, I tried installing the mobile app to see if that was enough, but no, they want my phone number, even though it is less secure than my email, I can only imagine it is for selling on.

  • by jellomizer ( 103300 ) on Tuesday September 19, 2017 @09:14AM (#55224987)

    There is always a way in. For Apple's Face ID they state there is a 1 in a million chance of breaking it. That means there are probably over 6,000 people in the world that could get into your phone with their face alone. And since close relatives and people with similar genetics often live close by, some of these 6,000 people may be rather close.
    Humans actually make worse assumptions when granting access to security. They can often be conned into thinking you are someone who you are not rather quickly. The most effective hacks are social hacks, where someone actively gives the bad guy access to their computers.
    Using text as part of the two factor authentication isn't as bad as most. Being that most security problems don't come from someone hacking into your account, but getting in the backdoor and getting your info that way. So the two factor with the text is probably good enough for rather secure methods to protect your account for sites where they wouldn't bother targeting just you. Just because if they stole a password table they wouldn't spend the time trying to hack the text response if they have a million more passwords to try.

  • People using SMS for security are hoping that it is difficult to impossible to potentially tie together the data, but of course it's not foolproof. Texts can be easily intercepted and put together if data from the other side can be acquired. It was made for convenience. Simple as that. Which is why we have other apps and methods of encrypting SMS or equivalent (WhatsApp for example, although in theory there are ways to attack that too but it is harder, can't remember details). Even GSM seems a bit weak to me an
  • "If transmissions were being monitored during battle, no uncoded messages were to be transmitted on an open channel."

    And yet even though they were aware enough to draft a regulation, their mobile communicators didn't come with a secure messaging system either.

  • by Anonymous Coward

    I happen to have a YubiKey from YubiCo but there are probably other vendors. The cheap version is just USB-A. The expensive version has NFC so you can use it with most modern smartphones to authenticate. It works with Google, which is probably what you care most about. Facebook also supports it, although it's not as important. I haven't used it in months; it only matters if you're on a "new" device and leaves you alone otherwise. Incidentally, Facebook will also encrypt your password-recovery requests with

  • Just don't give out your phone number. Google has no reason to know my phone number. I don't have to disable 'two factor authentication by text message' if they don't have my phone number.

  • For some applications one wants multiple ways to verify identity. Any one of those ways can be hacked, so does that mean multi-"channel"-verification should be done away with altogether, leaving one stuck with weak single-channel verification? What are the alternatives? Humans knocking on doors and taking finger-prints? Even ignoring the cost of personal visits, finger-prints can be hacked also with rubber facades and bribery. It sounds like the nothing-is-perfect-so-do-nothing argument. The fetal posi

  • For some reason my phone does not get the SMS with just a five digit number sender. A regular phone number works, but most of these SMS from credit card activity etc come from a five digit number. My phone does not get them.

    I changed the number to google voice number. I get the alert in email to my gmail account, and also a message to the phone. But not the default SMS application, but to some google+ messenger kind of thing. Frankly I thought they were dead. But they give me the alert.

    Does this also us

  • The video shows just the unlock process plus a (possibly fake) web page with SS7 printed in big letters. Looks much like a PR stunt. These guys of Positive Technologies might want to read at least Wikipedia about SS7. Even if it is an old protocol, it still has common things with the OSI 7 layers. You can compare SS7 as a sort of IP; the layers above like MAP are used in mobiles and there is no XML encoded for humans to read but XER/BER. In all networks I know there is no SS7 but all is SCTP. An attack of grabbing SMS
  • by bradley13 ( 1118935 ) on Tuesday September 19, 2017 @01:34PM (#55226485) Homepage

    The thing is: Using texts is a lot better than nothing.

    The other thing: Using texts is practical. I just had my phone die, with all sorts of authenticator apps on it: for Google, for my credit cards, for my bank, etc. To get those all replaced is an absolute PITA. Whereas anything using texts was automatically moved to my new phone, just by moving the SIM card.

    Security has to be practical, or people won't use it. Texts are very practical. Instead of encouraging people to do something else, why not improve texts? Just as an example, how about if texts were encrypted ("Signal" or some similar protocol)?
