Why you should STOP using SMS for multi-factor authentication
SMS for multi-factor authentication (MFA) is an awesome and easy method to add one more layer of security. As cyber security awareness increases, people are securing their accounts with a variety of MFA methods, and generating a one-time password (OTP) via SMS is one of the most popular. But this method is not SECURE any more.
The National Institute of Standards and Technology (NIST), a government agency of the US, strongly recommends that you stop using OTPs delivered via SMS for MFA. This blog discusses why you should stop using SMS for MFA and what measures developers should take to reduce the likelihood of SMS-based OTPs being exploited.
Why should you stop using SMS for MFA?
Here we will discuss the threats of using SMS for MFA. Below are the scenarios in which an OTP sent via SMS can leak:
(1) Interception in the Air
SMS messages are not encrypted end to end; the message travels through the telecommunication network in cleartext. This attack seems difficult, but in practice it may be possible by exploiting known weaknesses in telecommunication networks (e.g. abuse of femtocells).
This type of issue is addressed by using the latest technologies in mobile communication.
(2) OTP delivered to voicemail
If you have missed the OTP sent via SMS, some app developers allow you to receive the OTP via a phone call instead. If you miss that call, the OTP is left in your voicemail. If an attacker is able to access the voicemail, they can use the OTP to access the user's account.
This issue may be mitigated by configuring OTP voice calls so that they are never delivered to voicemail.
(3) Installation of malicious app
If you have installed a malicious app on your mobile device, the app may forward your SMS messages to the attacker or to a backend database under their control.
This issue is addressed by raising awareness among users and advising them not to install untrusted apps.
(4) SIM SWAP Attacks
An attacker may get the victim's phone number swapped to a SIM they control, for example by compromising an employee of the telecom service provider. This gives the attacker access to the victim's SMS messages, including any SMS-delivered authentication factors.
This type of attack is very difficult for an application to address; the responsibility lies largely with the telecommunication company.
Now it is high time to use alternate methods of multi-factor authentication. The alternatives are hardware or software tokens and push notifications, in combination with PKI and local authentication on the device.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.