SMS Text Hacks and How to Defend Against Them
A standard cybersecurity best practice is to use multifactor authentication (MFA) when securely accessing bank accounts, other sites or resources that require security. Essentially MFA is means for using more than one method for authentication. It is a way to ensure the integrity of the on-line transaction, ensuring the user is the actual approved user. For some time, the Short Message Service (SMS) or the six digit code to a phone has been a primary means of authentication. However, as time and technology march on the SMS means of secure authentication has become increasingly less secure. Nonetheless, breaking the secure SMS framework, even by todays standard is not a trivial matter, and it is one that requires a focused and dedicated advisory.
The advantage of SMS authentication is its ease of use and universal application; it is the world-wide standard for most on-line banking applications. However, in its development in the early 1990s, SMS was never intended as a means for secure authentication or communication. The framework was originally developed as a way for technicians to trouble-shoot and communicate with one another. It was never designed for end-to-end encryption, there was no consideration for securing the sender ID, it was, after all, developed as a maintenance tool.
One of the issues with SMS authentication is the risk in its use. The most common risk is SIM swapping, a term used for a hack in which no sim goes anywhere. The success of this hack is completely dependent on the lax security processes of the cell phone carrier. First it is important to understand that cell phones operate with four networks, the most common are cellular and WiFi networks, the other two are Bluetooth and near field communication (NFC). The cellular network is governed by cell phone carriers it is universal and is used for SMS and voice communications, to include authentication and WiFi as a sperate channel. The WiFi network is an element of the cellular carrier network and your local broadband network, from your home or business network. To conduct a SIM swap the attacker must steal the victim’s identity, that is get enough personal information that convinces the carrier to transfer the victim’s phone number to a SIM card they control. Your phone keeps its original SIM. However, it is disabled by the carrier, and all voice and SMS communications, are switched to the SIM the criminal controls. The criminal then monitors the SIM with your phone number and waits for an authentication transaction. Once a transaction occurs they intercept the authentication and conduct a transaction, one of many bad things once someone has stolen your SIM. The best way to avoid this hack is to ensure your phone’s voice is working, however for most people a cell phone is used for everything but a phone call.
Other cell phone hacks include smishing attacks. In this instance, attackers will send fraudulent messages disguised as alerts from banks, delivery services, or government agencies like the IRS, or FBI. These texts call for immediate action to avoid some kind of disaster, avoid prison, or help a relative or child. The links that lead the victims to credential-harvesting websites that prompt them to download malware, or to enter personal information that will be used to steal their identity. Because SMS lacks authentication mechanisms, recipients will struggle to verify the legitimacy of these messages. A warning or indication that this is a hack is the emergency, or the immediate call to action. If this is a crisis and the requirement is to do something, now from a SMS message, you need a second opinion.
Another vulnerability is the Signaling System No. 7 (SS7) protocol, which provides global telecom networks to communicate across domains. This protocol has known vulnerabilities which can allow attackers with access to SS7 networks to intercept SMS messages, track users, or reroute communications. This requires the attacker to get into and the SS7 protocol and harvest the streams of data. This is a vulnerability that has been reduced through increases in access and security controls, and monitoring, but it has not been eliminated.
Finally, it is the user and their downloads of malware. In the clutter of free or very inexpensive applications often disguised as legitimate utilities or entertainment software, it is easy to download apps that often come with malware. Once installed the malware will read or forward text messages, they can capture one-time passcodes (OTPs) and other sensitive information delivered by SMS. Which is why you need to ensure that the cell phone software is current, and you run system checks on your phone.
Due to the risks associated with SMS authentication there are recommended non-SMS options (Google Authenticator, Authy, Microsoft Authenticator, etc.), there are physical security keys (YubiKey, Titan, etc.), and secure app push notifications. Despite the risks and being not the best option for MFA, SMS authentication is better than no MFA. All options have risks associated with them, and all of these options will be compromised at some point in time. What is most important is user awareness, that includes the understanding that no business or government is going to threaten you. It is knowing that if your cell (voice calling) stops working and the WiFi continues work there is a problem or risk with the SMS communications. As with most things related to system security it is the user that is primay in