Update: This article on HotForSecurity was meant to raise awareness on the issues and challenges posed by SMS-based two-factor authentication and why users should consider replacing it with something else (app-based token generators, security keys or already-authenticated devices).
A missing paragraph on better alternatives to SMS 2FA had modified the original message in a way that made it seem we recommend that users disable SMS 2FA altogether. This was flagged by several community members on Twitter, and we have taken the necessary steps to address it.
Bitdefender highly encourages users to adopt two-factor authentication as an additional mechanism to prevent unauthorized logins. If no alternative is available, SMS-based 2FA is still a better option than none. We have strongly advocated the necessity of 2FA in the past and we developed several guides to help users set up two-factor logins for their accounts.
Most wireless carriers in the United States are vulnerable to SIM swapping attacks and lack proper procedures to fend off hackers and other bad actors, Princeton researchers have found.
SIM swapping became a popular attack method during the Bitcoin boom as hackers targeted Bitcoin wallets protected by SMS two-factor authentication (2FA). It took off and is now used in other scenarios as well, although other forms of multi-factor authentication (MFA) are slowly taking over, providing a more secure environment.
Even though SMS-based authentication is no longer considered safe, plenty of online services out there continue to offer it at least as an alternative for authentication, if not the primary method.
As the Princeton study shows, the major wireless carriers in the United States, including AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless, have weak security procedures that attackers can overcome with minimal effort.
“To quantify the downstream effects of these vulnerabilities, we reverse-engineered the authentication policies of over 140 websites that offer phone-based authentication. We rated the level of vulnerability of users of each website to a SIM swap attack,” state the researchers of the study.
The researchers also walked through the entire attack chain themselves, performing SIM swap attacks end to end, and found that accounts on 17 websites could be compromised using only the information obtained from the SIM swap itself.
In a SIM swap attack, the attacker impersonates the owner of a phone number and places a call to the carrier. The goal is to change the number from an existing SIM to a new one. The carrier has a few security procedures to make sure the caller is the owner of the SIM.
And this is where things go wrong, as the Princeton researchers pointed out. While there are several security questions and other hurdles, most can be bypassed with nothing more than data purchased from data aggregators. Wireless carriers usually stop once a single question is answered correctly. At the very least, they should require that all questions are answered correctly.
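To make the difference between the two carrier policies concrete, here is an added illustration (not code from the article or the Princeton study) that models a verification call as a set of challenges and computes the exact pass rate for an impersonator versus the genuine customer under each policy. The challenge names and per-challenge probabilities are constructed sample values, not measurements.

```python
from itertools import product
from typing import Callable, Dict, Sequence

Policy = Callable[[Sequence[bool]], bool]

# Constructed sample challenges (not drawn from the study): the probability that
# an impersonator holding data-aggregator records can answer each one, and the
# probability that the genuine customer answers it correctly over the phone.
CHALLENGES = {
    "billing_address": {"attacker": 0.90, "customer": 0.99},
    "date_of_birth":   {"attacker": 0.90, "customer": 0.99},
    "account_pin":     {"attacker": 0.05, "customer": 0.70},
}

def stop_at_first_correct(results: Sequence[bool]) -> bool:
    """Policy the article criticises: the caller passes once any answer is right."""
    return any(results)

def require_all_correct(results: Sequence[bool]) -> bool:
    """Policy the article asks for: every challenge must be answered correctly."""
    return all(results)

def pass_rate(policy: Policy, who: str, challenges=CHALLENGES) -> float:
    """Exact probability that `who` ("attacker" or "customer") passes `policy`.

    Enumerates every combination of right/wrong answers; answers are treated as
    independent, which is a simplification."""
    probs = [c[who] for c in challenges.values()]
    total = 0.0
    for outcome in product((False, True), repeat=len(probs)):
        weight = 1.0
        for p, correct in zip(probs, outcome):
            weight *= p if correct else 1.0 - p
        if policy(outcome):
            total += weight
    return total

def compare_policies(challenges=CHALLENGES) -> Dict[str, Dict[str, float]]:
    """Impersonator pass rate versus genuine-customer pass rate, both policies."""
    return {
        policy.__name__: {who: round(pass_rate(policy, who, challenges), 4)
                          for who in ("attacker", "customer")}
        for policy in (stop_at_first_correct, require_all_correct)
    }

if __name__ == "__main__":
    for name, rates in compare_policies().items():
        print(f"{name:22s} attacker={rates['attacker']:.4f} "
              f"customer={rates['customer']:.4f}")
```

With these sample values the first-correct policy lets the impersonator through about 99% of the time, while requiring every answer cuts that to about 4% at the cost of turning away roughly three in ten genuine callers, which is the trade-off a carrier has to manage with better recovery channels rather than by weakening the check.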
Just like in all situations involving bad actors, security is only as good as the weakest link in the attack chain. In this instance, there are several weak links along the way, starting with the mobile carriers that don’t perform their due diligence and ending with websites that still use SMS-based authentication despite its proven vulnerabilities.
People should use more secure multi-factor authentication solutions such as authenticator apps or security keys, whenever possible. It’s also a good idea to pay attention to SMS messages with security codes that are not generated at their request.
While SMS 2FA is broken as a security solution, it’s still better than not having anything at all as it can act as a deterrent if no other solution is available for that particular service.