Top Five (5) Risks from SMS-Based Multifactor Authentication

25 Jan., 2024


As veterans of Cybersecurity, CyberHoot vCISOs have seen the evolution of Multi-factor Authentication (MFA) techniques over the years. While SMS-based MFA has been widely used for its convenience and ease of implementation, it has several vulnerabilities that can be exploited by attackers. In this blog, we will discuss the risks associated with SMS-based MFA, including lack of encryption, network outages, SS7 attacks, social engineering, and SIM-Swapping. Additionally, we will recommend alternative MFA solutions that provide better security.

Risks Associated with SMS-based MFA:

SMS-based MFA is vulnerable to various types of attacks, making it less secure than other MFA methods. The lack of encryption on SMS messages, the risk of SS7 attacks, social engineering, and SIM-swapping are significant risks associated with SMS-based MFA.

Lack of Encryption:

SMS messages are not encrypted, and as a result, they can be intercepted and read by attackers. If the SMS message contains sensitive information, such as a six-digit authentication code, it can be used by attackers to gain access to the targeted account.

Network Outages

Mobile carrier networks are not immune to outages, and when a carrier network is down, SMS is unavailable. Such outages, while rare, can occur while the Internet remains up and functioning, preventing you from accessing your critical accounts in an emergency.

Signaling System 7 (SS7) Attack:

SS7 stands for Signaling System 7, a protocol first deployed in 1988 and last updated in 1993 (30 years ago). It is used by telecommunication companies to exchange information between mobile carrier networks. Hackers can exploit vulnerabilities in SS7 to intercept and redirect SMS messages meant for the intended recipient. This is known as an SS7 attack. It allows attackers to intercept the MFA process and obtain the targeted account's second-factor credentials. Combined with a reused password, this lets hackers gain access to critical accounts protected by this form of MFA.

Social Engineering:

Social engineering is a tactic used by attackers to trick individuals into divulging confidential information. In the case of SMS-based MFA, attackers can contact the victim’s mobile service provider and impersonate the victim to obtain the SIM card associated with the victim’s phone number. With the SIM card, the attacker can receive SMS messages intended for the victim, bypassing the MFA process and gaining access to the targeted account. Another form of SIM card attack, SIM-Swapping, is examined next.

SIM-Swapping:

SIM-Swapping is a technique used by attackers to take control of a victim’s phone number. Attackers can impersonate the victim to convince the mobile service provider to transfer the victim’s phone number to a SIM card in their possession. With control of the victim’s phone number, the attacker gains access to the 2nd factor, an SMS code, and gains access to the targeted account with the exposed, reused, or cracked account password.

These represent the top five risks to SMS-based multi-factor authentication. Let’s turn our attention to the best practices to follow if you must use SMS MFA, even though CyberHoot no longer recommends it. We’ll then present alternative MFA methods that are much safer than SMS-based MFA.
