SMS for 2FA security – who are they kidding?

SMS 2FA
Image by Artur Charkin | Bigstockphoto

Twitter announced that it will only allow its users to secure their accounts with SMS-based two-factor authentication (2FA) if they pay for a Twitter Blue subscription. This surprised a number of people (e.g. Davey Winder here in Forbes) for a number of reasons. First, and most obviously, because making people pay for security could backfire because many users will not pay. Oh, and (there will therefore be more account takeovers) but secondly, and more surprisingly, because as has been obvious for years, no one should be using SMS for “security” in any circumstances. Not banks, not fintechs, not payment companies, not governments, not anyone.

SMS was deprecated as an authentication more than a decade ago

SMS was deprecated as an authentication more than a decade ago. Here is what the US Department of Commerce’s National Institute of Standards and Technology (NIST) said about out-of-band (i.e. 2FA) authentication in their Digital Authentication Guidelines back in July 2016 – SMS is deprecated and will no longer be allowed in future releases of this guidance. I remember that at the time, I looked up “deprecated” to make sure I understood the nuance since I assumed it meant something other than general disapproval. According to my dictionary, it means “(chiefly of a software feature) be usable but regarded as obsolete and best avoided, typically because it has been superseded: this feature is deprecated and will be removed in later versions”.)

Anyone who uses the phrase “SMS security” clearly does not understand the subject

Charles Brookson, then the head of the GSMA’s security group, made this point 15 years ago. I was there. He gave a talk about the use of SMS for mobile banking and payment services and made the point that SMS has, to all intents and purposes, no security whatsoever. Yet, as of today, the default 2FA option for all kinds of services remains SMS! 

(This is why M-PESA, which became the most successful African fintech of all time, made the design decision to encrypt and sign all SMS messages using a SIM Toolkit application. This was a very gutsy decision at the time because it meant they had to reissue all of the Safaricom SIM cards, but the choice paid off big time.) 

We are still using SMS for a purpose for which it was never designed

Yet here we are still using SMS for a purpose for which it was never designed, and it is completely unsuitable.

It seems to me to be borderline negligence for companies to use it for that purpose. Even “simple” notification services, let alone transactional services, can be a problem. If you get a text message when you use your credit card for a purchase, you’ll undoubtedly get used to seeing these messages all the time. So when a message arrives purporting to be from your bank (after all, it has their originating number, so it appears on your phone display as your bank) and asking you to call a number to check on a transaction, you’ll call and give your account number, mother’s maiden name and whatever else.

You think you are talking to your bank when you are actually talking to fraudsters. In other words, because people believe SMS to be secure, even though it isn’t, they will believe the identity of the caller, which is one of the reasons why authorised push payment (APP) fraud over Zelle in the USA and Faster Payments in the UK is so out of control.

Why is anyone still using SMS for 2FA?

Why is anyone still using SMS for 2FA? A couple of years ago, the well-known security researcher Brian Krebs said that we should stop treating mobile phone numbers as identifiers (for which they were never intended) and avoid selecting SMS or phone calls for 2FA or one-time codes. Yet SMS 2FA is at the heart of the “SIM swap” frauds that continue to plague both traditional financial services and cryptocurrencies.

In a SIM (Subscriber Identity Module) swap attack, fraudsters convince their target’s mobile operator to move the target’s phone number from the SIM card inside the target’s handset to the SIM card inside the criminal’s handset. The criminal can then pose as the target and have service providers (e.g. cryptocurrency wallets) send password reset links or authentication codes to the criminal’s handset. It is far too easy to do this.

When Princeton University researchers made 50 total attempts to have employees at five different mobile service providers (ten attempts per provider) complete SIM swaps that shouldn’t have been authorised, they were successful in pulling off the scam 39 of those 50 times and, in many cases, were only asked to provide the easiest authentication details.

One example

To give just one example, in December last year, a chap from Florida was sentenced to 18 months in prison for his involvement in a SIM swap attack that allowed fraudsters to transfer roughly $24 million in cryptocurrency from cryptocurrency investor Michael Terpin.

I can’t wait for the death of SMS 2FA. Hopefully, it won’t be too long because, as of today, Google has turned on passkeys for personal Google Accounts, which means that Google will not ask for a password or 2FA when you sign in. Hurrah!

(Passkeys is the new standard for passwordless login, using the FIDO Alliance’s standard, and follows Google, Microsoft and Apple’s decision to support passkeys. Apple introduced Passkeys at WWDC last year and Google will support them on Android 14, which is expected to be released later this year.)

Passkeys are going mainstream

Passkeys are going mainstream. The password manager that I use, 1Password, is going all-in on “passkeys” starting this summer, as the company announced today that its users would soon have the option of using passwordless logins. I’m sure the same will be true for other offerings in the sector and there is a reasonable chance that, within a year or so, I will never have to remember a password for the overwhelming majority of online interactions in my life.

But back to Twitter. As it happens, I’d never bothered turning on 2FA for my Twitter account until I saw Mr Musk’s announcement about charging for SMS 2FA, at which point I did wonder why it is that, as Rolling Stone’s headline on the subject said, “Twitter to Allow Only Blue Subscribers to Use Worst Form of Authentication”. So I went to my Twitter account right away and turned on 2FA using Google Authenticator. Now I feel better, and so does my wallet.

Related article: Telstra exchange fire inadvertently proves that SMS is a terrible security token

Be the first to comment

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.