Recently, vulnerabilities in SMS-based multi-factor authentication (MFA) have been highlighted in the news. While stories like these describe individual incidents that show what is possible, a recent study on SIM swaps sheds light on how easily an adversary can take over your phone number. Using no prior knowledge of the user beyond the user's name and phone number, the researchers in this study swapped the SIM every time without fail at the major carriers T-Mobile, Verizon, and AT&T. They also tested smaller carriers such as Tracfone and US Mobile, where some attempts failed. In some instances, they found that customer representatives gave hints about the answers to authorization questions.
The researchers used previously dialed numbers as the primary way to falsely authenticate to the carriers, an authentication method most users aren't even aware of. This worked on all three of the primary carriers tested: T-Mobile, Verizon, and AT&T. Verizon and AT&T also accepted the previous payment date. Anyone can add minutes to a phone without authorization, so an adversary could add minutes to the target phone and then use that billing date to falsely authenticate a SIM swap. Carriers also used many other authentication types that security professionals don't consider safe.
Sorting through a list of websites supporting some form of MFA, the researchers found 156 websites that allowed SMS as an authentication method. Some websites even use one-step SMS authentication, meaning that if you can read the user's SMS messages, you have access to their account without needing a password.
The research paper concludes that the use of SMS for authentication should be discouraged: websites should not use SMS for authentication, and users should avoid it whenever possible. We fully agree. Alternative MFA methods exist, such as Authpoint's mobile push-based method. It secures the connection so that no one can listen in, and moving to a new phone requires administrative intervention, ensuring that only authorized users have access. As long as the administrator in charge of the MFA app follows best practices, this eliminates almost all of the vulnerabilities found in using SMS for MFA.
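The difference between the two approaches comes down to what the second factor is bound to. The following is an added illustration, not Authpoint's code or anything from the research paper: a small Python model in which SMS delivery follows whatever SIM the carrier currently maps a phone number to, while a push-style factor is bound to a per-device secret and a new device cannot answer challenges until an administrator who has verified the user's identity approves the migration. The registry, device names, and the carrier table are all constructed for the example.

```python
"""Hypothetical model contrasting number-bound SMS MFA with device-bound push MFA.

Added example; it is not Authpoint's implementation and does not model any
particular carrier. All users, device ids and phone numbers are constructed.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    key: bytes  # secret provisioned at enrollment; in practice it never leaves the device


@dataclass
class PushRegistry:
    """Push factor bound to a device secret, with admin-gated device migration."""
    devices: dict = field(default_factory=dict)   # user -> active Device
    pending: dict = field(default_factory=dict)   # user -> Device awaiting admin approval

    def enroll(self, user: str, device: Device) -> None:
        # Initial enrollment is assumed to happen through an admin-controlled process.
        self.devices[user] = device

    def request_migration(self, user: str, new_device: Device) -> None:
        # A request from a new device is recorded but never activates itself.
        self.pending[user] = new_device

    def admin_approve(self, user: str, device_id: str, identity_verified: bool) -> bool:
        """Admin confirms the user's identity out of band before the swap takes effect."""
        if not identity_verified:
            return False
        new = self.pending.get(user)
        if new is None or new.device_id != device_id:
            return False
        self.devices[user] = new
        del self.pending[user]
        return True

    def challenge(self, user: str) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, user: str, device_id: str, nonce: bytes, response: bytes) -> bool:
        dev = self.devices.get(user)
        if dev is None or dev.device_id != device_id:
            return False  # only the currently bound device can answer
        expected = hmac.new(dev.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(device: Device, nonce: bytes) -> bytes:
    """What the enrolled app computes for a push challenge."""
    return hmac.new(device.key, nonce, hashlib.sha256).digest()


def sms_delivery(carrier_sim_table: dict, number: str) -> str:
    """SMS MFA delivers the code to whichever SIM the carrier currently maps the number to."""
    return carrier_sim_table[number]


def sms_scenario() -> tuple:
    """Before and after the carrier re-maps the number: the site cannot tell the difference."""
    carrier = {"+15550100": "sim-alice"}           # constructed carrier table
    before = sms_delivery(carrier, "+15550100")
    carrier["+15550100"] = "sim-other"             # number re-mapped at the carrier
    after = sms_delivery(carrier, "+15550100")
    return before, after


def push_scenario() -> dict:
    """Walk through enrollment, an unapproved device, and an admin-approved migration."""
    reg = PushRegistry()
    phone_a = Device("phone-A", os.urandom(32))
    reg.enroll("alice", phone_a)
    out = {}

    nonce = reg.challenge("alice")
    out["enrolled_device"] = reg.verify("alice", "phone-A", nonce, device_respond(phone_a, nonce))

    # A second device asks to become alice's phone; nothing has been approved yet.
    phone_b = Device("phone-B", os.urandom(32))
    reg.request_migration("alice", phone_b)
    nonce = reg.challenge("alice")
    out["unapproved_device"] = reg.verify("alice", "phone-B", nonce, device_respond(phone_b, nonce))

    # Approval without an identity check is refused; with one, the swap takes effect.
    out["approve_without_identity_check"] = reg.admin_approve("alice", "phone-B", identity_verified=False)
    out["approve_with_identity_check"] = reg.admin_approve("alice", "phone-B", identity_verified=True)

    nonce = reg.challenge("alice")
    out["new_device_after_approval"] = reg.verify("alice", "phone-B", nonce, device_respond(phone_b, nonce))
    out["old_device_after_approval"] = reg.verify("alice", "phone-A", nonce, device_respond(phone_a, nonce))
    return out


if __name__ == "__main__":
    print(sms_scenario())
    print(push_scenario())
```

The point of the model is the binding: in the SMS case the only thing the site knows is a phone number, and control of that number is decided by the carrier's support process, which is exactly what the study exercised. In the push case the challenge can only be answered by a device holding the enrolled secret, and the one path to a new device runs through an administrator's identity check, so the carrier is no longer part of the trust chain.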