There's No Such Thing As "SMS Security"
Hey Hey 2FA, How Many Frauds Did You Stop Today?
Dateline Toronto, 4th May 2023.
Twitter announced that it will only allow its users to secure their accounts with SMS-based two-factor authentication (2FA) if they pay for a Twitter Blue subscription. This surprised a number of people (eg, Davey Winder here in Forbes) for a number of reasons. First, and most obviously, because making people pay for security could backfire: many users will not pay, and there will therefore be more account takeovers. Secondly, and more surprisingly, because, as has been obvious for years, no-one should be using SMS for “security” in any circumstances: not banks, not fintechs, not payment companies, not governments, not anyone.
SMS was deprecated as an authentication method more than a decade ago. Here is what the US Department of Commerce’s National Institute of Standards and Technology (NIST) said about out-of-band (ie, 2FA) authentication in their Digital Authentication Guidelines back in July 2016: SMS is deprecated, and will no longer be allowed in future releases of this guidance. I remember that at the time I looked up “deprecated” to make sure I understood the nuance, since I assumed it meant something other than a general disapproval. According to my dictionary it means “(chiefly of a software feature) be usable but regarded as obsolete and best avoided, typically because it has been superseded: this feature is deprecated and will be removed in later versions”.
Anyone who uses the phrase “SMS security” clearly does not understand the subject.
Charles Brookson, then the head of the GSMA's security group, made this point 15 years ago. I was there. He gave a talk about the use of SMS for mobile banking and payment services and made the point that SMS has, to all intents and purposes, no security whatsoever. Yet as of today, the default 2FA option for all kinds of services remains SMS!
(This is why M-PESA, which became the most successful African fintech of all time, made the design decision to encrypt and sign all SMS messages using a SIM Toolkit application. This was a very gutsy decision at the time, because it meant they had to reissue all of the Safaricom SIM cards, but the choice paid off big time.)
Yet here we are, still using SMS for a purpose for which it was never designed and for which it is completely unsuitable.
With kind permission of Helen Holmes (CC-BY-ND 4.0)
I've written before that it seems to me to be borderline negligence for companies to use it for that purpose. Even “simple” notification services, let alone transactional services, can be a problem. If you get a text message when you use your credit card for a purchase you’ll undoubtedly get used to seeing these messages all the time. So when a message arrives, purporting to be from your bank (after all, it has their originating number, so it appears on your phone display as your bank) and asking you to call a number to check on a transaction, you’ll call and give your account number, mother’s maiden name and whatever else, thinking you are talking to your bank when you are actually talking to fraudsters. In other words, because people believe SMS to be secure, even though it isn’t, they will believe the identity of the caller, which is one of the reasons why authorised push payment (APP) fraud over Zelle in the USA and Faster Payments in the UK is so out of control.
Why is anyone still using SMS for 2FA? A couple of years ago, the well-known security researcher Brian Krebs said that we should stop treating mobile phone numbers as identifiers (for which they were never intended) and avoid selecting SMS or phone calls for 2FA or one-time codes. Yet SMS 2FA is at the heart of the “SIM swap” frauds that continue to plague both traditional financial services and cryptocurrencies.
In a SIM (Subscriber Identity Module) swap attack, fraudsters convince their target’s mobile operator to move the target's phone number from the SIM card inside the target’s handset to the SIM card inside the criminal’s handset. The criminal can then pose as the target and have service providers (eg, cryptocurrency wallets) send password reset links or authentication codes to the criminal’s handset. It is far too easy to do this. When Princeton University researchers made 50 total attempts to have employees at five different mobile service providers (ten attempts per provider) complete SIM swaps that shouldn't have been authorised they were successful in pulling off the scam 39 of those 50 times, and in many cases were only asked to provide the easiest authentication details.
(To give just one example, in December last year a chap from Florida was sentenced to 18 months in prison for his involvement in a SIM swap attack that allowed fraudsters to transfer roughly $24 million in cryptocurrency from cryptocurrency investor Michael Terpin.)
I can’t wait for the death of SMS 2FA. Hopefully it won’t be too long because as of today, Google has turned on passkeys for personal Google Accounts which means that Google will not ask for a password or 2FA when you sign in. Hurrah!
(Passkeys are the new standard for passwordless login, based on the FIDO Alliance’s standard, and follow Google, Microsoft and Apple’s decision to support them. Apple introduced Passkeys at WWDC last year and Google will support them on Android 14, which is expected to be released later this year.)
Passkeys are going mainstream. The password manager that I use, 1Password, is going all-in on “passkeys" starting this summer, as the company announced today that its users would soon have the option of using passwordless logins. I’m sure the same will be true for other offerings in the sector and there is a reasonable chance that, within a year or so, I will never have to remember a password for the overwhelming majority of online interactions in my life.
But back to Twitter. As it happens, I’d never bothered turning on 2FA for my Twitter account until I saw Mr. Musk’s announcement about charging for SMS 2FA, at which point I did wonder why it is that, as Rolling Stone’s headline on the subject said, "Twitter to Allow Only Blue Subscribers to Use Worst Form of Authentication”. So I went to my Twitter account right away and turned on 2FA using Google Authenticator. Now I feel better and so does my wallet.