Keeping Text Message Multi-Factor Authentication Secure

December 20, 2016


One of the largest challenges organizations face when implementing multi-factor authentication is user adoption. Balancing user experience against security has always been difficult and seems to get harder every day for security organizations around the globe. Lately the method taking the hardest hit has been SMS (text message) delivery of one-time passcodes.

Getting users to switch to a more secure second factor, such as a mobile app, a physical token, or biometrics, is not always practical. With the continued rise of attacks targeting two-factor authentication, SMS has received the lion's share of media attention. Between SIM card fraud, Signaling System 7 (SS7)[1] network intercepts, and the caution against SMS as an authenticator in NIST's August 2016 draft Digital Authentication Guideline (SP 800-63B)[2], there is no question that you need to evaluate the security of using SMS as an authenticator.

Enter: SecureAuth Phone Number Fraud Protection.

To continue providing the ideal balance between user experience and security, SecureAuth has recently added phone number fraud protection, which lets organizations keep using text messages or voice calls for multi-factor authentication. To understand why this matters to any security strategy, let's look closer at the most prevalent SMS attack, "SIM card swap fraud".

It should no longer surprise anyone that social media "over-sharing" is at an all-time high. This presents a real threat to an organization's risk profile and is difficult to audit and remediate[3]. Social media risk is usually framed in terms of public image and operational effectiveness, as Tommie W. Singleton does in the referenced article, but a very real risk is the personal information exposed there that bad actors can use to impersonate an employee or customer. That information is what makes SIM card swap fraud possible.

Commonly, it is not a hacker stealing the SIM card out of your phone when you aren't looking (though physical theft is a real threat) or cloning the card with some device; it is simple social engineering. Once the bad actor has enough information about their target, they contact the phone carrier, impersonate the victim, and have the number moved to a new SIM or device. From that point on, every text and phone call, including OTP challenges, goes to the attacker's device. Typically the attacker ports the number out to a virtual (VoIP) number, but there have been cases where the number is moved to a "burner" or pre-paid phone.

The prevalence of SIM card swap fraud and phone number porting abuse is part of what led to NIST's recent caution around using text messages (SMS) for authentication. However, there is some misconception about what the guidance actually states. For clarity:

“If the out-of-band verification is to be made using the public switched telephone network (PSTN), the verifier SHALL verify that the pre-registered telephone number being used is not associated with a VoIP (or other software-based) service. It then sends the SMS or voice message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change.” August 2016 NIST Digital Authentication Guideline

The crux of the recommendation is virtualized soft-phone (VoIP) numbers and the protection of pre-registered phone numbers: verify that the number is not VoIP before sending the challenge, and require two-factor authentication before the registered number can be changed. SecureAuth already delivers challenges only to pre-registered phone numbers, and the phone number fraud protection capability extends this guidance to help keep text message MFA challenges secure. Specifically, it adds these features:

Block Recently Ported Numbers: Numbers that have recently been transferred to a new SIM or carrier are blocked from receiving challenges. Users can re-enable their number after they complete authentication using a different challenge method.

Block By Phone Class: You can choose which type of phone number may be used. For example, physical mobile phones may be allowed while virtual (VoIP) numbers are blocked.

Block By Carrier: You can choose which of the roughly 180 worldwide carriers can receive phone or SMS challenges. For example, if all of your customers are based in North America, you can restrict delivery to carriers in that region.

Multi-Factor Abuse Throttling: Limit the number of MFA challenges that can be sent to a user across all channels, so an attacker cannot keep requesting fresh codes in order to brute-force an OTP.
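The following is an added example, not SecureAuth's code or a description of the product's implementation. It wires the four checks above, plus the NIST rule that a registered number may only be changed or re-enabled after two-factor authentication, into a single OTP delivery gate. The number metadata lookup (line type, carrier, country, last port date) is a hypothetical dependency modelled as a dictionary of constructed entries; the policy values (7-day port cooldown, 5 challenges per 15 minutes, a US/CA allow-list standing in for "North America") are illustrative assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class LineType(Enum):
    MOBILE = "mobile"      # physical handset on a mobile network
    LANDLINE = "landline"
    VOIP = "voip"          # software-based number: NIST says do not deliver OTPs here


@dataclass(frozen=True)
class NumberInfo:
    """What a number-intelligence lookup would return. The lookup is a hypothetical
    dependency here; every value in LOOKUP below is constructed test data."""
    line_type: LineType
    carrier: str
    country: str                         # ISO 3166-1 alpha-2
    last_ported: Optional[datetime]      # None if the number has never been ported


@dataclass
class Policy:
    allowed_line_types: Set[LineType] = field(default_factory=lambda: {LineType.MOBILE})
    allowed_countries: Set[str] = field(default_factory=lambda: {"US", "CA"})  # assumed region
    blocked_carriers: Set[str] = field(default_factory=set)
    port_cooldown: timedelta = timedelta(days=7)    # assumed: how long a ported number stays blocked
    max_challenges: int = 5                          # assumed: per user, SMS and voice combined
    window: timedelta = timedelta(minutes=15)


class OtpGate:
    """Decides whether an SMS/voice OTP may be sent to a pre-registered number."""

    def __init__(self, policy: Policy, lookup: Dict[str, NumberInfo]) -> None:
        self.policy = policy
        self.lookup = lookup
        self._sent: Dict[str, List[datetime]] = {}   # user -> challenge timestamps (all channels)
        self._port_cleared: Set[str] = set()         # numbers re-enabled after a non-phone factor

    def check_number(self, number: str, now: datetime) -> Optional[str]:
        """Return a block reason, or None if delivery to this number is allowed."""
        info = self.lookup.get(number)
        if info is None:
            return "lookup_failed"       # fail closed: missing metadata is not a pass
        if info.line_type not in self.policy.allowed_line_types:
            return "blocked_line_type"   # e.g. VoIP / soft-phone numbers
        if info.country not in self.policy.allowed_countries:
            return "blocked_region"
        if info.carrier in self.policy.blocked_carriers:
            return "blocked_carrier"
        recently_ported = (info.last_ported is not None
                           and now - info.last_ported < self.policy.port_cooldown)
        if recently_ported and number not in self._port_cleared:
            return "recently_ported"
        return None

    def clear_port_block(self, number: str, verified_with_other_factor: bool) -> bool:
        """Re-enable a recently ported number only after the user authenticated with a
        non-phone factor (no change to the registered number without 2FA at that time)."""
        if not verified_with_other_factor:
            return False
        self._port_cleared.add(number)
        return True

    def request_challenge(self, user_id: str, number: str, channel: str, now: datetime) -> str:
        """Gate one OTP delivery over `channel`; return "sent" or the refusal reason."""
        reason = self.check_number(number, now)
        if reason is not None:
            return reason
        # Throttle per user across every channel, so alternating SMS and voice
        # does not buy an attacker more fresh codes.
        recent = [t for t in self._sent.get(user_id, []) if now - t < self.policy.window]
        if len(recent) >= self.policy.max_challenges:
            return "throttled"
        recent.append(now)
        self._sent[user_id] = recent
        return "sent"   # the actual SMS/voice delivery would happen here


NOW = datetime(2016, 12, 20, tzinfo=timezone.utc)

# Constructed lookup results (555-01xx numbers are fictional; no real carrier data).
LOOKUP: Dict[str, NumberInfo] = {
    "+15550100001": NumberInfo(LineType.MOBILE, "Carrier A", "US", None),
    "+15550100002": NumberInfo(LineType.VOIP, "SoftPhone Inc", "US", None),
    "+15550100003": NumberInfo(LineType.MOBILE, "Carrier B", "US", NOW - timedelta(days=2)),
    "+445550100004": NumberInfo(LineType.MOBILE, "Carrier C", "GB", None),
}


def run_demo() -> Dict[str, str]:
    """Exercise each check once and return the gate's decisions."""
    gate = OtpGate(Policy(), LOOKUP)
    out = {
        "mobile": gate.request_challenge("alice", "+15550100001", "sms", NOW),
        "voip": gate.request_challenge("bob", "+15550100002", "sms", NOW),
        "ported": gate.request_challenge("carol", "+15550100003", "voice", NOW),
        "abroad": gate.request_challenge("dave", "+445550100004", "sms", NOW),
        "unknown": gate.request_challenge("erin", "+15550100099", "sms", NOW),
    }
    # Carol completes a different challenge method, then her number is usable again.
    gate.clear_port_block("+15550100003", verified_with_other_factor=True)
    out["ported_after_clear"] = gate.request_challenge("carol", "+15550100003", "sms", NOW)
    # Alice already has one challenge; four more are allowed (mixing channels), the sixth is throttled.
    for i in range(4):
        gate.request_challenge("alice", "+15550100001", "voice" if i % 2 else "sms",
                               NOW + timedelta(seconds=i + 1))
    out["sixth"] = gate.request_challenge("alice", "+15550100001", "sms", NOW + timedelta(seconds=10))
    return out


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:>18}: {decision}")
```

Two design points worth noting. The gate fails closed when the metadata lookup returns nothing, because an unknown number is exactly what a freshly ported VoIP number looks like to a cache. And throttling how many challenges are issued is only half of the brute-force defence: the verifier must also cap the number of wrong guesses accepted against any single code, since a six-digit OTP that can be guessed without limit falls in at most a million attempts.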

These features are designed to block the most common ways that phone number fraud attacks are carried out. Phone fraud protection is just one of the many ways SecureAuth helps you determine identities with confidence. At SecureAuth we are committed to preventing the misuse of valid credentials and providing a multi-layered protective shield around your organizational resources. The more layers of risk checks you apply, the smaller the chance that an attacker gets through.

Request a demo and see how SecureAuth prevents the misuse of stolen credentials.

[1] https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

[2] https://pages.nist.gov/800-63-3/sp800-63b.html

[3] https://www.isaca.org/Journal/archives/2012/Volume-5/Pages/What-Every-IT-Auditor-Should-Know-About-Auditing-Social-Media.aspx
