Last week, along with the rest of the industry, I learned that Reddit had been breached. While it would seem on the surface that the data stolen was not too severe, I was drawn to the parts of coverage that mentioned the use SMS as a second factor for authentication what was attackers used as the target of the breach. This apparent interception of SMS brings us back to an ongoing - yet timely - discussion that needs to happen again within the industry.
NIST tried to resolve this discussion with the update of their 800-63B Digital Identity Guidelines – Authentication and Lifecycle Guidance a year ago. In the guidelines, they describe the authenticator threats in the use of SMS by an attacker. There are also known published data around how to intercept SMS including:
- SIM Swap (or phone number porting fraud as its more formally known) -- an attacker, through some means, convinces a technician or customer service rep that a number must be ported to a new device/carrier or because a SIM card has been damaged and replaced.
- IMSI catchers - a tactical and undetectable system for monitoring transmissions on 2G, 3G and 4G mobile networks. The system enables secret, full-duplex interception of both SMS text messages and voice connections - incoming and outgoing
- SS7 hacks – an attack that uses a development kit to bypass encryption enabling attackers to forward calls, read SMS texts, and track locations.
Given the amount of publicity, one would think that the use of SMS as a second factor is completely useless and insecure (that is for another debate). What we do know is that SMS is still the most widely used form of two-factor authentication due to the relative ease of adoption and comparatively frictionless registration process for consumers.
There are several worthy alternatives to SMS that are worth considering, including:
- Hardware tokens – requires physical possession and ownership of a device
- Symbol-to-accept – requires the use of a smart phone with an authenticator that knows the symbol unique to an authentication request
- Application based push-to-accept – requires downloading an application, registering the device and then accepting the authentication request
But for the purpose of this post, it is important to understand that SMS is the most widely-used form of two-factor authentication that is employed by organizations.
How does one balance the need for an additional factor of authentication with what seems to be a relative acceptance of SMS’s insecurities? It’s simple, you also must deploy another layer of protection – without any change or hindrance to an end users existing user experience. This must-have additional layer of protection is known as phone fraud prevention. On the surface, it is a straightforward task: Whichever MFA solution provider is deployed, you must ensure that requirements stipulate the usage of phone fraud prevention as method of risk analysis during the authentication process.
Phone number fraud prevention
What is phone number fraud prevention? Simply put, it is the ability to restrict the usage of a phone number for authentication (or in this case using SMS for two-factor authentication) based on what can be learned about that number at the time of use. Factors that are assessed include:
- Carrier type – is the carrier known, reputable and viable for this geography
- Phone number type – is this a land line, VOIP, or mobile phone number
- Current ported status – has there been a recent carrier change
Any one or more of these triggers could cause the user’s phone number to lose its viability to be a mechanism for authentication, especially SMS-based two-factor authentication.
Having phone number fraud prevention as a critical requirement in your adaptive authentication strategy that will allow you to have the freedom to use SMS for secure two-factor authentication while enabling you to provide a frictionless experience for end users.
It is also worth noting that as of June 18, 2018 in the most recent Gartner Access Management Quadrant it was reported that SecureAuth + Core Security has the broadest set of adaptive access features, including phone number fraud prevention. We are the only vendor in the report that provides functionality to protect against the fraudulent transfer of phone numbers to new devices and carriers. This functionality can inhibit the abilities of attackers to assume the device's identity, and to intercept authentication challenges rerouted from legitimate users to the attacker, thereby increasing the security of your authentication process without adding friction to the user experience.
For more information, download our Best Practices Guide to Strong Identity Access Control.