Where Current SMS Authentication Fails, the Next Generation Succeeds
Mobile-originated SMS creates a four-factor authentication solution by sending a simple text message
- By Scott Goldman, Robert Foster
- Aug 01, 2014
Jane and Jake work for the
same company. This week
they’re on one of those
dreaded road trips—three
cities in four days—and
are, as we all are, completely
dependent on their tools of choice while on the move.
Smartphones, tablets, laptops, remote access, file sharing,
email and SMS have taken the place of maps, boarding passes,
manila folders, calculators, notepads, restaurant guides,
the daily newspaper, music players, micro recorders and
cameras. As a result, the risk of back injury from overloaded
briefcases, or worse, losing one, is a thing of the past.
If one of their tablets or smartphones gets lost, Jane, Jake or
the IT department can “brick” it remotely, rendering it useless in
a matter of minutes. Risk inherent in carrying this digital equivalent
of a Swiss Army Knife are different, though, and while they
both take great care to use complex passwords and some form
of identity management, their company’s choice of security has
left a gap in their access control large enough for a hacker to step
through without breaking a sweat.
The Back Story
Up until about a year ago, Jane and Jake were both issued security
devices in the form of “key fobs” that displayed an everchanging
series of numbers that they needed to hurriedly enter
into a web site or VPN login screen before they change—usually
every 30 seconds. These first-generation, two-factor authentication
(2FA) devices were effective and strong barriers to potential
hackers, but were costly, difficult for the home office to implement
and far too expensive for most companies that could benefit from
improving their security.
Last year, that changed. Their company embraced “soft” token
technology; the second generation of 2FA that uses SMS to
verify a user’s identity, thus helping Jane and Jake eliminate yet
one more device from their road trip inventory. When they attempted
to log into the company’s web site, they received a text
message with a numeric code in it and entered that code into a
field on a new page that appeared, before allowing them access
to the company’s internal site. Just like that, they had gone from
the easily lost or forgotten “fob” to using the same authentication
process used by Facebook, Google, major banks and other megaenterprises.
The “white hats” had won again…for the moment.
The company still incurred big expenses for the two-factor
authentication process, and the implementation remained complicated
and mysterious. It worked, however, and there were no
more fobs to account for or purchase. All in all, the second generation
of 2FA was good and effective.
Unfortunately, that warm feeling of security and protection
disappeared recently when SMS-based authentication was hacked.
Two hacks were used: malware downloaded to smartphones and
man-in-the-middle (MITM) attacks aimed at browsers.
SMS, by its nature, isn’t secure; it’s sent in clear text over
an open channel on a cellular carrier’s system. But, the larger
vulnerability comes in the way that it’s used for authentication.
SMS messages sent to cell phones, smart or otherwise, are fundamentally
not secure because someone monitoring messages
sent to those phones, like tabloids hacking celebrity’s phones,
can see those SMSs. Plus, MITM malware—key logging, diverters,
resending—can “see” the code you enter into the web page.
Using this method allows an intruder to gain access to the site
by diverting the message to another device. Once that happens,
if the malware also contains a key logger that’s capturing the
ID and password entry fields in the browser, your security just
became useless.
During their end-of-year security audit, Jane’s division determined
that the risk in these second-generation 2FA methods
would increase and sought a new solution. Jake’s division decided
to stick with the SMS-to-the-phone solution. Jane’s division decided
to explore the third generation of 2FA methods including
biometrics, pattern recognition (how keys are tapped or swiped
on the screen) and a newer version of SMS-based authentication
that turns the process upside-down. A code is displayed on
the web page after a user ID and password are correctly entered,
which then must be sent from the cell phone that is associated
with that ID before entry is allowed.
And Now, Back to the Road Trip
It’s been a successful road trip so far and the convenience of not
remembering, carrying, checking and using a key fob-type authenticator
is clear. Each of the road warriors are logging into the
company intranet and VPN to check inventory, compare wholesale
prices and enter their expenses. Jake has downloaded a cool
new game to pass the time during a flight delay and is giddy about
reaching the top level so quickly. Jane reads and catches up on
email during the delay but is cajoled by Jake to download the
same game.
At the next hotel, they both go to their respective rooms and
log into the company’s system. Jake uses the SMS-to-the-phone
method of authentication and Jane uses the SMS-from-thephone
to verify her identity. Both complete the login, but Jake
has a bit of trouble. After two or three attempts and repeated text
messages sent to his phone, eventually he gets logged in, takes
care of business and turns in for the night.
The Fatal Flaw
The next morning, both Jane and Jake’s phones start ringing very
early; emails are flying between everyone in the company; and
the CEO is screaming. The company’s server has been hacked.
The website has been splattered with graffiti; their internal pricing
documents have been stolen; and their personnel records have
been deleted. Recovery from backups will restore everything to
normal but that will take days.
The CEO is livid, demanding answers and ready to fire the
person who was careless enough to allow the intrusion. The IT
department is in a frenzy and in tracking back the access control
problem, traces it back to Jake. The game he downloaded
contained malware that intercepted his inbound authentication
text message, rerouted the message to a hacker in Eastern Europe,
who had also used the game to install MITM browser malware,
opening a back door to the server.
The IT department, looking at everyone’s remote logins from
the night before, sees Jane’s login, too. She downloaded the same
game, got the same malware on her phone and logged into the
same VPN, but no damage was done by the malware. She was
using the SMS-from-the-phone method that turns out to be impervious
to this type of attack. Her authentication occurred totally
outside of the browser rendering MITM attacks impossible.
Sending the text message into the authentication server would
only work from her phone because its unique device identifier
(UDID), a sort of fingerprint for that individual phone, avoided
giving the hacker access.
Mobile-Originated SMS Prevails
Jane’s phone was protected by the third-generation 2FA method
of mobile-originated SMS (MO-SMS). Unless she sent the code
that appeared on the screen of her laptop into the cloud-based security
system that connected securely with her company’s website,
she couldn’t be granted access. And even though the hacker may
have seen or even captured the code that she sent to the system,
it was a one-time-password (OTP) and thus was useless, even if
diverted to someone else.
Requiring the correct code to be sent from the correct phone’s
UDID—in this case, Jane’s phone—functionally adds two additional
factors of authentication, turning this 2FA into a 4FA
method with one simple change, sending the authentication code
from the phone (mobile-originated) instead of sending it to the
phone (mobile-terminated).
While both Jane and Jake downloaded the same game and
were attacked by the same malware, only Jake’s authentication
was affected. The MO-SMS method that Jane used changes
the game: Without the correct code being sent from the correct
phone within the allotted time, access to any website, VPN or
other access-controlled facility is denied.
This article originally appeared in the August 2014 issue of Security Today.