Where Current SMS Authentication Fails, the Next Generation Succeeds

Mobile-originated SMS creates a four-factor authentication solution by sending a simple text message

Jane and Jake work for the same company. This week they’re on one of those dreaded road trips—three cities in four days—and are, as we all are, completely dependent on their tools of choice while on the move. Smartphones, tablets, laptops, remote access, file sharing, email and SMS have taken the place of maps, boarding passes, manila folders, calculators, notepads, restaurant guides, the daily newspaper, music players, micro recorders and cameras. As a result, the risk of back injury from overloaded briefcases, or worse, losing one, is a thing of the past.

If one of their tablets or smartphones gets lost, Jane, Jake or the IT department can “brick” it remotely, rendering it useless in a matter of minutes. The risks inherent in carrying this digital equivalent of a Swiss Army Knife are different, though, and while they both take great care to use complex passwords and some form of identity management, their company’s choice of security has left a gap in their access control large enough for a hacker to step through without breaking a sweat.

The Back Story

Up until about a year ago, Jane and Jake were both issued security devices in the form of “key fobs” that displayed an ever-changing series of numbers that they needed to hurriedly enter into a web site or VPN login screen before they changed—usually every 30 seconds. These first-generation, two-factor authentication (2FA) devices were effective and strong barriers to potential hackers, but were costly, difficult for the home office to implement and far too expensive for most companies that could benefit from improving their security.

Last year, that changed. Their company embraced “soft” token technology, the second generation of 2FA that uses SMS to verify a user’s identity, thus helping Jane and Jake eliminate yet one more device from their road trip inventory. When they attempted to log into the company’s web site, they received a text message with a numeric code in it and entered that code into a field on a new page that appeared before they were allowed access to the company’s internal site. Just like that, they had gone from the easily lost or forgotten “fob” to using the same authentication process used by Facebook, Google, major banks and other mega-enterprises. The “white hats” had won again…for the moment.

The company still incurred big expenses for the two-factor authentication process, and the implementation remained complicated and mysterious. It worked, however, and there were no more fobs to account for or purchase. All in all, the second generation of 2FA was good and effective.

Unfortunately, that warm feeling of security and protection disappeared recently when SMS-based authentication was hacked. Two hacks were used: malware downloaded to smartphones and man-in-the-middle (MITM) attacks aimed at browsers.

SMS, by its nature, isn’t secure; it’s sent in clear text over an open channel on a cellular carrier’s system. But the larger vulnerability comes in the way that it’s used for authentication. SMS messages sent to cell phones, smart or otherwise, are fundamentally not secure because someone monitoring messages sent to those phones, like tabloids hacking celebrities’ phones, can see those SMSs. Plus, MITM malware—key logging, diverters, resending—can “see” the code you enter into the web page. Using this method allows an intruder to gain access to the site by diverting the message to another device. Once that happens, if the malware also contains a key logger that’s capturing the ID and password entry fields in the browser, your security just became useless.

During their end-of-year security audit, Jane’s division determined that the risk in these second-generation 2FA methods would increase and sought a new solution. Jake’s division decided to stick with the SMS-to-the-phone solution. Jane’s division decided to explore the third generation of 2FA methods including biometrics, pattern recognition (how keys are tapped or swiped on the screen) and a newer version of SMS-based authentication that turns the process upside-down. A code is displayed on the web page after a user ID and password are correctly entered, which then must be sent from the cell phone that is associated with that ID before entry is allowed.

And Now, Back to the Road Trip

It’s been a successful road trip so far and the convenience of not remembering, carrying, checking and using a key fob-type authenticator is clear. Each of the road warriors is logging into the company intranet and VPN to check inventory, compare wholesale prices and enter their expenses. Jake has downloaded a cool new game to pass the time during a flight delay and is giddy about reaching the top level so quickly. Jane reads and catches up on email during the delay but is cajoled by Jake to download the same game.

At the next hotel, they both go to their respective rooms and log into the company’s system. Jake uses the SMS-to-the-phone method of authentication and Jane uses the SMS-from-the-phone method to verify her identity. Both complete the login, but Jake has a bit of trouble. After two or three attempts and repeated text messages sent to his phone, eventually he gets logged in, takes care of business and turns in for the night.

The Fatal Flaw

The next morning, both Jane’s and Jake’s phones start ringing very early; emails are flying between everyone in the company; and the CEO is screaming. The company’s server has been hacked. The website has been splattered with graffiti; their internal pricing documents have been stolen; and their personnel records have been deleted. Recovery from backups will restore everything to normal but that will take days.

The CEO is livid, demanding answers and ready to fire the person who was careless enough to allow the intrusion. The IT department is in a frenzy and, in tracking back the access control problem, traces it to Jake. The game he downloaded contained malware that intercepted his inbound authentication text message and rerouted it to a hacker in Eastern Europe, who had also used the game to install MITM browser malware, opening a back door to the server.

The IT department, looking at everyone’s remote logins from the night before, sees Jane’s login, too. She downloaded the same game, got the same malware on her phone and logged into the same VPN, but no damage was done by the malware. She was using the SMS-from-the-phone method that turns out to be impervious to this type of attack. Her authentication occurred totally outside of the browser, rendering MITM attacks impossible. Sending the text message into the authentication server would only work from her phone because its unique device identifier (UDID), a sort of fingerprint for that individual phone, avoided giving the hacker access.

Mobile-Originated SMS Prevails

Jane’s phone was protected by the third-generation 2FA method of mobile-originated SMS (MO-SMS). Unless she sent the code that appeared on the screen of her laptop into the cloud-based security system that connected securely with her company’s website, she couldn’t be granted access. And even though the hacker may have seen or even captured the code that she sent to the system, it was a one-time-password (OTP) and thus was useless, even if diverted to someone else.

Requiring the correct code to be sent from the correct phone’s UDID—in this case, Jane’s phone—functionally adds two additional factors of authentication, turning this 2FA into a 4FA method with one simple change: sending the authentication code from the phone (mobile-originated) instead of sending it to the phone (mobile-terminated).

While both Jane and Jake downloaded the same game and were attacked by the same malware, only Jake’s authentication was affected. The MO-SMS method that Jane used changes the game: Without the correct code being sent from the correct phone within the allotted time, access to any website, VPN or other access-controlled facility is denied.
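
The server-side check described above (the correct code, from the correct phone, within the allotted time, usable once), sketched as an added example that is not from the original article or any product it describes. The class and function names, the 120-second window and the phone numbers are assumptions, and the sender identifier is whatever the SMS gateway reports for an inbound message, standing in for the phone identifier the article refers to.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed "allotted time"; the article gives no figure


class MoSmsVerifier:
    def __init__(self, user_by_phone, clock=time.time):
        self.user_by_phone = user_by_phone  # enrolled sender id -> user id
        self.clock = clock
        self.pending = {}  # user id -> (code, expiry time)

    def issue_code(self, user_id):
        """Call only after the ID and password check; the code is displayed on the web page."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = (code, self.clock() + CODE_TTL_SECONDS)
        return code

    def on_inbound_sms(self, sender_id, body):
        """Handle one gateway-delivered message; return the user id to admit, or None."""
        user_id = self.user_by_phone.get(sender_id)
        challenge = self.pending.get(user_id)
        if challenge is None:
            return None  # unknown phone, or its owner has no login in progress
        code, expires = challenge
        if self.clock() > expires:
            del self.pending[user_id]
            return None  # arrived after the allotted time
        if not hmac.compare_digest(code.encode(), body.strip().encode()):
            return None  # right phone, wrong code
        del self.pending[user_id]  # one-time: a second copy of the message is refused
        return user_id


def demo():
    """Constructed scenario: one enrolled phone and one other phone that has seen the code."""
    now = [1000.0]  # fake clock so expiry can be shown without sleeping
    v = MoSmsVerifier({"+15550100": "jane"}, clock=lambda: now[0])
    code = v.issue_code("jane")
    results = {
        "other_phone": v.on_inbound_sms("+15550199", code),
        "enrolled_phone": v.on_inbound_sms("+15550100", code),
        "replay": v.on_inbound_sms("+15550100", code),
    }
    late = v.issue_code("jane")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = v.on_inbound_sms("+15550100", late)
    return results
```

Only the `enrolled_phone` case returns a user id; the code sent from another phone, the replayed message and the late message are all refused.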

This article originally appeared in the August 2014 issue of Security Today.
