Why it might be time to ditch SMS for MFA

BLUF: multi-factor authentication (MFA) utilizing SMS (i.e. text messaging) leaves an organization open to vulnerabilities. IT departments, users, and platform operators should cease use in lieu of vastly more secure app-based or hardware options.

If you are serious about security, it is time to think twice about using text-messaging (SMS) as a multi-factor authentication (MFA) delivery method. Traditionally, MFA has been widely adopted as way to secure an account while limiting the burden placed on the user trying to login. By requiring two steps to verify an identity, the process is, in theory, more secure. However, as we have seen recently, SMS is very vulnerable to security breaches.

Now to be clear, any MFA, including SMS based, is better than none. If you’re using it, keep using it until you get something better.

A New Kind of Attack: Sim-Jacking

Like most issues in our industry, this is a people problem rather than the result of any technological limitation. SMS is extremely vulnerable to social engineering attacks on the telecom industry. A motivated attacker will call your mobile provider and manipulate them until they’re able to gain access to your phone line. This kind of attack is known in the industry as sim-jacking. This places your security in the hands of a generally poorly trained individual at risk of social engineering, bribery, general apathy or some combination therein.

This issue was highlighted in the past week by the compromise of Jack Dorsey’s twitter account (he’s the CEO of…Twitter) through an apparent sim-jacking attack. Other notable examples include Jared Goetz and a rash of attacks on popular cryptocurrency figures.

Application Based Soft Tokens

Multi-factor authentication is likely the easiest and most effective control that you can employ in securing your environment. And as stated above, SMS MFA is better than not having any at all. But, given the frequency of these attacks, it’s not enough. We suggest the use of application based soft tokens that generate a number i.e. Authy, Google Authenticator, Microsoft Authenticator or something similar. These applications, while not perfect, are easier to use than SMS after initial set up and can even be configured with push notifications, eliminating the tedious number entry process.

Unfortunately, it’s not entirely in your control – yet. Various web services and providers still mandate the use of phone numbers for MFA, limit other choices, and utilize SMS as a fallback mechanism for password resets and emergency account access. Where possible, however, we strongly encourage using alternate and more secure means.

A Quick Workaround

The fatal flaw in SMS MFA is with the phone company. If SMS is required for an application, here’s an effective way to harden it – albeit with a bit of work. Create a Google Gmail account with a long, completely random username and long, completely random password. Secure this account with a software or hardware MFA token. Do not provide it your mobile number. Utilize this account solely for creating a free Google Voice number. Using the Google Voice app on your smartphone, provide this number to the application for your SMS MFA. You should use this number solely for MFA and no other purposes. This method is not perfect but far better than tying it your personal cell phone.

At Intraprise Health, our security and risk management software can be critical in helping you identify security risks i.e. SMS for MFA. Once those risks are identified our certified audit-support team can help you with creative solutions to help you remediate your environment. To learn more, please contact us.