Industry Insights with Andrew Showstead

Governance & Risk Management , Information Sharing , Multi-factor & Risk-based Authentication

I Hope That No One Gets My (SMS) Message in a Bottle

NIST Weighs In On SMS Security
I Hope That No One Gets My (SMS) Message in a Bottle

The news is in that the National Institute of Standards and Technology has finally stated what both security professionals and hackers alike have known for years: SMS is insecure, and is no longer suitable as a strong authentication mechanism. SMS Messages are not protected from the wrong eyes seeing them, and there is no assurance that they will actually go to the intended recipient. So everyone knew this day was coming, yet scores of applications deployed SMS as a security mechanism, and the question is, "Why?"

It's quite simple: As people began to lose trust in password-protected services, in the rush to give users a 'sense of security' (in other words, "We're secure, so keep using our service, pretty please!"), SMS texts provided a cheap, ubiquitous, and easy-to-understand process. In the best of cases, SMS was used for low-risk web-site access; in the worst of cases, misplaced trust saw it leveraged for access to highly-targeted intellectual property, "secure" networks, and even some credit card issuers and financial institutions. Oh, the SMS peddlers without suitable alternatives talked it up with various buzz-phrases, like "out-of-band" and "step-up" authentication, but the reality now is that SMS security does not deliver as a true "second factor", as some may have claimed; attacks against SMS are no longer theoretical but widespread.

What was the problem with SMS from the beginning, and what has changed? Well, SMS has always provided a "logical" link between your user's phone number and the actual device they hold in their hand. Before smartphones and must-have apps, the point of compromise was the user's wireless account; change the phone registered to an account, and voila! You are receiving the messages without actually hacking the account being attacked. Basically, you were relying upon the cellular companies to maintain your security. In some cases, the providers have increased the security of these types of device changes, and so maybe we delayed the inevitable....

Many people innocently believe the only way for someone to see their SMS messages is if they are in possession of their phone, and have a false sense of added security if they are using a passcode or fingerprint to protect their phone access. They couldn't be more wrong! What's here now is the ability to attack the phone directly. A user downloads all sorts of apps, usually granting various permissions without giving it a thought. Downloading apps from untrusted app stores, using jailbroken or rooted phones, or in general, just acting like users, clueless to the risks they face day to day.

Now consider the variety of apps available for "legitimate" use. Want to really see who your kids are socializing with by monitoring their texts? Want to help your aging parent by monitoring their SMS messages from one of the various services they might use? Simply install a hidden SMS utility on their phone and remotely see all their incoming and outgoing messages. So if these apps can do these things at your command, what makes you think a hacker can't hide these malicious tools in an app without your knowledge? Application repackaging, code injection, screen overlays, rogue keyboards.....Are you downloading the latest viral app? You might just get a few extra bells and whistles that you are not interested in, and they will most likely be stealing your login credentials.

So what now? Alternatives exist, and your application can be protected by run-time self-protection, true transaction security and device-binding technologies, allowing your mobile to still be used as a great second factor." Unfortunately, for years have we have heard "Passwords are dead!" yet most of us can't get around typing passwords all day; knowledge-based authentication is equally vulnerable. And now that we have heard "SMS Authentication is dead!" we need to go where the user and their devices are, and truly secure them! We must stop relying upon the SMS "message-in-a-bottle" approach to security, or we'll be relearning this lesson again and again and again....

About the Author

Andrew Showstead

Andrew Showstead

Director of Technical Consultancy and Market Solutions, VASCO Data Security

In this role, Showstead oversees engineering and product implementation aspects of multifactor authentication and application security projects for large enterprise clients in North America. While at VASCO, he has been leading a cross-functional team tasked with developing cutting-edge security solutions for evolving markets. Currently, Showstead and his team focus on creating a trusted digital identity ecosystem for healthcare and government sectors. Showstead holds a B.S. in Electrical Engineering from Purdue University. He brings over 20 years of experience in engineering and product development from Eastman Kodak, Creo Inc., nJuvo and other technology companies. His research interests include identity federation and the use of embedded technologies to simplify security.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.