What Could Go Wrong with SMS-Based MFA? Plenty


SMS-based multi-factor authentication sounds great. Every website asks you to enable it, and rightly so: even if a data breach reveals that your password is “password,” criminals can’t get into your account without the second factor, which is usually a code sent by text message or generated by an authenticator app.

The first of those methods is a serious security problem. At Black Hat, Thomas Olofsson, CTO at FYEO, and Mikael Byström, its head of OSINT, presented a technique they call smishmash to demonstrate that text messaging is a dangerous second factor.


What Are OSINT, Smishing, and FYEO?

According to its website, FYEO advocates a decentralised internet, finance, and security. The name also reads as For Your Eyes Only, the James Bond title.

Open-source intelligence (OSINT) was a popular topic at Black Hat. It means gathering and analysing publicly available information to produce intelligence, and a diligent researcher can do remarkable things with public information alone.

You’ve heard of phishing, where criminals lure you into signing in to a fake bank site so they can steal your credentials. Put that phishing URL in a text message instead of an email and you have smishing.

Texts are insecure.

“It’s a mashup of techniques,” says Olofsson. “2FA SMS is broken. Since the beginning, this has been known. This wasn’t planned. Since we started hacking, we’ve spoofed texts. Now it’s weaponized.”

Text-message fraud has a higher success rate than email scams, he says. Olofsson reviewed smishing and 2FA breaches, including the OpenSea NFT theft. “Smishing attacks have skyrocketed,” he says. “How many of you received an unsolicited text last week? Your phone number is leaking.”

“What we have done [is combine] a search of the clear-net and darknet to create a huge database,” says Byström.

“We got so much spam,” says Olofsson. “Even ‘do you want the Black Hat attendee list?’ We paid under $100.”

“Leaked credentials were username and password,” Olofsson continues. “With a username, broken password, and phone number, you can bypass 2FA. We have 500 million phone numbers, so we can link one in five email addresses to a number.”

What’s a 2FA Breach?

“The most common way to fool 2FA is to initiate a password reset,” says Olofsson. “Three of six real-world attacks involve account recovery. Account recovery is lax.”

The first SMS was sent in 1992, and the protocol was never meant to be secure: no checksum, no sender verification, nothing. “Sending texts is easy,” he says. “Manually, obviously. Use an old phone as a modem. Or utilise an API.”

On stage the duo demonstrated spoofing. Olofsson then pointed out that the attack can simply be bought: he showed an Alibaba listing for specialised hardware at $160, including versions that handle 64 attacks at once and spoof both the IMEI and the SMS sender. They are openly advertised, which makes them a well-known secret.

The team discussed technical approaches and services that firms can use to protect against this attack, but the best option is to avoid SMS altogether. They also released the complete database to Black Hat attendees so they could check whether their own phone number was exposed. Fully qualified security researchers can request the unhashed version.
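The recovery weakness Olofsson describes is one a service can close on its own side without waiting for users to abandon SMS. The policy check below is an added example written for this page, not code from FYEO or from the smishmash talk; the factor names (`sms`, `totp`, `fido2`, `passkey`), the salted phone digests and the sample accounts are all constructed for illustration. It refuses an SMS code as the sole proof for a password reset, switches the SMS fallback off once a stronger factor is enrolled, and steps up verification when the phone number on file appears in a known-exposed set, mirroring the "is my number in the database?" check the duo offered attendees.

```python
"""Account-recovery policy that never lets an SMS code stand alone.

Added example; not FYEO's code. Factor names, salt and sample data are
constructed for illustration.
"""
from dataclasses import dataclass
import hashlib

# Factors that do not ride on the SMS channel. Assumption: these are the
# names the service uses for its enrolled factors.
STRONG_FACTORS = frozenset({"totp", "fido2", "passkey"})

# Demo salt; a real deployment keeps this secret and rotates it.
_SALT = b"constructed-demo-salt"


def phone_digest(phone: str) -> str:
    """Salted hash of an E.164 number so an exposed-number list is never kept raw."""
    return hashlib.sha256(_SALT + phone.encode()).hexdigest()


# Constructed stand-in for numbers known to appear in leaked data.
EXPOSED_PHONES = frozenset({phone_digest("+15555550123")})


@dataclass(frozen=True)
class Account:
    email: str
    phone: str
    factors: frozenset  # factor names enrolled on the account


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(account: Account, action: str, presented: str) -> Decision:
    """Decide whether `presented` (a factor name) may satisfy `action`.

    Defender-side rules:
      * a password reset is the recovery path the talk flagged, so an SMS
        code never completes it on its own;
      * once a non-SMS factor is enrolled, SMS is not accepted at all;
      * if the phone number appears in exposed data, SMS is refused and the
        account must re-enrol with a stronger factor.
    """
    if presented not in account.factors:
        return Decision(False, "factor not enrolled on this account")
    if presented in STRONG_FACTORS:
        return Decision(True, f"{presented} accepted")
    # From here on the presented factor is SMS.
    if action == "password_reset":
        return Decision(False, "password reset requires a non-SMS factor or manual review")
    if account.factors & STRONG_FACTORS:
        return Decision(False, "stronger factor enrolled; SMS fallback disabled")
    if phone_digest(account.phone) in EXPOSED_PHONES:
        return Decision(False, "phone number found in exposed data; re-enrol with a stronger factor")
    return Decision(True, "sms accepted (no stronger factor enrolled)")


if __name__ == "__main__":
    sms_only = Account("a@example.com", "+15555550199", frozenset({"sms"}))
    exposed = Account("b@example.com", "+15555550123", frozenset({"sms"}))
    with_totp = Account("c@example.com", "+15555550199", frozenset({"sms", "totp"}))
    for acct, action, factor in [
        (sms_only, "login", "sms"),
        (sms_only, "password_reset", "sms"),
        (exposed, "login", "sms"),
        (with_totp, "login", "sms"),
        (with_totp, "password_reset", "totp"),
    ]:
        d = decide(acct, action, factor)
        print(f"{acct.email:16} {action:15} {factor:6} -> {d.allowed} ({d.reason})")
```

The point of the ordering in `decide` is that the SMS-specific refusals are evaluated only after the cheap "is this factor even enrolled" and "is this a strong factor" checks, so adding a new strong factor later needs no change to the SMS rules. Storing only salted digests of exposed numbers keeps the exposed-number list itself from becoming another leak.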

The takeaway is obvious: whenever possible, avoid SMS-based authentication, and if an important account such as your bank offers nothing better, tell them to do better.

