
Two-factor authentication: again about the risks of using SMS and voice calls

About a week ago, journalist Christopher Mims published the password for his Twitter account in an article about two-factor authentication. It was a brave move, if not a foolish one.
Within a couple of days Christopher was forced not only to change the password, but also to change his mobile phone number. The reason is simple: after the password is entered, Twitter shows which phone number the one-time code is sent to (many other services do not do this and mask some of the digits). So the phone number became known, and it can be put to use: for example, to send someone a message that appears to come from that number. When Christopher received an SMS with his own number in the sender field, he realized that he had acted foolishly. He changed his phone number, fearing that attackers could "substitute" themselves for him, for example by sending messages on his behalf.
Further on in his article he recommends using an application to generate one-time passwords, using his own case to illustrate that the phone-based method is not so secure. In this he is absolutely right, but the risks are in fact of a completely different scale: he risked not only impersonation via his mobile phone number, but also a direct takeover of his account.
Let us consider all the risks in more detail.


Impersonation

Christopher was most afraid of this, but the consequences here are minimal: it can be used for little more than a prank (although a prank can have serious consequences). The fact is that SMS gateways, of which there are now a great many on the Internet, allow you to specify an arbitrary string as the sender's name. This is mainly used for an alphabetic sender name, but a number can be substituted instead, and any number at that. Of the several SMS gateways that I tested, only one had a procedure for "moderation" of the sender's name, but it, as I understand, does not involve verifying ownership of the number: I easily added my friend's number to the sender field and sent him a test SMS.


Duplicate SIM card


In all banks, the procedure for verifying identity is quite strict (sometimes to the point of absurdity). This is not the case with mobile operators, despite the fact that many online banking systems use the mobile phone number to confirm transactions. I will give an example from my own experience: this year I ordered duplicate SIM cards twice (nano-SIMs were needed), and in both cases they asked only for a phone number and no personal identification, and note that this was for a post-paid contract. Just yesterday, out of interest, I did the same operation in a neighboring country, this time with pre-paid, and the situation repeated itself exactly: no documents were asked for. In all the examples above, this took place in the countries of central Europe.

Voice mail


Many two-factor authentication systems, including Google's, offer, in addition to SMS, a regular phone call in which a robot reads out the digits of the one-time password. This is convenient if there is no cell phone at hand or the signal in the room is poor. However, if voicemail is enabled on the number, this creates the risk of the voice message being intercepted. This is what happened in 2012 to Cloudflare CEO Matthew Prince. In that incident social engineering was partly involved, but this method can also do without it, since caller-ID spoofing services (for example, SpoofCard) exist. The attack relies on the fact that when voicemail is accessed, many operators do not require additional verification if the caller ID matches the subscriber's own number. The Australian security expert Shubham Shah conducted a fairly extensive study and found that the problem existed (and in some cases still exists) on resources such as LinkedIn, Facebook, Google, etc. As of today many have fixed it, but Google and Yahoo do not consider it a vulnerability and are not going to do anything about it. So, the advice: if anyone has a voice call set as the main method on these services, it is better to switch to SMS, or better still, choose the mobile-application method.

Conclusions


SMS and voice calls are certainly convenient, but as it turns out they are not as safe and reliable as mobile applications or hardware keys. Mobile applications are not perfect either, but the risks there are much smaller.
And although this will seem an obvious truth to many, we nevertheless recall that the password is still important: the advantage of two-factor authentication lies precisely in the two factors; removing the password from the process leaves us with one-factor authentication that has different, but still real, risks.

Source: https://habr.com/ru/post/230695/

