Two-factor authentication via Short Message Service (SMS) codes continues to be used despite being shown to be eminently compromisable, and despite better alternatives being available.
Software engineer Sean Coonce of digital assets storage company BitGo in California is a recent example of how dangerous it can be to rely on a "security feature" that is easily bypassed.
Coonce rues not putting better security measures in place after unknown attackers ported his phone number to a new Subscriber Identity Module (SIM) and were able to steal large amounts of money by capturing two-factor authentication codes for his accounts.
He said the attack cost him US$100,000 last week, with the funds evaporating from his Coinbase crypto exchange account over a 24-hour time period.
Coonce said the money is gone for good, and that people need to be aware that SMS-based 2FA isn't enough, as it is vulnerable to porting attacks.
Instead of SMS 2FA, he suggests using time-based one-time password codes from Google Authenticator or Authy, along with hardware tokens such as the YubiKey, which can't be spoofed and remain under the owner's physical control.
Google also offers voice-based 2FA, and the online giant's Google Voice service provides phone numbers that can't be ported, Coonce said.
Secondary email addresses for critical online services are also a good idea, provided they are not used for anything else, are kept private, and are themselves protected with hardware-based 2FA, Coonce suggested.
Coonce said he never took his online security very seriously as he had never experienced an attack.
"... I was simply too lazy to secure my assets with the rigour they deserved," Coonce wrote, ending his lament.
How insecure is SMS 2FA? Is it even 2FA?
Insomnia Security researcher Adam Boileau said this is yet another example of why SMS is one of the least robust 2FA options.
He noted that in the case of a password reset, the SMS code functions as the sole factor of authentication, and that the codes can be captured by attackers.
“There are many ways attackers can capture the SMS codes, including SIM porting.
Other options include obtaining them from the end device, from the SMS transmission application programming interface, logs, in the telco itself, or in some cases over the radio network," Boileau said.
Attackers can also target the number porting system itself, and employees of the telco or its agents.
“Telcos vary in the level of checking they undertake when porting numbers or SIMs around, which ideally involves in-person checks of photo ID.
However, this often takes place in smaller retail stores that are not owned by the telcos in question, and it’s difficult to ensure that they check that the porting request is legitimate.
Plus there are opportunities for insiders to assist in bypassing checks for profit or under duress,” Boileau added.
There are measures, already being tested elsewhere in the world, that our telcos could adopt to prevent porting attacks, he said.
"Preventing the SIM swap is one approach; a complementary one is detecting that it has occurred.
We've seen some success in Africa, where such fraud was endemic.
In Mozambique, the phone carriers provide an API which lets online services query the relative age of the SIM.
This lets services use this in their risk calculus, and choose to require other authentication if the mobile number's account has suspicious changes.
Ideally we'd start to see this taken up elsewhere," Boileau suggested.
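One way an online service could feed such a SIM-age signal into its risk calculus, as an added example that is not code from the article, from Boileau, or from any carrier: the JSON shape of the carrier response, the `evaluate()` function and the seven-day window are all assumptions, and the sample responses are constructed.

```python
"""Risk-based step-up around SMS codes, driven by a carrier SIM-age signal."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import json


class Decision(Enum):
    ALLOW_SMS = "allow_sms_otp"        # SMS code acceptable as a second factor
    STEP_UP = "require_strong_factor"  # insist on TOTP / U2F / trusted device
    BLOCK = "deny_and_review"          # no safe automated path; manual review


@dataclass
class CarrierSimInfo:
    msisdn: str
    sim_activated_at: datetime

    @classmethod
    def from_api_json(cls, raw: str) -> "CarrierSimInfo":
        # Hypothetical response shape; the real carrier API is not specified here.
        doc = json.loads(raw)
        return cls(doc["msisdn"], datetime.fromisoformat(doc["sim_activated_at"]))


# Policy knob (assumed): a SIM activated inside this window is treated as a possible swap.
RECENT_SWAP_WINDOW = timedelta(days=7)


def evaluate(raw_json: str, now: datetime, flow: str, has_strong_factor: bool) -> Decision:
    """Decide how much weight an SMS code may carry for this request.

    flow is "login" (SMS is a second factor) or "password_reset" (SMS would be
    the sole factor). has_strong_factor says whether TOTP/U2F is enrolled.
    """
    info = CarrierSimInfo.from_api_json(raw_json)
    recent_swap = (now - info.sim_activated_at) < RECENT_SWAP_WINDOW
    if flow == "password_reset" or recent_swap:
        # Never let SMS alone carry a reset or a freshly swapped number:
        # step up to a stronger factor when one exists, otherwise refuse.
        return Decision.STEP_UP if has_strong_factor else Decision.BLOCK
    return Decision.ALLOW_SMS


# Constructed sample carrier responses (not real data).
NOW = datetime(2019, 5, 20, 12, 0, tzinfo=timezone.utc)
OLD_SIM_JSON = '{"msisdn": "+15550100", "sim_activated_at": "2017-03-01T09:00:00+00:00"}'
FRESH_SIM_JSON = '{"msisdn": "+15550100", "sim_activated_at": "2019-05-19T22:15:00+00:00"}'

if __name__ == "__main__":
    for label, raw in (("old SIM", OLD_SIM_JSON), ("fresh SIM", FRESH_SIM_JSON)):
        for flow in ("login", "password_reset"):
            print(label, flow, evaluate(raw, NOW, flow, has_strong_factor=True).value)
```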
Getting multi-factor authentication right is difficult, however.
“Using hardware U2F keys and devices, or being prompted on another machine for permission the way Apple does it, makes it substantially harder for attacks to succeed than with SMS 2FA,” Boileau added.
"But adding extra defences to normal authentication just means attackers move to other scenarios, such as password reset.
Designing an authentication system that handles the nuance of the real world - where people lose phones, change names, or move countries - and also degrades gracefully when passwords are forgotten is a hard problem," Boileau warned.
“Ultimately though, the issue here seems to be that it’s ill-advised to keep US$100,000 on your computer - or any device - no matter which type of 2FA is used.
Having Coinbase as the bank means there’s only a slim chance of getting a refund for the fraud, thanks to the transaction being immutable on the blockchain,” Boileau concluded.