Since July 2016, the National Institute of Standards and Technology (NIST) has been developing a comprehensive report on digital authentication guidelines. One of the most important topics addressed in the over 40 page report related to use of SMS delivered authentication codes
These guidelines have gone through an extensive review and comment process, with several interim drafts released and thousands of comments collected over the past two years.
The final draft recently released in June, included some significant and noteworthy changes to former versions of the document. Until recently, released draft of the guidelines stated that SMS delivered passcodes were “deprecated” as form of out-of-band authentication, clearly indicating that the agency considered this as an insecure method.
This initial report was met with understanding from the cyber security community, as SMS is indeed something hackers use to compromise identity.
Although earlier drafts of the NIST report were clearly giving the industry a heads up that SMS was out, the final version released in late June made no mention of SMS being depreciated.
So what changed?
The most likely explanation is that, in the end, NIST did not want to completely negate the utility of SMS as a security measure. SMS can be effective when used as an additional security layer within a broader authentication scheme.
Furthermore, and this is import, user experience is an extremely important factor in the ability for security protocols to be carried out effectively at the organizational level.
The inherent weaknesses in SMS authentication are demonstrated time and again. The most recent incident to do this was a series of German banking frauds pulled off by criminals who hacked the SS7, the internationally used system that controls cellular data transfers.
These vulnerabilities are not really news. As early as 2013, industry leaders began pointing to emerging methods of circumventing SMS authentication. Common tactics include malware infiltration that can record sessions on a mobile device and deliver SMS codes to an attacker.
Hackers have also used social engineering schemes to re-route SMS messages to hackers – a ruse that requires no technical skills, but only a convincing story that can be given over to a mobile service provider.
One infamous case of this method being carried out occurred when Black Lives Matter activist DeRay Mckesson’s phone was hacked in June 2016 by an attacker who impersonated him in a conversation with a Verizon customer service representative. The hacker was able to gain access to Mckesson’s Twitter account and deliver as series of pro-Trump posts at the height of the 2016 presidential campaign season.
A smooth talking hacker can even convince a service provider to issue an additional SIM card that can allow access to the victim’s accounts from another device, a method known as SIM Swapping. This tactic has been growing in popularity amongst fraudsters since 2013 according to federal agencies.
And it gets worse:
SMS authentication can actually be wielded against a victim by using messaging to gain access to private accounts. In an emerging method which involves phishing attacks in the form of SMS messages, or “smishing”, a criminal sends a text message that appears to be coming from a source that typically requires authentication, such as the user’s bank, and gets him or her to give up their authentication details.
So why is SMS still as popular as it is?
Let’s face it:
What is easy and accessible is going to be easier to broadly implement.
Today, cellular devices are ubiquitous. Allowing an extra layer of protection to simply pop up on a user’s device is a convenient way to add an additional line of defense to sensitive data.
SMS can indeed be used effectively as part of a multi-layered authentication system, which relies on a variety of multi-factor authentication techniques, including biometrics, geo-fencing or other out-of-band verifications.
With this “hardened” SMS, IT and security professionals can remain confident that security of the enterprise is kept intact, even if one of the many methods to compromise SMS authentication has been executed against users.