Two-factor authentication (2FA), also known as two-step verification or multifactor authentication, adds a layer of security to your online accounts, from Amazon, Apple and Google to Facebook, Instagram and Twitter.
Instead of entering only your password to access an account, you enter your password (the first factor) and then a code sent via SMS or a prompt from an authentication app (the second factor). A hacker would then need both your password and your phone to break into your account. But receiving 2FA codes via SMS is less secure than using an authentication app, because the code is only as safe as the phone number it is delivered to. Hackers have been able to trick carriers into porting a phone number to a new device in what is called a SIM swap.
It can be as easy as knowing your phone number and the last four digits of your Social Security number, data that leaks from banks and large corporations from time to time. Once a hacker has redirected your phone number, they no longer need your physical phone to receive your 2FA codes. And if you sync text messages to your laptop or tablet, a hacker who walks off with one of those devices can read the SMS codes as well. Then there are the weaknesses in the mobile telecom system itself.
In what's called an SS7 attack, a hacker abuses the signalling network behind the cell phone system to listen to calls, intercept text messages and see the location of your phone.
An authentication app has the advantage of not relying on your carrier: the codes are generated on the device from a secret shared at enrollment, so they stay with the app even if a hacker manages to move your number to a new phone. And codes expire quickly, usually after 30 seconds or so.
In addition to being more secure than SMS, an authentication app is faster: you need only tap a button to verify your identity instead of typing in a six-digit code. If you have an Android phone or an iPhone with the Google Search or Gmail app, you can set up Google prompts to get the second-factor prompt without needing a separate authentication app.
Common flaws of SMS auth
Code reuse is one of them. In one service the same confirmation code was sent again on every new request until somebody entered it; apparently the developers saw no need to generate a new random code while the previous one was still unused. A rate limit should cover not only the number of login attempts for a single phone number but also the number of requests to the application as a whole, since an attacker may flood not one particular user but the service on a massive scale, to trigger a DoS or to drain the funds the service pays for SMS delivery.
Naturally, the confirmation code must be random: if it can be predicted (for example, if its value depends only on the current second of Unix time), any account can be stolen. In one of the bugs we found it was not the confirmation code itself that was predictable but its identifier. Each confirmation code in that service was assigned a number which turned out to be a global identifier, incremented for every code issued to any user.
That identifier was not tied to the session, so an attacker could submit incorrect confirmation codes on behalf of other users who were logging in or registering at that moment, using up their attempts. This vulnerability and the corresponding attack are a special case of a DoS attack. If a user account is blocked when the rate limit is exceeded, a mass denial of service is possible: an attacker simply makes a few unsuccessful auth attempts for each client and thereby blocks all accounts.
Of course, to do this he needs to know their phone numbers or logins.
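The findings above come down to a few properties of the code issuance and verification path: a fresh CSPRNG code on every request, a challenge identifier that is unguessable and bound to the session rather than a global counter, a rate limit on the single number and on the service as a whole, and an attempt limit that invalidates the challenge instead of locking the account. The following is an added example written for this page (not code from the audited services or from the authors), an in-memory Python sketch of such a path that also covers the rate-limit point made under "Common flaws of SMS auth"; `predictable_code` shows the time-derived anti-pattern for contrast. The limits, window lengths, and the `sent` list standing in for an SMS gateway are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Illustrative limits (assumptions; tune per service).
CODE_DIGITS = 6
CODE_TTL = 120          # seconds a code stays valid
MAX_ATTEMPTS = 5        # wrong guesses before the challenge is discarded
PER_PHONE_LIMIT = 3     # code requests per phone number per window
GLOBAL_LIMIT = 1000     # code requests for the whole service per window
WINDOW = 600            # rate-limit window in seconds


def predictable_code(now: float) -> str:
    """The anti-pattern from the text: a 'code' that depends only on the
    current second of Unix time. Anyone with a clock can recompute it."""
    return f"{int(now) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class SlidingWindow:
    """Counts events per key inside the last `window` seconds."""

    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class OtpService:
    def __init__(self):
        self.per_phone = SlidingWindow(PER_PHONE_LIMIT, WINDOW)
        self.service = SlidingWindow(GLOBAL_LIMIT, WINDOW)
        self.challenges = {}   # challenge_id -> state dict
        self.sent = []         # constructed stand-in for the SMS gateway

    def request_code(self, session_id: str, phone: str, now: float = None) -> str:
        now = time.time() if now is None else now
        # Limit the single number *and* the service as a whole, so a flood
        # across many numbers cannot drain the SMS budget or knock the service over.
        if not self.per_phone.allow(phone, now):
            raise RuntimeError("per-phone rate limit")
        if not self.service.allow("*", now):
            raise RuntimeError("service-wide rate limit")
        # Fresh CSPRNG code on every request; an unused code is never re-sent.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Unguessable challenge id bound to this session, instead of a global
        # counter that lets a third party address other users' challenges.
        challenge_id = secrets.token_urlsafe(16)
        self.challenges[challenge_id] = {
            "session": session_id, "phone": phone, "code": code,
            "expires": now + CODE_TTL, "attempts": 0,
        }
        self.sent.append((phone, code))
        return challenge_id

    def verify(self, session_id: str, challenge_id: str, submitted: str,
               now: float = None) -> bool:
        now = time.time() if now is None else now
        ch = self.challenges.get(challenge_id)
        # Unknown id, or an id issued to another session: rejected without
        # touching the attempt counter, so nobody can burn someone else's tries.
        if ch is None or ch["session"] != session_id:
            return False
        if now > ch["expires"]:
            del self.challenges[challenge_id]
            return False
        ch["attempts"] += 1
        ok = hmac.compare_digest(ch["code"], submitted)
        # Exhausted attempts invalidate this challenge only. The account itself
        # is never locked, so a list of phone numbers gives an attacker no
        # mass lock-out; the victim just requests a new code.
        if ok or ch["attempts"] >= MAX_ATTEMPTS:
            del self.challenges[challenge_id]
        return ok
```

With these limits a guesser gets at most `PER_PHONE_LIMIT * MAX_ATTEMPTS` tries per window against a space of a million codes, the challenge id cannot be enumerated, and a flood against the service as a whole is cut off by the shared bucket before it reaches the SMS gateway.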
The problem with SMS authentication
It is no secret that sending data through SMS is unsafe. The interception methods described above are usually not caused by a weakness in the web service itself, but the risk of such attacks has to be taken into account when designing an application. If you need to assess the security of your web service, contact us at [email protected].