
6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication

1992 was both an ending and a beginning. It was the year I lost my beloved grandfather, and I’ll never forget his final words to me: “Stop shaking the ladder, you idiot!” Shortly after his completely unpredictable and unpreventable demise, the Short Message Service (SMS) was born. Yes, that’s right, SMS was born in 1992, and the first SMS message was “Merry Christmas.” 

It’s crazy that SMS has been with us for 27 years already, especially considering all its deficiencies (no read receipts, short text limits, and reliance on phone numbers). Most of the world has moved on to better, more secure messaging platforms like iMessage, WhatsApp, and, hopefully soon, RCS. 

SMS is getting less secure, seemingly by the day. Even though NIST recommended that SMS be replaced as an authenticator in 2016, a disturbing number of websites and mobile apps still require it for the second factor of authentication. The debate about its deprecation as an authentication system is less about the agreed-upon insecurity of SMS and more about what can replace it. SMS survives because of its ubiquity, period.

In my travels, I’ve seen SMS as the second factor bypassed in more clever ways than I can count without putting down my cell phone or unbuttoning my pants. I’ve probably seen even more, but these are the ones I remember.

1. Mobile Number Transfer: The first rash of 2FA bypasses occurred in countries where phone number porting (moving a number from service to service) was relatively easy. Australia was a prime early hunting ground for attackers who, after collecting the credentials of a target, were able to research the victim’s phone number, too. A quick call to the mobile carrier could get the phone number assigned to a phone that the attacker controlled. From then on, all 2FA codes were intercepted by the attackers, and the victims often had no idea—they woke up the next day and their phones didn’t work. It could take them a week to get their number back, and only then did they realize their bank accounts had been drained.

2. Interception at Mobile Operator: Here’s a novel one that’s seen a lot of use in the last year. Attackers get access to 2FA codes through the mobile operator’s customer portal. Where a lazy person reuses the same password for their email and mobile accounts, all the attacker needs to intercept the 2FA code is to log into the user’s mobile account and see the code among the stored text messages. From there they can reset the bank password (if they didn’t already have it), and theft ahoy.

3. Malware Intercept: Since at least 2014, custom malware has infected mobile phones and intercepted the SMS-based 2FA codes as they arrived. Sometimes this malware was part of a banking trojan package. Other times, the malware would just forward the 2FA codes to the attacker, and voila, game over. This problem was particularly widespread in the Android ecosystem, but rarely, if ever, seen with Apple.

4. Lost Phone Reset Password Bypass: People lose phones and change phone numbers. It happens, like diabetes. So all services that use SMS-based authentication systems must have recovery services where people can reset their account or update their phone number. If the attacker has already compromised the email account (perhaps because of re-used passwords), they can reset, update, or otherwise bypass the 2FA system. Lost phone and password-reset pages are the most common targets of unwanted automation today. Don’t believe me? Check your access log for lost-password.html.
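One way to do the access-log check suggested above, as an added example that is not part of the original column: a small Python script that reads web-server logs in combined format and flags any client that fires a burst of POSTs at the reset page inside a short window, which is what scripted reset abuse looks like next to a person who loads the form once. The log lines, the `/lost-password.html` path, the threshold and the window are all constructed or assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:14:01:02 +0000] "POST /lost-password.html HTTP/1.1" 200 512 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:01:03 +0000] "POST /lost-password.html HTTP/1.1" 200 512 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:01:04 +0000] "POST /lost-password.html HTTP/1.1" 200 512 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:01:05 +0000] "POST /lost-password.html HTTP/1.1" 200 512 "-" "python-requests/2.21"
198.51.100.20 - - [10/Mar/2019:14:02:10 +0000] "GET /lost-password.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2019:14:02:40 +0000] "POST /lost-password.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed reset endpoint; add your own recovery and change-number URLs here.
RESET_PATHS = {"/lost-password.html"}


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_reset_abuse(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: total_posts} for clients that POST to a reset page more than
    `threshold` times within any `window`. GETs (loading the form) are ignored."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] in RESET_PATHS:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0  # left edge of the sliding window over this client's POSTs
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Run it over a real log with `find_reset_abuse(open("access.log").read())`; clients behind a shared NAT will need a higher threshold or a per-account key instead of IP.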

5. Social Engineering: Attackers targeting a specific organization or person have been known to use social engineering to bypass 2FA. For example, the attacker calls you, the victim, on your phone, and claims to be a representative of your bank. He says they are checking accounts for fraud, and he’s going to send you a code to verify your identity. He asks you to read it back to him, then logs into a site with your credentials while you wait. The 2FA code is sent to you, and you give it to him over the phone. He thanks you for your help, then robs you of your money and residual dignity.

6. Man-in-the-Middle Website Proxies—Modlishka: A group of researchers created the Modlishka phishing proxy framework [github link] to show how easy it is to trick a user into entering their SMS 2FA code. If you haven’t seen the video, it’s a total forehead slapper for the security community. How did we not see this coming?

In theory, non-SMS 2FA has a smaller threat surface (drop 1-4). Social engineering (5) is always going to work; that problem can’t be fixed by technology. The final attack method, as shown by the Modlishka framework (6), is the one that concerns me the most and is the inspiration for this listicle. Modlishka could work against any 2FA system, even ones not based on SMS, because the user session was effectively compromised as soon as they hit the phishing framework. 

Even with all these different bypass methods, two-factor and multi-factor authentication still have their place in the toolbox of a defender. But 2FA systems are clearly showing their age, said the author, shaking the ladder.

David Holmes, CISSP, is a security researcher and a low-rent technical evangelist. He has a background in cryptography, application security, architecture, and development. He has spoken at more than 50 conferences, including RSA, InfoSec Europe, the Australian CyberSecurity Conference, and Gartner Data Center. He researches and writes regularly about cryptography, the Internet of Things, malware, policy, vulnerabilities, technical solutions, and the security industry in general as an expert contributor at SecurityWeek. Holmes studied Computer Science and Engineering Physics at the University of Colorado at Boulder and has awards from Toastmasters International. On Twitter he is @capmblade.