Security Challenges of SMS-based OTPs
Definitions and Acronyms
SMS: Short Message Service, a text message sent to a mobile device
OTP: One Time Passcode, a single use code (typically a six digit number) that is often utilized for multi-factor authentication
MFA: Multi-Factor Authentication, authentication is usually split into three categories: something you know, something you have, and something you are. MFA tries to utilize two or more of these categories.
SS7: Signaling System 7, the rails that mobile networks SMS messages run on
SIM: Subscriber Identity Module, tells the mobile network who owns the phone and what data to send it
Security is critical in a digital-first world, and it has become increasingly obvious that a username and password is not enough to keep a user’s account safe.
Increasing fraud is leading financial institutions and other corporations to look for alternative authentication measures that add a second layer of security to the username/password combination. The two most common layers of security that they utilize are SMS OTPs and knowledge based authentication (KBAs).
What are SMS OTPs
SMS OTPs are text message based one-time passcodes that are utilized by many industries for multi-factor authentication. When combined with usernames and passwords, they provide a second factor of authentication.While they have become increasingly more common, SMS OTPs still have some major fundamental flaws.
Problems with SMS OTPs
There are three common attack vectors that challenge SMS OTPs: Phishing, SIM swapping, and SS7 attacks.
A common phishing scheme might look like this: An attacker calls their target pretending to be from a bank. They will then say that they are sending an SMS OTP to verify the identity of the user and ask for that OTP. When the user gives them the OTP, the attacker is then able to break into the bank account.
SIM swapping occurs when an attacker is able to convince a mobile network operator that they are the owner of a device and need to change the SIM card.
If they are successful, SMS OTPs sent to the legitimate owner’s phone number will be received by the fraudulent, SIM-swapped device, and the attacker can then use those OTPs to compromise accounts.
SS7 fraud, the most complicated of the three attacks, occurs when fraudsters intercept SMS messages sent over the mobile network. The attacker is able to read the SMS OTPs from the targeted device and can utilize it for “man-in-the-middle” attacks.
When using SMS OTPs for authentication, this attack is almost impossible to stop since both the mobile network operator and the user are often unaware that fraud is occurring.
Adding Asignio Security to SMS OTPs
SMS OTPs are often used for MFA because they are easy for the user to understand and can be widely implemented for any user with access to a phone number.
Asignio adds a second security layer to the convenient SMS OTP process. Rather than sending an OTP that can be phished, sent to the wrong device, or intercepted, Asignio sends a time-sensitive web link for the user to authenticate with their Asignio biometrics. Even if the attacker is able to intercept the link, they will have to break Asignio’s biometric authentication to access the account.
Asignio strengthens the familiar SMS OTP process, to protect you and your customer.