Hackers learn to hurdle two-factor authentication
For years, cyber security experts have been urging users to add a second layer of authentication to their accounts, often a code sent by text message to their phone.
But determined hackers are now able to hurdle this extra measure by spoofing your SIM card, intercepting the unencrypted message as it is sent over the network or trying to steal databases filled with information about mobile accounts from telecoms operators.
Last year, there were reports of cyber criminals draining bank accounts in Germany after hacking the routing system to redirect text messages. The hackers obtained users’ passwords by sending phishing emails and then exploited a vulnerability in the signalling network used by different telecoms operators to connect calls and messages.
In the US, T-Mobile notified hundreds of customers in October that criminals were trying to hijack their SIM cards. The hackers had taken advantage of a bug on T-Mobile’s website that allowed them to access users’ personal details, and wanted to use those details to impersonate the customers and obtain a copy of their SIM cards.
Rashmi Knowles, EMEA chief technology officer for RSA Security, a cyber security company, believes using SMS is less secure than other forms of second-factor authentication, such as physical tokens or authenticator apps on smartphones. “The two-factor authentication we are all familiar with is meant to be something you have and something you know,” she says.
The first factor, a password, is what you have in your head. The second factor is meant to be what you have in your device. But SMS does not quite work like that as it is sent from a network to the phone, giving a hacker an opportunity to capture it.
One popular hacker technique involves “socially engineering”, in other words, persuading call centre or shop staff at telecoms operators to give them an identical SIM. They often pretend to have lost their phone. The victim can learn about this quite quickly, as their service is cut off. Other tactics are more high-tech. Ms Knowles warns that devices called stingrays can be bought online and set up anywhere mimicking mobile phone towers and capturing data from nearby phones.
Andrew Blaich, a senior security researcher at Lookout, a mobile security company, warns that SMS messages are never encrypted. “Sending sensitive information over standard text messages is not a great idea,” he says.
But the attacks still tend to be targeted, as the hacker must already have the victim’s phone number and the first password they use to access their account. Nation-state actors may target political opponents, or financially motivated criminals could target wealthy individuals. For many people who might only be caught up in mass data breaches, two-factor authentication by text message will make their accounts more secure.
Companies are introducing alternatives to SMS authentication for employees and customers. A hardware token is a thing you have, and it does not send information over a telecoms network. Authenticator apps run on your phone, but they do not depend on the SIM card and their codes are not randomly generated: they are derived from a seed that is linked with your identity. When you set up the app, an initial secret key, or seed, is generated and stored that is personal to you. Each time you log in, that seed is combined with the current time and date to produce the code, so nothing has to be sent to the phone.
Other sites are exploring biometric second-factor authentication, from banks asking customers to take a selfie for facial recognition to software that studies behavioural biometrics, such as how you use a mouse, in case your online banking session is hijacked.
Google recently launched Advanced Protection, a programme designed to give an extra layer of security to the accounts of those most at risk of targeted attacks: journalists, activists, business leaders and political campaign teams. Mark Risher, director of product management for counter-abuse and identity services at Google, says anyone can sign up and get the two security keys to protect their Gmail accounts. “You know your life better than we do,” he says, adding that anyone who thinks they could be disproportionately under threat should sign up.
Owners of large stashes of cryptocurrency, who may make their bitcoin wealth known on social media, have been targets, he says. “Attackers have a very clear payout at the end of the rainbow so there is sufficient motivation to target people,” he adds.
One advantage of the Google system is that it does not rely on the user to spot whether the website into which they are entering their details is fake. The key can tell if it is not getting the right message back.
Google also uses machine learning to “stitch together subtle anomalies and deviations from the norm” that go beyond the factors that are often considered, such as where you are logging in from and at what time of day.
Mr Risher says Google is not just focused on the “front door” but also how you behave when you get in. If you log in from a different device from normal and start behaving unusually, you may be shut out. Authentication is moving beyond brute barriers.