SIM swapping: Researchers name and shame the SMS 2FA FAILs

Richi Jennings Industry analyst and editor, RJAssociates

Repeat after me: An SMS challenge is not proof of identity. It’s far too easy for a hacker to take over a number or intercept SMS traffic.

SIM swapping and SS7 spoofing are real and present dangers. They make cellphones into weak-as-kitten second factors and useless for password resets.

Unfortunately, PayPal and its Venmo subsidiary still rely on SMS, despite being told again and again. In this week’s Security Blogwatch, we’re as mad as hell and we can’t take it anymore.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Inspirational granny.

SMS MFA: 1FA

What’s the craic? Lorenzo Franceschi-Bicchierai reports—Some companies still haven’t fixed systems that make it easy for hackers to take over accounts:

Several major apps and websites … have a flaw that lets hackers easily take over users’ accounts. … If a hacker takes control of a victim’s cellphone number via a common and tragically easy to perform hack known as SIM swapping, they can then hack into the victim’s online accounts.

Last week, two months after their initial outreach to the [17] companies to report this flaw in their authentication mechanisms … Princeton researchers checked again to see if the companies had fixed the problem. Some … have plugged the hole. Others have yet to do it.

Paypal and Venmo, given that they are apps that allow users to exchange money and are linked to bank accounts or credit cards, may be the most glaring examples. … Venmo is owned by Paypal, neither … responded to multiple requests for comment.

Who are these researchers? Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan say it’s dysfunctional:

In January, we released a study showing the ease of SIM swaps at five U.S. prepaid carriers. … We also uncovered 17 websites that use SMS-based … MFA and SMS-based password recovery simultaneously, leaving accounts open to takeover from a SIM swap alone.

We responsibly disclosed the vulnerabilities to those websites in early January. … Sixty days after our reports, we re-tested … except for those that reported that they had fixed the vulnerabilities.

9 … remain vulnerable by default: … Amazon … AOL … Finnair … Gaijin Entertainment … Mailchimp … PayPal … Venmo … WordPress.com … Yahoo.

Companies need to realize that policy-related vulnerabilities are very real, and should use threat modeling to detect these. There seems to be a general lack of knowledge about vulnerabilities arising from weak authentication.

Huh? Matt Elliott explains like I’m 5 (or 65)—Do you use SMS for two-factor authentication? Here's why you shouldn't:

You would be wise … to use two-factor authentication to protect your personal information and online accounts. … You'd be wiser still to use an authentication app rather than receiving codes through text, also known as SMS.

Two-factor authentication (2FA) … adds a layer of security to your online accounts. … Instead of entering only your password to access an account, you need to enter your password … and then a code sent via SMS or … through an authentication app. … This means a hacker would need to steal both your password and your phone to break into your account.

[But] hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. … Then there are the weaknesses in the [SS7] telecom system itself. … A hacker can spy via the cell phone system, listening to calls, intercepting text messages and seeing the location of your phone.

Once a hacker has redirected your phone number, they no longer need your physical phone. … At best, getting hacked is a hassle. More often, it's a mix of anger, pain, loss and confusion.

But isn’t it the services’ fault, for relying on carriers? onyxruby seems to think so:

At this point using a phone number as your second factor is bound to get someone sued for negligence before long. If memory serves, that already happened with some of the Bitcoin wallet heists.

Memory did serve. But the carriers are trying to wriggle out of it, reports Paddy Baker—AT&T Files for Dismissal in $24M Phone Hack Case:

U.S. mobile operator AT&T hopes to dismiss crypto investor Mike Terpin's amended case over a SIM-swap hack. … Terpin first accused AT&T of civil negligence in August 2018, alleging an employee had been bribed by a criminal gang to pass over control of his SIM card.

He is suing AT&T for $23.8 million in compensation, as well as $200 million in punitive damages. … Last December, in a separate case, AT&T filed a motion for dismissal against another crypto executive who had fallen victim to a similar phone hack, claiming the case had "critical holes."

The even bigger issue is when services use SMS for account recovery—raymorris worms his way into our narrative: [You’re fired—Ed.]

The big problem here is … once you can get the SMS, you don't need the password. You can use the SMS to reset the password. So the SMS becomes the ONLY factor, not the second.

Starting with strong passphrases first, depending on the security needs of the system I'm fine with also requiring SMS as the second factor. … For logging into Charles Schwab, where you have your life savings, I'd want two strong factors.
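The researchers' finding above (SMS used for both MFA and password recovery, so a SIM swap alone suffices) and raymorris's point that SMS then becomes the only factor are the same policy bug, and it is the kind of thing the researchers say threat modeling should catch. The following is an added illustration, not code from the article, the Princeton study, or any of the companies named: a small policy checker that models an account's login factors and recovery channels and asks which single channel, if taken over, yields a full account takeover. The site names, the `AuthPolicy` fields and the `recovery_resets_mfa` flag are assumptions made for the example.

```python
from dataclasses import dataclass

# A single site's authentication policy, reduced to the parts that matter
# for the "one channel controls everything" failure. Hypothetical model.
@dataclass(frozen=True)
class AuthPolicy:
    name: str
    mfa_channels: frozenset      # second-factor options offered at login, e.g. {"sms", "totp"}
    recovery_channels: frozenset # channels that can reset the password on their own
    mfa_required: bool = True    # False means the password alone logs you in
    recovery_resets_mfa: bool = False  # does password recovery also clear/reset MFA?


def single_channel_takeover(policy: AuthPolicy, channel: str) -> bool:
    """True if an attacker who controls ONLY `channel` (for example "sms" after a
    SIM swap) can log into the account, assuming they know no password."""
    # Step 1: without the password there is nothing to do; recovery is the
    # only way in for an attacker holding just a channel.
    if channel not in policy.recovery_channels:
        return False
    # Step 2: the password is now attacker-chosen. If no second factor is
    # enforced, the channel was the only factor all along.
    if not policy.mfa_required:
        return True
    # Step 3: recovery flows that also reset MFA hand over the second factor.
    if policy.recovery_resets_mfa:
        return True
    # Step 4: otherwise the attacker needs the second factor itself; the
    # site lets the user pick any offered option, so the weakest one counts.
    return channel in policy.mfa_channels


def audit(policies: list[AuthPolicy], channels=("sms", "email", "totp", "u2f")) -> dict[str, list[str]]:
    """Map each policy name to the list of channels that alone grant takeover."""
    return {
        p.name: [c for c in channels if single_channel_takeover(p, c)]
        for p in policies
    }


# Constructed sample policies (not real sites) covering the patterns in the article.
SMS_FOR_EVERYTHING = AuthPolicy(
    "example-wallet", frozenset({"sms"}), frozenset({"sms"}))
TOTP_MFA_SMS_RECOVERY = AuthPolicy(
    "example-broker", frozenset({"totp"}), frozenset({"sms", "email"}))
RECOVERY_CLEARS_MFA = AuthPolicy(
    "example-mailer", frozenset({"totp", "sms"}), frozenset({"sms"}), recovery_resets_mfa=True)
PASSWORD_ONLY_EMAIL_RESET = AuthPolicy(
    "example-forum", frozenset(), frozenset({"email"}), mfa_required=False)
U2F_ONLY = AuthPolicy(
    "example-bank", frozenset({"u2f"}), frozenset({"email"}))

SAMPLE_POLICIES = [SMS_FOR_EVERYTHING, TOTP_MFA_SMS_RECOVERY,
                   RECOVERY_CLEARS_MFA, PASSWORD_ONLY_EMAIL_RESET, U2F_ONLY]


if __name__ == "__main__":
    for name, weak in audit(SAMPLE_POLICIES).items():
        verdict = "single-channel takeover via " + ", ".join(weak) if weak else "no single channel suffices"
        print(f"{name:16s} {verdict}")
```

Reading the output: a site is "SMS-only" in the researchers' sense when `"sms"` shows up in its list. Note that `example-broker` survives a SIM swap only because its recovery flow does not reset the TOTP factor; flip `recovery_resets_mfa` and it fails the same way, which is why the recovery path has to be in the threat model, not just the login screen.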

Insecure banking! Whatever next? zxcvbn4038 says it’s not just PayPal:

CapitalOne is even worse. They locked me out of their app today and asked to send an SMS code – and they let you pick which number to send it to on the spot. Good one fellas.

What is the point of having Touch ID and their dumb Swift ID stuff set up if they keep doing dumb stuff like this? … Too bad there is no Tony for security theater.

PayPal is the worst - a couple days ago they disabled my password (including both 2FAs) and sent me an e-mail asking me to reset it. The only way to reset it is via SMS. … What I love is when they refuse to help you except by talking on the phone. As if somehow my speaking to someone who has never met me and is completely unfamiliar with my voice is more secure.

Robinhood impressed me by supporting both strong passwords AND 2FA with Google Auth. They haven't rolled out cash management accounts yet but I think they will be my financial center once they do.

What other services do it right? Sebby offers this 2FA PSA:

Use twofactorauth.org to see which services provide proper auth support and where to look up the instructions for enabling it for each service.

Is there a silver lining? jjoonathan is on cloud nine:

If we can channel the fear of SIM swaps into U2F adoption, I think it actually stands a chance.

U2F can't spread fast enough. For about a year or so it's been good enough that almost all U2F keys Just Work on all major browsers / platforms without installation or tweaks. That's huge.

The next big hurdles are getting support from e.g. banks, getting keys into peoples' hands, and getting people familiar with them. Those efforts are underway in the corporate world and I am optimistic that they will cross-pollinate.

The moral of the story?

I can’t put it better than exabrial, who sums up this call to action:

Please work to remove this antipattern from your products. … It's not better than nothing, it's worse than nothing.

And finally

#inspirational: An isolated Grandma reads to her great-grandchildren


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Grey World (cc:by)
