Podcast Jul 29, 2020

Root Causes 109: Examining MFA Through Phone-based SMS

SMS-based one-time password (OTP) is a very commonly used form of multi-factor authentication (MFA), because it is fast and inexpensive to roll out to users. Unfortunately, it is deeply vulnerable to a set of well-defined attacks. In this episode our hosts explain why SMS MFA became so popular and how this outdated MFA scheme fails to provide the security expected by those who use it.

  • Original Broadcast Date: July 29, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We talk a lot about MFA and how MFA obviously is a big part of identification schemes in general, so it comes up a lot, and PKI matters and MFA matters intermingle a lot, and oftentimes we sort of reference in passing the concept of fundamentally insecure or untrustworthy MFA schemes that are in common use, and we don’t necessarily explain that. What’s insecure? What’s untrustworthy? And so, we thought that that would be a useful thing to do for the audience, and I think today we were gonna start with SMS-based one-time password.

  • Jason Soroko

    That’s right, Tim. Thanks. Yeah. This is really the kickoff to what will probably be a series of deep dives, deep enough that each is gonna take place within a single podcast, but we’re gonna take a look at each form of MFA and really talk about what’s good about it, maybe a little bit of the history about it, and then why there probably are problems with it, because no form of MFA is perfect. And Tim, this one that we are talking about today, which is phone-based SMS, the elephant in the room when you talk about it, and finally, finally this elephant showed up and it needed to, was the fact that it sucks.

  • Tim Callan

    Ok. That’s a broad term. Maybe we can clarify that a little.

  • Jason Soroko

    And I hate to be that blunt about it, Tim. Here’s the reason why I’ve got such a bad itch over that form of MFA. I remember years ago, and I’m talking now, my goodness, let’s just say 2010 and a little later, and the world was waking up to the fact that just passwords was a bad idea. You know. There were still people in the world that thought to themselves, you know, if I just change my passwords often enough and make them difficult to guess, I’m all good. You know. Usernames and passwords are fine. And then I was going all over the world showing people a demonstration of attacking keylogging and being able to harvest credentials in that way, showing people the hash attack and showing them that MFA of some type was important. And I think, just like me, other people were waking up to that. So, one of the simplest things was, hey, I’ve got this phone in my pocket and text messages are just so darn easy, why don’t I issue a one-time password - -

  • Tim Callan

    Text me a six-digit code that’s unique to this one usage; it’s gonna take nearly a million guesses to get that six-digit code, that’s plenty secure. Right?

  • Jason Soroko

    Well, the fact was it was a different factor in the sense that the one-time passcode was coming via something else. Now we were living in a world where we had RSA tokens, hard tokens, right? So, it’s not like that idea was new when SMS tokens were out there; it’s just that SMS was so easy.

  • Tim Callan

    Yeah.

  • Jason Soroko

    It was a replacement in a way.

  • Tim Callan

    I already own the phone. I knew that I had the phone with me. If I left the house without my RSA token in the morning, I might not realize it until it’s too late, but if I left the house without my phone, I would realize it by the time I hit the driveway and run back and get it. Right? So yeah, exactly.

  • Jason Soroko

    So here is probably my main point on that form of MFA, Tim. And that is, I remember talking to so many very smart security architects in a lot of different verticals at the time. I was really burning a lot of shoe leather going all over the world talking to people about MFA. This was a big subject for me at the time and I was writing blogs, things that were titled Not Every MFA is Created Equal. And it was because of this, right. There were at least at the time - I’m talking 2010 to 2014 era - there were at least five different ways at the time that I was able to show how a bad guy could actually take advantage of the vulnerabilities of SMS, not the least of which is the fact that there was malware on Android devices that was fundamentally able to redirect SMS. And so therefore, an SMS message could be received by the phone. That SMS message could be hidden, harvested by a bad guy, they could complete a transaction with that OTP on your behalf, and none of which would be known to you.

  • Tim Callan

    Yeah. You’d have no way to know that any of this had happened.

  • Jason Soroko

    Now when that was just described in words a lot of security architects at the time said, yeah, but it’s so much more secure than just passwords that I’m gonna just go with this.

  • Tim Callan

    Right.

  • Jason Soroko

    And, Tim, this is what happened. This is amazing. I think it was mostly in Europe because Europe really went crazy for SMS OTPs for banking transactions, for example. And your bank would send you this OTP. Well, I mean, I’ve lost count of the number of silly names that tech journalists gave all these attacks, and hundreds of millions of euros were stolen because security architects felt that that form of MFA was good enough.

  • Tim Callan

    Right.

  • Jason Soroko

    And it wasn’t. It simply wasn’t good enough. There were other forms of MFA that were good enough. They weren’t perfect. And we’re gonna go through them in a series of podcasts, but SMS is one of those forms of MFA that is below what I consider the minimum line of “is it good enough.” Is it good enough to say it’s better than username and password? And let me tell you why we absolutely have to put this one to bed, Tim. And I’m sorry if this sounds a little bit like a rant, but, you know, I think it’s important information. Now with the advent of SIM swapping, Tim, for goodness sakes, anything that’s hard coded to the phone in terms of the phone number, you simply can’t trust it.

  • Tim Callan

    So, within the last month, Jack Dorsey had his Twitter account taken over. How did it happen? SIM swapping.

  • Jason Soroko

    It’s rampant. And there doesn’t seem to be a solution to it now, and this problem has been around quite a long time. We could have a whole podcast on SIM swapping, but that’s even just one problem. That’s one problem out of perhaps ten to a dozen problems with SMS as a form of MFA, and therefore, thank goodness. When I was out on the road competing against SMS as a form of MFA, I didn’t have the benefit of NIST deprecating it. It was still on the list of MFA authenticators that were recommended by NIST, and a lot of people would point to that and say, Jay, you are overreacting. But then, guess what? NIST deprecated it, because they had to, because the evidence was mounting that this was just such a bad idea.

  • Tim Callan

    So that’s an interesting point, and this is something I’ve been meaning to bring up with you, so this is a good time. You know, NIST did, in fact, very clearly say that this is not a secure form of multifactor authentication, and yet, obviously, it’s still in widespread use. So, what - I don’t know how to put this. How much, I guess, value is there to NIST saying something like that if it doesn’t seem to change behavior?

  • Jason Soroko

    Well, I can tell you from me personally it at least gave me something to point to. At the very, very least, people like me who, I mean, I had done a lot of thinking about this, and myself amongst others - I was not the only voice saying this - but it was dangerous. It was dangerous for a major guidance organization like NIST, where people just trust them. If that’s on the list of MFAs that are recommended, then because of how cheap and cheerful and easy it is, a lot of security architects are just gonna choose it.

  • Tim Callan

    Sure. You could say if you’re an IT professional at a medium-sized organization and you are a company of a few hundred people, you might say, I am never gonna put the same amount of research into this that NIST is going to. I’m never gonna have the same level of resourcing to commit to this question that NIST is going to, so I’m gonna look at the NIST recommendations and I’m gonna assume that they are better than what I’m gonna come up with on my own and act on that. And under those circumstances, yeah, if it’s sitting there you could see someone choosing it. And then so, ok, so it’s deprecated today but people are still using it. Is this just cause they didn’t get the memo?

  • Jason Soroko

    I think, Tim, in terms of greenfield implementations, there are now so many forms of MFA that are so much better, and as I said, we are gonna get into all of those in future podcasts and the reasons why they are better. I would say it’s probably not common in greenfield implementations.

  • Tim Callan

    Right.

  • Jason Soroko

    But it is, or was, common in a lot of infrastructure that just isn’t gonna go away anytime soon.

  • Tim Callan

    What about vendors? What if you are a vendor and you want to offer this as an option for your end customers? You want to give them MFA options. If your customers are asking you for SMS-based MFA as an option, should you just say no?

  • Jason Soroko

    I think you should say no, because there are now alternatives that are - - you know, if what you are trying to protect isn’t money. If what you are trying to protect isn’t extremely important and it’s a low risk because it’s low value, and you need a very low-cost authenticator or an easy authenticator, those authenticators exist, and again, we are gonna get into what those are. What are the, you know, “I just need something MFA” type of authenticators. Those exist.

  • Tim Callan

    And this is a real-world security decision, and this is something we must acknowledge, right, which is that not every system in the world is going to be hardened, or deserves to be hardened, against everything. If I’m a small business and the stakes are very low, I might say, look, if Cozy Bear wants to come attack me, Cozy Bear is gonna win, cause I’m just not as good as Cozy Bear, but I’m not worth Cozy Bear’s time. Right? And so, you set your standards for what you need to protect against based on your realistic potential problems. And I can see that, and under those circumstances, to your point, you might say, you know what, implementing this real rigorous, difficult, expensive MFA process that’s hard on my users, I don’t deserve that. Ok, fine, but you are saying there’s better ways to do it that aren’t more expensive or more difficult or more onerous than SMS-based authentication, and yet they’re definitely more secure.

  • Jason Soroko

    Exactly, Tim. For example, if you are protecting banking transactions - this is the biggest bugbear I have with SMS. It was a lot of European banks that chose SMS just because, hey, they have a lot of banking customers and they needed to do something because usernames and passwords were being harvested left and right, so therefore, let’s just go to the easiest, cheapest thing. And that was SMS.

  • Tim Callan

    It’s more, right? It’s more than it was. Sure.

  • Jason Soroko

    And guess what? They got hosed, Tim. They did not jump high enough. And now, that was back then. That was back then, when perhaps there weren’t a lot of options for them. Maybe that was the excuse, but that excuse no longer exists.

  • Tim Callan

    Right. And the other thing I think to be cautious of, to your point about them not all being made equal, is I think there’s a risk that in somebody’s mind or on somebody’s checklist there’s now a checkmark in that box and therefore it’s considered to be handled, as opposed to warranting more attention and scrutiny to decide if it’s really handled.

  • Jason Soroko

    That’s a really good point, Tim, where checkbox auditing, if that form of governance is your way of thinking through security, I can definitely see how you would have gotten into trouble with SMS. Therefore, if you are doing some sort of greenfield project that requires authentication, I would even question the whole idea of MFA, Tim, and that’s maybe where we can round out this podcast today, is just to talk a little bit about the future and just show how far things have gone.

  • Tim Callan

    Sure.

  • Jason Soroko

    That is, why, in a greenfield scenario, Tim, would you even consider passwords in the first place? In other words, MFA is all about adding to passwords, because passwords are just useless as a security mechanism. They are not a secret anymore. They’re not a secret at all. If you don’t consider them a secret, you need MFA, and then MFA is the way to complete the authentication. Well, if that’s all true, if you accept that, why, in any greenfield scenario where you are building a new application, would you use passwords at all, and therefore, why are you using MFA with a password? There are new ways of doing things.

  • Tim Callan

    That’s interesting. I think that’s its own podcast. Let’s just leave that as a teaser for the listeners. Listeners, there will be a time when we come back and we expand on that last sentence Jay just made, and we will talk about what that new way of doing things needs to look like instead. But maybe this is a good place to leave it for today.

  • Jason Soroko

    Yeah.

  • Tim Callan

    Jason, always a pleasure to talk to you. Thank you very much.

  • Jason Soroko

    Always, Tim.

  • Tim Callan

    And thank you listeners, this has been Root Causes.