Opinion: SMS mobile phone authentication under threat

The more likely threats facing two factor authentication have been ignored. Why?

While the recent attack against RSA has caused many to question the RSA two factor solution, most people have ignored the more practical and more likely threats facing two factor authentication today.

One of the most common uses of two factor authentication outside of the RSA solution is SMS based two factor authentication.

This is a very widely adopted solution deployed by many institutions. Commonwealth Bank of Australia, through its NetBank platform, is one of the most publicly recognised early adopters. Most of these early adopters did so in an era when the concept of a "smartphone" was still in its infancy, with the Blackberry the only real model of its kind and largely a toy in the hands of IT executives. It was also done to keep the cost of issuing tokens to an absolute minimum. They realised that tokens were not cheap, and that if consumers had to pay full price for them out of their own pockets, they probably wouldn't, despite the greater security. So the de-facto 'solution' became to use customers' mobile phones to transmit the token.

While not as secure as carrying a dedicated token, mobile phones were largely not used for Internet banking at the time, so they were considered 'secure enough'. The problem with this approach today is that the mobile phone is no longer an out of band channel. As society grows increasingly reliant on mobile phones as personal computing devices, they are likely to become the greater target for cybercriminals. Even though the mobile phone was never a fully out of band channel, the threat landscape is changing, which means that SMS based two factor authentication is increasingly under threat.

Bruce Schneier commented in 2009 on attacks involving trojans designed to 'piggyback' the user's authenticated session, and likewise on 'man-in-the-middle' attacks used to intercept the tokens - and prior to that in 2005. So these attacks are not new. Australians have already seen examples where criminals were able to steal the personal information of registered Internet banking users, request a redirect of their mobile phone number, use that information to reset the password, receive the token and then drain bank accounts undetected by the account holder. While these attacks are highly sophisticated and still far from normal, they do occur and will continue to grow in number as users become even more mobile and demand more services.

Solutions to future attacks against two factor authentication must address the challenges of insecure networks and insecure platforms, while being able to ensure that it is the transaction that is authenticated and not just the user. Most importantly, tokens must be issued over an out of band channel and must be tied to something that the user "has". Smartcards, One Time Pads (OTPs) and other, more innovative solutions abound. However, should adopters still wish to use mobiles to issue tokens, they must address the fact that the tokens are being sent over an insecure channel and, where possible, defeat replay attacks.


Jarrod Loidl is an information security consultant with seven years industry experience. He has worked in a number of different verticals such as education, gaming, advertising, financial services, professional services, not-for-profit and healthcare. His specialities are security management, risk and architecture. He runs his own blog at http://jarrodloidl.blogspot.com and can be found on twitter as @jloidl.

The views in this article represent his own and not that of his employer.
