Opinion: SMS mobile phone authentication under threat
14 July, 2011 21:29
While the recent attack against RSA has caused many to question the RSA two factor solution, most people have ignored the more practical and more likely threats facing two factor authentication today.
One of the most common uses of two factor authentication outside of the RSA solution is SMS based two factor authentication.
This is a very widely adopted solution deployed by many institutions. Commonwealth Bank of Australia, through its NetBank platform, is one of the most publicly recognised early adopters. Most of these early adopters did so in an era when the concept of a "smartphone" was still in its infancy, with the BlackBerry the only real model of its kind and largely a toy in the hands of IT executives. It was also done to keep the cost of issuing tokens to an absolute minimum. They realised that tokens were not cheap, and that if consumers had to pay full price for them out of their own pockets, they probably wouldn't, despite the greater security. So the de facto 'solution' became to use customers' mobile phones to transmit the token.
While not as secure as carrying a token, it was considered 'secure enough', since mobile phones were largely not used for Internet banking at the time. The problem with this approach today is that the mobile phone is no longer an out of band channel. As society grows increasingly reliant on mobile phones as personal computing devices, they are likely to become the greater target for cybercriminals. Even though the mobile phone was never a fully out of band channel, the threat landscape is changing, which means that SMS based two factor authentication is increasingly under threat.
Bruce Schneier commented in 2009 on attacks involving trojans designed to 'piggyback' the user's authenticated session, and likewise on 'man-in-the-middle' attacks used to intercept the tokens - and prior to that in 2005. So these attacks are not new. Australians have already seen examples where criminals were able to steal the personal information of registered Internet banking users, request a redirect of their mobile phone number, use that information to reset their password, receive their token and then use the phone number to drain bank accounts undetected by the account holder. While these attacks are highly sophisticated and still far from normal, they do occur and will continue to grow in number as users become even more mobile and demand more services.
Solutions to future attacks against two factor authentication must address the challenges of insecure networks and insecure platforms, while ensuring that it is the transaction that is authenticated and not just the user. Most importantly, tokens must be issued over an out of band channel and must be tied to something that the user "has". Smartcards, One Time Pads (OTPs) and other, more innovative solutions abound. However, should adopters still wish to use mobiles to issue tokens, they must address the fact that the tokens are being sent over an insecure channel and, where possible, defeat replay attacks.
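The two requirements above, authenticating the transaction rather than the user and defeating replay, can be illustrated in server-side code. The following is an added example, not code from the article or from any bank's system: it derives each code as an HMAC over the transaction details (account, amount, destination) plus a per-issue nonce, so a code captured in transit is useless for any transaction other than the one the customer saw, and it burns each code on first use so a replayed code is rejected. The server key, the in-memory store, the time-to-live, the attempt limit and the sample transaction are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret. A real deployment would keep this in an HSM or KMS.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory store of issued codes: code_id -> record.
_issued = {}

CODE_TTL_SECONDS = 300   # assumed validity window
CODE_DIGITS = 8          # assumed code length
MAX_ATTEMPTS = 3         # assumed guess limit per issued code


def _binding(transaction):
    """Canonical byte string of the transaction fields the code is bound to."""
    fields = ("account", "amount_cents", "destination")
    return "|".join(str(transaction[k]) for k in fields).encode()


def _derive(nonce, transaction):
    """Truncated HMAC over nonce || transaction details, rendered as decimal digits."""
    mac = hmac.new(SERVER_KEY, nonce + b"\x00" + _binding(transaction), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def issue_code(transaction, now=None):
    """Create a single-use code bound to one transaction.

    Returns (code_id, code, message). The message is what would be sent to the
    customer; it repeats the amount and destination so a tampered transaction
    is visible to the person holding the phone.
    """
    now = time.time() if now is None else now
    code_id = secrets.token_hex(8)
    nonce = secrets.token_bytes(16)
    code = _derive(nonce, transaction)
    _issued[code_id] = {"nonce": nonce, "issued_at": now, "spent": False, "attempts": 0}
    message = (f"Code {code} authorises ${transaction['amount_cents'] / 100:.2f} "
               f"to {transaction['destination']}")
    return code_id, code, message


def verify_code(code_id, submitted_code, transaction, now=None):
    """Return (ok, reason). Rejects unknown, spent, expired, guessed-out or re-bound codes."""
    now = time.time() if now is None else now
    rec = _issued.get(code_id)
    if rec is None:
        return False, "unknown"
    if rec["spent"]:
        return False, "spent"           # replay of a used code, or a locked code
    if now - rec["issued_at"] > CODE_TTL_SECONDS:
        rec["spent"] = True
        return False, "expired"
    # Recompute against the transaction the server is about to execute. If a
    # man-in-the-middle changed the destination or amount after the SMS was
    # sent, the expected code no longer matches what the customer received.
    expected = _derive(rec["nonce"], transaction)
    if not hmac.compare_digest(expected, str(submitted_code)):
        rec["attempts"] += 1
        if rec["attempts"] >= MAX_ATTEMPTS:
            rec["spent"] = True          # stop online guessing of the digits
            return False, "locked"
        return False, "mismatch"
    rec["spent"] = True                  # burn the code: a second use fails
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample transaction.
    tx = {"account": "12-3456", "amount_cents": 150000, "destination": "BSB 062-000 / 1234 5678"}
    cid, code, msg = issue_code(tx)
    print(msg)
    print(verify_code(cid, code, tx))     # first use is accepted
    print(verify_code(cid, code, tx))     # replay is rejected
```

The important design choice is that the server never stores or compares the bare code against a stored copy; it recomputes the code from the transaction it is about to execute, so the binding to amount and destination is enforced by the cryptography rather than by a separate equality check that could be skipped.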
Jarrod Loidl is an information security consultant with seven years' industry experience. He has worked in a number of different verticals such as education, gaming, advertising, financial services, professional services, not-for-profit and healthcare. His specialities are security management, risk and architecture. He runs his own blog at http://jarrodloidl.blogspot.com and can be found on Twitter as @jloidl.
The views in this article represent his own and not that of his employer.