One-time-passwords and push codes are not as secure as you think!
Posted on 08.05.2020 at 18:09
By Pavel Melnichenko, CTO, Airome | Wednesday, May 6, 2020, 2:12 PM Asia/Singapore
Using one-time-passwords via SMS and push notifications to confirm financial transactions is not a good idea.
Using an SMS notification as a second authentication factor is familiar to most people. Moreover, many digital services use this authentication method for secure transactions such as restoring log-in access, approving some actions, confirming device linking and so on.
If you link your mobile phone number to all of the daily essential digital services like email, Google account, Apple ID account, Facebook, Twitter and so on, your SIM card becomes a “key to your life”. Actually, it is ok if your SIM card is just used to access your photos and tweets. It is not that interesting for any malicious person to steal your Facebook account (unless you are a celebrity).
But when SMSs are used to manage your money movements—it gets more interesting. To make it clear, a modern ‘hacker’ is not a lone person in big glasses. Hacking is a structured high-tech criminal business with top managers, brain centers, performers, informers and so on. The main goal of this business (as for all businesses) is to earn money and grow.
‘Hacking’ managers do understand that ‘real money’ is held in banks. Indeed, a bank’s customers have remote access to manage and transfer money from one account to another. So, these hackers just need an instrument to gain access on behalf of a legal customer. It is here that they face security controls.
Let us imagine that a group of hackers have obtained (from somewhere) the requisite details to access a customer’s account. It can be payment card details, logins, passwords for remote banking, or an account from a FinTech service—does not matter. To transfer money they need to pass a second authentication factor. If a bank or a FinTech service provides services using SMS or push codes, then they need to catch it…
Three major scenarios of how an SMS code can be intercepted
Let us see how a security code sent by SMS messaging can be intercepted and delivered to the hackers:
- Technical mechanisms
This is classical hacking: hacker groups create viruses and malware to trap the message. Such malware will be delivered to customer devices via spam, infected sites, fake applications repositories, keygens, activators, ‘hacked’ paid software and so on. After it is installed on a customer’s smartphone this malware can have access to the victim’s SMS content.
You may be surprised; it is not rocket science to access SMS content on an Android smartphone. Android has standardized mechanisms for each application to read incoming SMS messages. The question here is, what does an application do with this content? It can be used to simplify a user’s life (for example, to analyze user activities) or to steal confirmation codes sent by a bank. - Technology mechanisms
When we talk about SMS, we are talking about a technology invented in the 1970s. The world was different; security risks were different. It is funny when you realize that profitable SMS security threats originated in 2017, as soon as they became the de-facto standard as a second authentication factor. Today, you can use equipment that costs about US$1500 to intercept any SMS in the world. It became possible after independent researchers found a vulnerability in the SS7 protocol. This protocol is used to transfer SMS messages. By the way, one big German bank was hit by this type of attack. You can find information about this incident too. - Social mechanisms
In this block, there are two major techniques: SIM swapping and social engineering.
SIM swappingworks in a very simple way. A malicious person, usually with the help of an accomplice in a mobile network operator, replaces a sim card with another one with the same phone number. That is all. After this manipulation the “key to your life” is in the malicious person’s hands.
Yes, the victim will figure out that their sim card was changed. However, 10 minutes is enough to reset access to all your digital services and to transfer all your money from your bank account. Of course, the mobile network operator can inform the bank when a sim card is changed. This service is called “IMSI check”. It costs money. Not that many banks want to pay for customer risks.
Social engineering is about conversing with a customer. When a malicious person calls a customer and says something like “Hello, this is the security service of your bank. Have you created this suspicious transaction to transfer all of your money? No? Ok, to decline this, please tell me the one-time-password in the SMS message you just received”.
You can imagine what will happen as soon as the customer dictates the code. There are many social engineering techniques. We are aware of cases when a customer transferred all of their money via ATM by hand, without any codes. But the point is, when a customer has something to dictate—it will be dictated to the malicious person.
So these are the three main avenues whereby SMS data can be intercepted by hackers. SMS messages are not secure ‘by design’.
We also need to understand that a part of each stolen dollar (or rupiah, or baht, or yen, or won, or ringgit) will be spent on developing these mechanisms: creating more advanced malware, sending more spam, implementing SS7 interception within different ingress points, hiring psychologists for social engineering scripts and so on.
Legalities of SMS 2FA
In most of the cases we have seen, a one-time-password is not linked to the transaction’s details. This means that you can use a password for one transaction to confirm another transaction. You, as a customer, cannot prove that you confirmed a transfer of “$10 to Alice”, but not “$1000 to Eva”. This can be a big problem.
At the same time, you, as a customer, can go to your bank and ask them to “return your money for this particular fraudulent transaction”. If they ask why, you can tell them “I have not confirmed this operation, you did this instead of me, because you knew the confirmation code before me, you created it. And the mobile network operator knew. And the SMS message aggregator knew. I received this code but did not input it anywhere. Prove me wrong”.
These two scenarios mean that SMS one-time-passwords (OTP) are contestable evidence from a legal point of view.
What about push codes?
Push codes are sent via the internet, not mobile networks. One can think that, theoretically, they are more secure on a mobile phone. Actually, not really.
- Technical mechanisms
Stealing push notifications from smartphones is as easy as with SMS messages. - Technology mechanisms
Push notifications are sent through the mobile platforms—usually Google or Apple. If you read the developer’s agreement from Google and Apple carefully you can find that they severely restrict sending of confidential information “including bank passwords” via push notifications. This means that push content, like SMS messages, will be known by third parties. - Social mechanisms
Push codes can be dictated as easily as SMS messages. No difference. But, push has one advantage – SIM swapping cannot be done.
From the legal point of view, there is no difference between SMS messages and push codes. Accordingly, the security level of these two technologies is the same.
To conclude, I would like to share with you the results of our technical experiment.
We put ourselves in the hackers’ shoes and tried to create a malware for Android to steal SMS messages and push notifications. It took about 1 hour and 30 minutes to create a complete solution: the malware for Android, a server to receive stolen notifications, and a UI to read them on the server’s side.
No antivirus or behavior analysis applications detected this malware. We successfully stole a few bucks from my personal VISA account using the 3D-Secure transaction process. The first time around, a confirmation code was sent by push, the second time by an SMS message. We demonstrated a video of this experiment on one of our webinars, and are ready to explain how the solution works.
I would like to warn all readers against using SMS or push messages when it comes to confirming any financial transactions. From a security point of view, this is not a good idea. In 2020, there are better solutions to accommodate our security needs.