Why SMS and push codes are not secure
Posted on 12.05.2020 at 09:49
By Pavel Melnichenko, CTO
In previous blog posts, we often said that using one-time-passwords via SMS and push notifications to confirm financial transactions is not a good idea. In this blog, I would like to spend some time on this particular topic and answer the question–“why these “classic” transaction confirmation methods are not secure?”.
Using an SMS as a second authentication factor is familiar to most people. Moreover, many digital services use this authentication method for use cases like restoring access, approving some actions, confirming device linking and so on.
If you link your mobile phone number to all of the daily used digital services like email, Google account, Apple ID account, Facebook, Twitter and so on, your SIM card becomes a “key to your life”.
Actually, it’s ok if your SIM card is just used to access your photos and tweets. It’s not that interesting for any malicious person to steal your Facebook account (unless you’re a celebrity). But when SMSs are used to manage your money movements – it gets more interesting.
To make it clear, a modern “hacker” is not a lone person in big glasses. “Hacking” is a structured high tech criminal business with top managers, brain centers, performers, informers and so on. The main goal of this business (as for all businesses) is to earn money and grow.
“Hacking” managers do understand that “real money” is held in banks. Indeed, a bank’s customers have remote access to manage and transfer money from one account to another. So, these hackers just need an instrument to gain access on behalf of a legal customer. It’s here that they face security controls.
Let’s imagine that a group of hackers got (from somewhere) the requisites to access a customer’s account. It can be payment card details, logins, passwords for remote banking, or an account from a FinTech service – does not matter. To transfer money they need to pass a second authentication factor. If a bank or a FinTech service provides services using SMS or push codes, then they need to catch it.
Three major scenarios of how an SMS code can be intercepted
Let’s see how an SMS code can be intercepted and delivered to the “hackers” performers.
- Technical mechanism
This is classical hacking, hacker groups create viruses and malware. This malware will be delivered to customer devices with spam, infected sites, fake applications repositories, keygens, activators, “hacked” paid software and so on.
After installing on a customer’s smartphone (especially Android based) this malware has access to the victim’s SMS content.
You may be surprised; it’s not rocket science to access SMS content on an Android smartphone. Android has standardized mechanisms for each application to read incoming SMS messages. The question here is – what does an application do with this content? It can be used to simplify a user’s life (for example, to analyze user activities) or to steal confirmation codes sent by a bank.
- Technological mechanisms
When we talk about SMS, we are talking about a technology invented in the 1970s. The world was different; security risks were different. It’s funny when you realize that profitable SMS security threats originated in 2017, as soon as they became the de-facto standard as a second authentication factor. Today, you can use equipment that costs about $1500 to intercept any SMS in the world. It became possible after independent researchers found a vulnerability in the SS7 protocol. This protocol is used to transfer SMS messages. You can find detailed information by googling “SS7 attack”.
By the way, one big German bank was hit by this type of attack. You can find information about this incident too.
- Social mechanisms
In this block, there are two major techniques: SIM swapping and social engineering.
- SIM swapping works in a very simple way. A malicious person, usually with the help of an accomplice in a mobile network operator, changes a sim card to a new one with the same phone number. That is all. After this manipulation the “key to your life” is in the malicious person’s
Yes, the customer will figure out that their sim card was changed. However, 10 minutes is enough to reset access to all your digital services and to transfer all your money from your bank account.
Of course, the mobile network operator can inform the bank when a sim card is changed. This service is called “IMSI check”. It costs money. Not that many banks want to pay for customer risks.
- Social engineering is about conversing with a customer. When a malicious person calls a customer and says something like “Hello, this is the security service of your bank. Have you created this suspicious transaction to transfer all of your money? No? Ok, to decline this, please tell me the one-time-password in the SMS message you just received”. You can imagine what will happen as soon as the customer dictates the code. There are many social engineering techniques. We are aware of cases when a customer transferred all of their money via ATM by hand, without any codes. But the point is, when a customer has something to dictate – it will be dictated to the malicious person.
Ok, we briefly and very superficially described how confirmation codes can be intercepted by “hackers”. We need to understand that a part of each stolen dollar (or rupiah, or baht, or yen, or won, or ringgit) will be spent on developing these mechanisms: creating more advanced malware, sending more spam, implementing SS7 interception within different ingress points, hiring psychologists for social engineering scripts and so on. SMS messages are not secure “by design”.
The Juridical side of OTP SMS message:
A few more things I want to mention are about juridical viewpoints.
- In most cases we’ve seen, a one-time-password is not linked to the transaction’s details. This means that you can use a password for one transaction to confirm another transaction. You, as a customer, cannot prove that you confirmed a transfer of “$10 to Alice”, but not “$1000 to Eva”. It can be a big problem.
- At the same time, you, as a customer, can go to your bank and ask them to “return your money for this particular transaction”. If they say “why?”, you can tell them “I have not confirmed this operation, you did this instead of me, because you knew the confirmation code before me, you created it. And the mobile network operator knew. And the SMS message aggregator knew. I received this code but did not input it anywhere. Prove me wrong”.
This means that SMS message codes are not secure from a juridical point of view too.
What about push codes?
Push codes are sent via the internet, not mobile networks. One can think that, theoretically, they are better secured on a mobile phone. Actually, not really.
- Techniques. Stealing push notifications from smartphones is as easy as SMS message.
- Technology. Push notifications are sent through the mobile platform’s holder – usually Google or Apple. If you read the developer’s agreement from Google and Apple carefully you can find that they severely restrict sending confidential information “including bank passwords” via push notifications. This means that push content, like SMS messages, will be known by third parties.
- Social. Push codes can be dictated as easily as SMS messages. No difference. But, push has one advantage – SIM swapping cannot be done.
From a juridical point of view – there is no difference between SMS messages and push codes.
Accordingly, the security level of these two technologies is the same.
To conclude, I would like to share with you the results of our technical experiment. We put ourselves in the “hackers” shoes and tried to create a malware for Android to steal SMS messages and push notifications. It took about 1 hour and 30 minutes to create a complete solution – the malware for Android, a server to receive stolen notifications and a UI to read them on the server’s side. No antivirus or behavior analysis applications detected this malware. We successfully stole a few bucks from my personal Visa using the 3D-Secure transaction process. The first time around, a confirmation code was sent by push, the second time by an SMS message. We demonstrated a video of this experiment on one of our webinars, and are ready to explain how the solution works.
I would like to warn you against using SMS or push messages when it comes to confirming any financial transactions. From a security point of view, this is not a good idea. In 2020, we have solutions, which have the ability to accommodate our needs in a more proper way.