Bsrgvty

Security experts are constantly discouraging users from using SMS-based 2FA systems, usually because of worries the auth code could be intercepted by an attacker, either through a SIM swap or a MitM attack.

The problem I see with this statement is that both of these attacks to me feel like they're essentially only really feasible for attacks targeted at a specific user with the goal of breaching a targeted service. Attacks like the one that breached Reddit last year, where a Reddit administrator had his SMS 2FA token intercepted.

You can't do SIM swap attacks in an automated way or even at scale (unless there is a serious issue with a phone provider). The average cybercriminal doesn't have the required resources to MitM intercept SMS messages for people spread across a city, country or continent. The way I interpret this, the only people who should actively avoid SMS-based 2FA systems are those who are likely to be targeted for specific attacks, but those are few and far between.

Consider an average Joe, who has about 100 accounts, but doesn't use a password manager (so he has password reuse). He doesn't have special access to any major services. He doesn't have any celebrity status or special usernames anywhere. He is a regular, non-management employee at his office with no special access to his company codebase or product. Put a different way, he's unlikely to ever be the target of an attack specifically targeted at him.

In this context, should Joe be concerned that the SMS-based 2FA he uses for Facebook, Twitter, Google, Dropbox, Slack and Nest has theoretical vulnerabilities?

There is no real concept of an "average user with no special access rights". From the perspective of an attacker the main point is if the effort needed for an attack is less then the gain of the attack. Even an "average user" might have crypto wallets or precious twitter accounts. Sometimes the gain of an attack is also not that obvious, like when a seemingly unimportant target is hacked as the initial step in a larger delivery chain attack against a more precious and better protected target.

For some examples of successful attacks see

• My SIM swap attack: How I almost lost $71K, and how to prevent it


• Here's how I survived a SIM swap attack after T-Mobile failed me - twice


• SIM swap horror story: I've lost decades of data and Google won't lift a finger

Like many things, there is a tiny bit of truth in there, but overall it is a non-issue in practice and incidents are reported/perceived totally out of perspective.

Most stuff, including every new system that comes up every few months and that completely obsoletes everything else is usually based on personal financial interests, dogma, belief, and snake oil. So, recently, SMS-TAN was obsoleted. And the world didn't stop.

How dare I say it's a non-issue? There's some very real security breaches!

First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such (which is usually the first factor).

Without providing the first factor, you do not even get to trigger the SMS to be sent. If the legitimate account owner triggered it, then he is currently in the process of logging in, i.e. he has a TLS connection going. The TAN won't work for anything but for the action it was triggered for either, so it's not really useful for much.

You eavesdrop my SMS? Well go ahead. What are you going to do? Unless you also have a gun so you can force me to step away from the keyboard, or you can spoof my IP address and have subverted TLS so much that you can successfully take over the connection (really, WTF? who do we defend against in this threat model?), there is not much you can do. I mean, there's reasonable things to expect, and unreasonable things. Do I need to defend against the possibility of a 2km large meteor hitting my house? If someone can take over my TLS connection, then I have more serious problems than SMS being interceptable.

Unless of course it was you who initiated the SMS-TAN in the first place, which means you must already know my password.

So a reddit sysadmin gave away his admin password or had such a pathetically bad password that it was easy to social-engineer. Or, something else that is outright face-palm scary, whatever. Took a girl he met in the bar the night before to his workplace to impress her, logged in, and walked away? Something the like?

Wow, clearly the fact that SMS can be intercepted was the problem!

SMS 2FA is the same as every other 2FA. It is a little extra hurdle that an attacker has to take, once they have the first factor. It's not much, but it's better than nothing. For the casual attacker on a random target, that little extra makes the difference between "doable" and "not doable". For example, you may get to know my Google password by chance, but you do not know my phone number (or where I even live). So, technical difficulties aside, how are you going to intercept my SMS at all?

Will 2FA stop a targetted attack by a determined attacker? Well no, it probably won't. But what will? I can always tie your girlfriend to a chair and have you watch me cut off fingers until you perform the authentication. Make it five factor authentication if you will, it won't take more than two or three fingers.

On the basis that SMS-TAN is insecure, my bank replaced TAN via SMS with a totally insecure pair of custom-made apps that will allow a transaction to be initiated, and confirmed, without ever a password or such being entered. Android's biometry API telling it "yeah, OK" is enough. It's been demonstrated that facial recognition is easy to trick.

So yeah, this is definitively so much better and more secure than having to enter a password over TLS (which is stored in Keepass) and to receive a TAN via SMS, which is worthless to anyone else.

The simple truth is, sending SMS-TAN costs money, and that stupid little app doesn't...

"Should I worry?" is not a technical question-- you can worry about anything you want. For Information Security purposes it is more helpful to consider specific threats, balancing their probability and risk against cost and inconvenience.

A different question you could ask is whether SMS 2FA is sufficient mitigation against criminal teams working on mass harvesting of credentials (and, for example, posting them for sale on the dark net). The answer to that is-- yeah, it's pretty good. Even if they were able to obtain a 2FA SMS code, it would not have any resale value since it is only good for a few minutes. So in terms of criminal networks reselling credentials, it is a decent mitigation. That is one kind of threat.

Another kind of threat is a criminal team or malicious user targeting you as an individual and in real time. In that scenario, SMS is completely inadequate, for reasons that I think you already understand. It is much too easy to get that code if they have the necessary resources.

That being said, NIST, FFIEC, PCI, ISO-27001, and other forms of security regulation/compliance/guidance are all moving away from SMS 2FA in favor of other options that are becoming more available as the technology evolves. But the public will take time to catch up. Heck, 90% of gmail users don't use any 2FA, let alone a securID token! That is why SMS two factor authentication isn't perfect, but you should still use it..

Although SMS 2FA is not as strong as TOTP base MFA or the use of a hardware security key (e.g. yubikey) it still offers a significant amount of protection against the typical attacker who's just trying to make use of weak or compromised passwords.

The problem I see with this statement is that both of these attacks to me feel like they're essentially only really feasible for attacks targeted at a specific user with the goal of breaching a targeted service.

[...]

You can't do SIM swap attacks in an automated way or even at scale (unless there is a serious issue with a phone provider).

[...]

The average cybercriminal doesn't have the required resources to MitM intercept SMS messages for people spread across a city, country or continent.

You don't always need SIM swap or MitM. Some simple attacks like phishing are already automated and that applies to 2FA codes too.

Now this kind of attack would also bypass other kinds of one-time passwords like smartphone authentication apps, and maybe even login prompts. They would be stopped by token-based 2FA like Yubikeys, since the browser would check that the domain is correct.

Also, I guess it would not be impossible for someone to hack into a phone network and run an untargeted attack while intercepting 2FA SMSs for a while until they get caught.