Two Factor Security Flaw

A reminder that your security is only as good as its weakest link. A compromise of one system reveals weak points in web services that many believe are secure. Some people use two factor authentication for their accounts (email and financial services). However, I assume the majority of people use the SMS or call feature to retrieve the second factor when accessing their accounts. It is the simpler approach for many companies to integrate, rather than forcing end users to use a hardware token or a software app token. In enterprise environments the SMS option is barely available due to its inherent flaws. Again, this is another scenario of security vs. usability in web services. If you have two factor linked to any critical accounts or services via SMS/phone number, you should understand the potential flaws.

As a business decision it completely makes sense to allow SMS/call verification. One, the extra support and hassle of educating users to adopt software apps would be costly. Two, users churn through phones every year or so, which adds another step to set up their auth app again. There are probably more reasons, but I'll focus on the security issues now. Companies such as Google have definitely made the transition simpler by integrating their app into the two factor setup. However, you must be sure to remove the SMS and phone call backup options. This is another decision some might not make, as they don't want to be locked out in certain situations.

Here lies your choice for security: take the easy path, or try to be as secure as possible. In the end almost anything has a flaw, as I have discovered countless times, especially if you are targeted. In this case it was a compromise of your phone provider account. Don't worry, alerts won't do anything for you at 3AM on the weekend, a perfect time for hackers these days. Businesses really need to step up adaptive authentication to restrict these scenarios, especially when someone is logging in from a different country with a random device and IP. (The hacker doesn't even attempt to mask their IP or use a VPN; they don't care, because that doesn't factor into account lockouts.) Again, I assume this goes back to the security and usability issue. However, how many people are really logging in to a USA telco account in the middle of the night from a different country that the account holder has never visited?

This is where security intelligence can really help out. Companies need to start applying the same fraud intelligence they use for monetary transactions to account transactions (IP velocity, geolocation, browser fingerprints, language, proxies, VPNs, account action scoring). All these factors can be analyzed intelligently to trigger security alerts or automatic actions.

So now your accounts are already compromised by the time you wake up. Time to backtrack the changes. First, you won't see the text messages and calls made by the hacker right away, because they conveniently enabled the cloud SMS feature that lets them receive your text messages on their own device. (Verizon conveniently has an app to receive messages on any device using your phone number.) Even if you use a custom SMS app, it seems the feature can be enabled remotely and your messages retrieved on other devices. Next, call forwarding was enabled to some random Google Voice number. Now the hacker essentially owns your cell phone number: they get all the text messages you receive, and they can spoof your number and receive all your calls. Luckily telcos provide an easy view of the history of all calls and messages too. After a quick review you will find what they were after: 1. Email 2. Financial accounts. These are the highest value assets for many, in both information and monetary terms. Once inside your email it's a simple escalation of privileges to all your accounts if you don't have proper segregation of duties (accounts) in place.
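To make the adaptive-authentication idea concrete, here is an added example (not code from the original post or from any telco or vendor) that scores a login attempt against an account profile using the signals listed above: new country, new device fingerprint, proxy/VPN, language mismatch, off-hours local time, a sensitive account action, and IP velocity (impossible travel between two logins). Every weight, threshold, field name and sample event is an assumption chosen for illustration; the three constructed events replay a normal home login, a traveller on a known device, and the 3AM-from-another-country scenario described in this post.

```python
"""Adaptive (risk-based) login scoring over constructed login events.

Added example for this post, not code from the original article or from any
telco or vendor. Every signal, weight, threshold and sample event below is an
assumption chosen to illustrate the idea; a real deployment would tune them
against its own fraud data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    ts: datetime            # attempt time, UTC
    ip: str                 # constructed sample address
    country: str            # country resolved from the IP (assumed GeoIP lookup)
    lat: float              # coordinates resolved from the IP (constructed)
    lon: float
    device_id: str          # browser/device fingerprint hash
    accept_language: str    # e.g. the browser's Accept-Language header
    via_proxy_or_vpn: bool  # assumed output of a proxy/VPN reputation feed
    action: str             # "login" or an account-changing action


@dataclass
class AccountProfile:
    home_country: str
    home_utc_offset: int            # hours from UTC, for the local-hour check
    usual_language: str             # language prefix seen on past logins
    known_devices: Set[str]
    visited_countries: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


# Actions the post shows being taken once inside the telco account.
SENSITIVE_ACTIONS = {"enable_call_forwarding", "enable_cloud_sms",
                     "change_password", "change_security_question"}
MAX_PLAUSIBLE_KMH = 900   # faster than this between two logins = impossible travel
STEP_UP_AT, BLOCK_AT = 30, 60


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine), used for the IP-velocity signal."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(ev: LoginEvent, prof: AccountProfile) -> Tuple[int, List[str]]:
    """Add up weighted risk signals; each fired signal is named for the alert."""
    score, reasons = 0, []

    def fire(points: int, reason: str) -> None:
        nonlocal score
        score += points
        reasons.append(reason)

    if ev.country != prof.home_country and ev.country not in prof.visited_countries:
        fire(30, "new_country")
    if ev.device_id not in prof.known_devices:
        fire(20, "new_device")
    if ev.via_proxy_or_vpn:
        fire(15, "proxy_or_vpn")
    if not ev.accept_language.lower().startswith(prof.usual_language.lower()):
        fire(10, "language_mismatch")
    if (ev.ts.hour + prof.home_utc_offset) % 24 < 5:   # the post's 3AM window
        fire(10, "off_hours")
    if ev.action in SENSITIVE_ACTIONS:
        fire(20, "sensitive_action")
    if prof.last_login is not None:                    # IP velocity check
        hours = (ev.ts - prof.last_login.ts).total_seconds() / 3600
        dist = km_between(prof.last_login.lat, prof.last_login.lon, ev.lat, ev.lon)
        if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
            fire(25, "impossible_travel")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an action; step-up should use a non-SMS second factor."""
    if score >= BLOCK_AT:
        return "block_and_alert"
    if score >= STEP_UP_AT:
        return "step_up_auth"
    return "allow"


def evaluate(ev: LoginEvent, prof: AccountProfile) -> Tuple[str, int, List[str]]:
    score, reasons = score_login(ev, prof)
    return decide(score), score, reasons


# --- constructed sample data: a US telco account and three attempts against it ---
UTC = timezone.utc
HOME = LoginEvent(datetime(2016, 7, 24, 3, 0, tzinfo=UTC), "198.51.100.7", "US",
                  40.71, -74.01, "dev-home-laptop", "en-US", False, "login")
PROFILE = AccountProfile("US", -5, "en", {"dev-home-laptop"}, set(), HOME)
# Benign: known device, home country, 6 PM local, plain login.
BENIGN = LoginEvent(datetime(2016, 7, 24, 23, 0, tzinfo=UTC), "198.51.100.9", "US",
                    40.71, -74.01, "dev-home-laptop", "en-US", False, "login")
# Traveller: known device from a never-visited country "ZZ" (constructed), daytime.
TRAVEL = LoginEvent(datetime(2016, 7, 24, 15, 0, tzinfo=UTC), "203.0.113.5", "ZZ",
                    52.0, 20.0, "dev-home-laptop", "en-US", False, "login")
# The post's scenario: 3AM local, new device, country never visited, no VPN,
# five hours after a login from home, and enabling call forwarding.
ATTACK = LoginEvent(datetime(2016, 7, 24, 8, 0, tzinfo=UTC), "203.0.113.77", "ZZ",
                    52.0, 20.0, "dev-unknown-9f3a", "en-US", False, "enable_call_forwarding")

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("travel", TRAVEL), ("attack", ATTACK)):
        decision, score, reasons = evaluate(ev, PROFILE)
        print(f"{name:7s} score={score:3d} {decision:15s} {','.join(reasons)}")
```

Running it scores the home login 0 (allow), the traveller 30 (step-up, since only the country is new), and the post's scenario 105 (block and alert) even though the attacker used no proxy or VPN: the new country, unknown device, off-hours time, sensitive action and impossible travel add up on their own. The point of the named reasons is that the alert, or the automatic action, carries the evidence a responder needs rather than a bare score.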

Now for some initial cleanup of the security mistakes. 1. Use another computer if you believe yours is compromised before changing account information. Run Tronscript or similar tools to scan for any malware. (Nothing found, good, maybe...) Change your account/voicemail passwords, username, and secret question and answer. 2. Inform the telco to block the cloud SMS app and call forwarding on their end. That might throw a wrench in future attacks. 3. Make sure accounts have unique usernames/passwords per service. This step can stop the majority of attacks in the first place, but it requires the most effort to manage for the average user. While it seems two factor auth adoption has improved within the past few years, it takes attackers little time to adapt. Here's an interesting article that essentially describes a similar attack nearly 4 years ago. Security is a constant battle and must be kept up on to stay ahead. Whether through social engineering, web vulnerabilities, end users, or other devious tactics, there seems to be a weak link in two factor auth. One can only hope to stay ahead with an evolving security strategy in this wild west environment.

Update 7/26/16: Looks like even the government understands how insecure SMS is for authentication. NIST guidelines now ban SMS.