March 16, 2021

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users.

Security researcher “Lucky225” worked with Vice.com’s Joseph Cox to intercept Cox’s incoming text messages with his permission. Lucky225 showed how anyone could do the same after creating an account at a service called Sakari, a company that helps celebrities and businesses do SMS marketing and mass messaging.

The “how they did it” was sickeningly simple. It cost just $16, and there was precious little to prevent someone from stealing your text messages without your knowledge. Cox writes:

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behavior with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

Lucky225, who is chief information officer for Okey Systems, told KrebsOnSecurity that Sakari has since taken steps to block its service from being used with mobile telephone numbers. He said Sakari is just one part of a much larger, unregulated industry that can be used to hijack SMS messages for many phone numbers.

“It’s not a Sakari thing,” Lucky225 replied when first approached for more details. “It’s an industry-wide thing. There are many of these ‘SMS enablement’ providers.”

The most common way thieves hijack SMS messages these days involves “SIM swapping,” a crime that entails bribing or tricking employees at wireless phone companies into modifying customer account information.

In a SIM swap, the attackers redirect the target’s phone number to a device they control, and then can intercept the target’s incoming SMS messages and phone calls. From there, the attacker can reset the password of any account which uses that phone number for password reset links.

But the attacks Lucky225 has been demonstrating merely require customers of any number of firms to sign a sworn “letter of authorization,” or LOA, stating that they do indeed have the authority to act on behalf of the owner of the targeted number.

Allison Nixon is chief research officer at Unit221B, a New York City-based cyber investigations firm. An expert on SIM-swapping attacks who’s been quoted quite a bit on this blog, Nixon said she also had Lucky225 test his interception tricks on her mobile phone, only to watch her incoming SMS messages show up on his burner phone.

“This basically means the only thing standing between anyone and the equivalent of a SIM swap is a forged LOA,” Nixon said. “And the ‘fix’ put in seems to be temporary in nature.”

The interception method that Lucky225 described is still dangerously exposed by a number of systemic weaknesses in the global SMS network, he said.

Most large and legacy telecommunications providers validate transfer requests related to their customers by consulting NPAC, or the Number Portability Administration Center. When customers want to move their phone numbers — mobile or otherwise — that request is routed through NPAC to the customer’s carrier.

That change request carries what’s known as an ALT-SPID, which is a four-digit number that enables NPAC to identify the telecommunications company currently providing service to the customer. More importantly, as part of this process no changes can happen unless the customer’s carrier has verified the changes with the existing customer.

But Lucky225 said the class of SMS interception he’s been testing targets a series of authentication weaknesses tied to a system developed by NetNumber, a private company in Lowell, Mass. NetNumber developed its own proprietary system for mapping telecommunications providers that is used by Sakari and an entire industry of similar firms.

NetNumber developed its six-digit ALT-SPIDs (NetNumber IDs) to better organize and track communications service providers that were all using other numbering systems (and differing numbers of digits). But NetNumber also works directly with dozens of voice-over-IP or Internet-based phone companies which do not play by the same regulatory rules that apply to legacy telecommunications providers.

“There are many VoIP providers that offer ‘off net’ ‘text enablement’,” Lucky225 explained. “Companies such as ZipWhip that promise to let you ‘Text enable your existing business phone number’ so that customers can text your main business line whether it be VoIP, toll-free or a landline number.”

As Lucky225 wrote in his comprehensive Medium article, there are a plethora of wholesale VoIP providers that let you become a reseller with little to no verification. Many of them allow blanket Letters of Authorization (LOAs), where you as the reseller promise that you have an LOA on file for any number you want to text enable for your resellers or end-users.

“In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID of any phone number to your wholesale provider’s NNID and begin receiving SMS text messages with virtually no authentication whatsoever. No SIM Swap, SS7 attacks, or port outs needed — just type the target’s phone number in a text box and hit submit and within minutes you can start receiving SMS text messages for them. They won’t even be alerted that anything has happened as their voice & data services will continue to work as usual. Surprisingly, despite the fact that I publicly disclosed this in 2018, nothing has been done to stop this relatively unsophisticated attack.”

NetNumber declined to comment on the record, but instead referred to a statement from the CTIA, a trade association representing the wireless industry, which reads:

“After being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures. Since that time, no carrier has been able to replicate it. We have no indication of any malicious activity involving the potential threat or that any customers were impacted. Consumer privacy and safety is our top priority, and we will continue to investigate this matter.”

Lucky225 told KrebsOnSecurity many of the major mobile companies have moved to ensure none of their customers can be affected by changes requested through NetNumber or its partners. But he suspects some of the smaller wired and wireless telecommunications firms may still be vulnerable.

“I’m pretty sure it’s only the big carriers that they’re protecting now,” he said. “But there’s just so much we don’t know about what they patched because everyone is being so tight lipped about this right now.”

Nixon said it’s time for federal regulators to step up and protect consumers.

“It’s clear this is a lot of foundational infrastructure mucky muck and some fundamental changes are going to need to happen here,” she said. “Regulators really need to get involved.”

WHAT CAN YOU DO?

Given the potentially broad impact of fraudsters abusing this and other weaknesses in the vast mobile ecosystem to completely subvert the security of SMS based communications and multi-factor authentication, it’s probably a good idea to rethink your relationship to your phone number. It’s now plainer than ever how foolish it is to trust SMS for anything.

My advice has long been to remove phone numbers from your online accounts wherever you can, and avoid selecting SMS or phone calls for second factor or one-time codes. Phone numbers were never designed to be identity documents, but that’s effectively what they’ve become. It’s time we stopped letting everyone treat them that way.

Any online accounts that you value should be secured with a unique and strong password, as well as the most robust form of multi-factor authentication available. Usually, this is a mobile app like Authy or Google Authenticator that generates a one-time code. Some sites like Twitter and Facebook now support even more robust options — such as physical security keys.

Removing your phone number may be even more important for any email accounts you may have. Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts, merely by requesting a password reset email.

Unfortunately, many email providers still let users reset their account passwords by having a link sent via text to the phone number on file for the account. So remove the phone number as a backup for your email account, and ensure a more robust second factor is selected for all available account recovery options.

Here’s the thing: Most online services require users to supply a mobile phone number when setting up the account, but do not require the number to remain associated with the account after it is established. I advise readers to remove their phone numbers from accounts wherever possible, and to take advantage of a mobile app to generate any one-time codes for multifactor authentication.


58 thoughts on “Can We Stop Pretending SMS Is Secure Now?”

  1. Luiggi

    The US is the only country relying completely on SMS. They were among the last to ditch CDMA networks. Most of the world relies on more (albeit not perfectly) secure messaging protocols.

    1. JamminJ

      What countries? And what secure messaging protocols?

      This isn’t about country of residence. It is about online sites/services. And the bulk of online services still do rely on a phone number to send 2FA codes. They don’t use any secure messaging app like WhatsApp, Signal or Telegram.

  2. Robert Scroggins

    Interesting! So this is probably how some person is occasionally horning in on my text messages.

    Thanks, Brian!

    Regards,

  3. Jake T

    I use a google voice number when signing up to various websites, and don’t use it for anything else. And of course I don’t use SMS 2FA unless it’s the only possible choice. I figure it’s (marginally) better than no 2FA at all.

    1. James P

      Actually, use of the NNID is more common among OTT solutions. The weakness is not that carriers are relying on it, but that all the enterprises use 3rd party SMS firms (like Twilio, Vonage, etc) that do.

      What’s needed is for the intermediary ecosystem for SMS to pivot more toward secured transmission chains rather than the easiest way to scale a solution. Sakari’s failure is common in the tech industry – make things too easy to use so that they become functionally insecure.

  4. Hayzam

    This is very scary. India, for instance, doesn’t even give options to use other 2FA methods; we’re basically stuck with mobile.

  5. Occam

    Is this a US (or North American) only problem or is it a global weakness?

    1. mealy

      Is sim swapping a North America problem only? No.
      Places have different laws, carriers have differing policies.
      Relying on SMS-anything far too much is a deep global issue.
      Damned by convenience.

  6. Glenn

    So we would be better off having nothing than SMS 2FA?

    1. JamminJ

      Um… no.

      Nothing, as in single factor… is still way weaker than using even insecure SMS.

    2. timeless

      Ideally everyone is using Software (generally TOTP) or Hardware tokens. But something is slightly better than nothing as long as there’s enough value left in the nothing bucket for hackers to focus on it instead of the something bucket.

      It looks like the directory for two factor vendors has moved to:
      https://2fa.directory/

  7. JJ Chapman

    The problem with these authentication apps is that many critical service providers (e.g. banks, 401K plans, mutual funds, etc.) do not provide for their use as a 2FA. The idea is great, but the implementation is just not sufficiently there across the board.

    1. Jess

      Authenticator apps are horrible if you ever have to do a phone reset on purpose or by accident. The key to some, if not all, of them working is timing sensitive and once that gets messed up, you are screwed.

      You need an authenticator app and a fallback combined. Fallbacks intro further security risks (like SMS 2FA is doing) though and shouldn’t be needed if an authenticator app didn’t have that problem.

      1. mealy

        There ought to be a thread of honor on some platform or another devoted to businesses that fail because the CEO/CTO/CFO or appropriate loses their phone and… that’s all folks.

      2. John

        Authenticators on smartphones are a bad idea also as they have been demonstrated to have vulnerabilities to kernel level hacking. Hardware tokens are the way to go for real security. You can have multiple tokens for backup purposes.

        1. JamminJ

          Hardware tokens have been found with vulnerabilities too. See RSA.

          No perfect product. But a balance of security and practicality.

  8. Paul Waite

    We have developed a specific solution to address the SMS authentication channel through the use of one-time pad principles and enhancing the knowledge factor.

    Our solution addresses the insecurity of the SMS channel and is irrelevant as the secret OTP is never sent via SMS.

    Rather, our solution sends a cipher key which allows the user to encode their secret PIN into a different letter code each time they authenticate.

    Even if intercepted, the cipher key does not provide an attacker with a means to compromise that user or any other aspects of the system.

    With our solution there is no algorithm to crack. Instead, our patented approach leverages tried and tested One-Time Pad principles to ensure each cipher key, or KeyMap, of letters and numbers is used once and once only. This is perfect for strong authentication via an inherently insecure delivery channel like SMS.

    1. JamminJ

      This just sounds like SMS 2FA, but with more steps.

      Remember, SMS is used as a second factor in almost every case. There is a password (knowledge factor) that is needed first.

      So this scheme is just combining the SMS OTP with the knowledge factor… a bit earlier in the process. Inside the head of the user/attacker, instead of on the authentication server.

      Further, you reduce the knowledge factor entropy from a full length, complex password, to a PIN? Not good security.

      “Even if intercepted, the cipher key does not provide an attacker with a means to compromise…”
      For an attacker to compromise an account using a multifactor authentication implementation with username, password, and SMS OTP code…. They would usually need the password too. This is insecure, because user chosen passwords can often be guessed, reused from another account that was breached, shoulder surfed and possibly brute forced.

      But for your scheme, the “secret PIN” becomes the knowledge factor that suffers from all the same insecure properties as a password, except even worse with the limited character set and length.
      And if you are “adding” a secret PIN and still require a password, that’s the same as just “a longer password”.

      Furthermore, now you are expecting the end user to do more work to authenticate by having the person encode a PIN with an OTP cipher key? Ugh. So that is just going to be very error prone. So much expected human error, that it’ll be harder to have effective brute force mitigations.

      Sorry, but this is a terrible idea for security. It just makes it harder for people, and “Reduces” security, not enhances it.

      “Don’t roll your own”.

  9. woody188

    Instead of an LOA, why aren’t these companies sending a confirmation to the number being signed up?

    They absolutely don’t care and want crooks money!

  10. David

    Hi Brian!
    Honest question here: What about a simple system like the one eBay employs? If I ‘log in’ to eBay on a web browser on my computer, eBay sends something to my phone that has to verify that I am ‘me’. I am assuming it is because I have the eBay app on my phone as well, but it never references the iPhone app nor do I have to be logged in or even have it open, it just sends a quick banner message asking if I am trying to log in on the web.

    Would it be possible to use that technology everywhere?

  11. GV

    What can we do about financial institutions that only offer SMS texts as a way to validate online logins?

    The last time I checked only two major U.S. financial institutions provide an option like real 2FA. My local credit unions rely on SMS. There are no other options available through them.

    Our Chase credit cards also offer SMS as a validation option.

    This has been worrying me for some time but I haven’t found a way to make these online transactions safer...

    1. JamminJ

      Some credit unions have multiple options for 2FA. But automatically enroll your account’s mobile number, into the SMS option. So even if they do 2FA with a Push to Approve on their mobile app… an attacker could still just select the SMS option that is available (after getting your password and intercepting your SMS).
      One solution is to give a landline/VOIP number as your mobile number.

      But now I too am worried that 3rd party “SMS Enablement” companies can actually receive SMS messages for landline or VOIP numbers.
      This part of the article was not clear. Could you clarify @BrianKrebs?

      1. mealy

        Just like any extra-authenticator app. Another factor required.
        You’d have to SIM dupe/swap and have the app + credentials also.
        If the app were ‘srs’ it could track your location, deep dive your
        phone for obscure data tags, look at usage patterns over time etc.
        Heartbeat, IRIS, thumb, voiceprint, insert hair in lightning port, etc.

  12. FI IT

    It’s important to bear in mind that all of these systems have average-Joe end users that wouldn’t be able to understand 90% of the language in this post. And not just boomers, but millennials, Gen Z, people of all ages who can barely keep track of a username and password, much less deal with an authenticator app.

    Considering how difficult it is to convince the average person you know to use something as simple as Signal, imagine how hard it is to convince an irate customer, struggling to “seeing muh accounts” that they need to bear more responsibility.

    1. timeless

      app.grammarly.com says:

      > … text compares in readability to The New York Times. It is likely to be understood by a reader who has at least a 10th-grade education (age 16).

      Ideally most adults have this.

      While there are some rare/unique words, they’re generally explained in context or are just names of entities.

      Brian’s writing is much better than the average tech reporter.

  13. Darryl

    Would using apps like Signal fix the problem? Obviously the senders would need to use it.
    If when you install something like Signal, you have to create a PIN, then someone trying to intercept your SMS would need to know the SIM to be able to read the SMS?

    1. JamminJ

      Nope.

      Signal, WhatsApp, Telegram, etc… all require the sender to also use the app, in order to be encrypted or have any protections.

      If a sender is using SMS… the message comes to your phone unencrypted. Only once it hits your phone, does your phone’s OS send it to your designated “default app” for handling SMS. So the app will display the conversation. Some apps will show a small indication that this message was unencrypted/SMS.

      So an attacker who did a SIM swap, ported, or did this cheap SMS interception trick… would just receive the unencrypted SMS.

      Now, if online sites/services were to have some sort of custom messaging gateway that maybe registered with the top 3 most common secure messaging apps… then they could perhaps avoid SMS. But this isn’t practical.

      I toyed around with my home network, registering a spare Google Voice number with Signal-CLI on Linux. So I could send secure alerts via Signal. But this is not something that would scale with the thousands of sites/services online that are still using SMS.
      It is MUUUCH easier to just use TOTP which just uses a clock, and any number of apps that anyone can download. Cheaper too, since no messaging is needed at all.

  14. Ana

    If there’s someone who thought SMS was safe, that person was naive or just ignorant (which is understandable, people are not obligated to know EVERYTHING). Thanks, Krebs, for discussing something like this. I completely agree, and I’ve thought the same for years. Like, at https://demyo.com/ I knew I should have the strongest security protocols, so I never use SMS.

  15. Roger A. Grimes

    Don’t forget to add in any voice-call-related MFA. Just as bad as SMS...because they both rely on very flawed and hackable SS7. And we’ve known it’s easily hackable forever. I think another reason SS7-layered MFA won’t go away, besides that it’s supported by 95% of the world, is that unofficial and official eavesdroppers like it that way. If you get rid of the flaws of SS7 and the layers above, law enforcement would be very unhappy. They like their stingray devices and the masses using things they can easily eavesdrop and MitM attack. It isn’t just the “bad guys” enjoying our long-time, widespread, vulnerabilities.

  16. Jill

    What happens if I use an authenticator app like Google Authenticator and lose my phone?

    Or if I use a device like a Yubi Key and lose it?

    Am I locked out of the account forever?

    1. GM

      Make sure that you set up any account recovery process that the account offers. Perhaps printing some special one-time access codes.

      Also, use more than one other factor. Some of the authenticator apps, like Authy, have a desktop app that you can install on your computer. You can also use a device like a Yubikey to have a second physical factor. Just don’t keep your phone and your Yubikey in the same place! 😀

    2. JamminJ

      It really depends on the online site or service that is offering MFA.

      To add to GM’s already great mentions…

      Many sites allow you to reset an authentication factor by email alone. Now, this can be pretty weak if your email is compromised. Many people simply have their recovery email logged in on multiple devices. For instance, with Gmail, your Google account may be logged in on phones, laptops, chromecast, etc. So a compromise of one device, gives an attacker access to reset even the strongest of Multifactor devices.

      So the safest methods may be having secondary yubikeys and/or printed backup codes, kept in a safe. But the website may not have these options available to you, and may allow recovery by simple email confirmation.

      One way I recommend for critical sites like banking, is to have a “separate” email account that you are NOT logged into persistently on any device. The email is itself protected by MFA (with backup codes in safe), like protonmail. And have that critical account use that email for recovery.
      One down side to this approach, is if you still want email notifications from that site without being logged into that email account. You can set up email auto forwarding rules to forward to your normal email, *except recovery messages.

    3. Erik

      I use Authy because it allows you to back up your codes whereas Google Authenticator does not. As for Yubikey, I have my primary with me at all times, and a backup in a safe. Should I lose my primary, I have the secondary associated with my accounts as well.

  17. RonM

    Does this interception of SMS messages used for 2fa actually stop the owner of the account from seeing the message come through? If I received an SMS for one of my accounts that I was NOT trying to access, that would raise a red flag for me.

  18. Steven

    I work in authentication and while there are many new technologies that can be used for strong authentication the problem comes down to infrastructure and implementation. Many industries spent the last 15 years to make OTP standard. A lot of time, money and resources have been spent over the years to achieve ubiquity. Consumers and businesses were trained to finally trust it and accept the friction. It’s going to take time to evolve to new solutions. That effort is well underway.

    1. JamminJ

      SMS is still an OTP technology. The real difference between SMS and using a separate app for Time-based OTP (TOTP), is really the inherent built-in capability of mobile phones. Even legacy flip phones can receive SMS, and do not require setup beyond what the cellular carrier does at the store. In contrast, the most modern of flagship smart phones, do NOT come pre-installed with an Authenticator app.

      Each online site/service that has an input field for a mobile number to be used for SMS 2FA, could also easily present a QR code too. And TOTP is much cheaper for businesses since it doesn’t require SMS gateways and costs to send messages. The real user friction is because the user needs a smart phone, and needs to download a 3rd party app, and set that up.

      I would like to see Google and Apple, who own the lion’s share of the mobile market… just preinstall Authenticator apps and have them ready to go for the user. Carriers can even train their staff to set up the most common accounts in the store.

        1. JamminJ

          Thanks.
          The code for TOTP is surprisingly simple.
          Just a Base32 secret/seed, a decent clock, and some HMAC math.

          The camera’s ability to parse a QR code is what makes transferring the secret easy for the user.

          There is no reason phone makers can’t have this function built in.
          Built in default messages/messaging apps for iOS or Android, just to display SMS as conversations... are way more complicated than a simple OTP app.
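As an added illustration (not code from the page, from any commenter, or from any authenticator app), here is the RFC 6238 TOTP construction the comment above describes, written against Python's standard library only: a Base32 secret, a clock divided into 30-second steps, and HMAC-SHA1 with dynamic truncation. It goes a step beyond the comment by including the checks a verifying server needs, a small skew window, a constant-time comparison, and a replay guard so a code cannot be accepted twice. The secret used below is the RFC 6238 test-vector key, constructed here for the example; the time values are the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector key: the ASCII bytes "12345678901234567890", shown
# in the Base32 form an authenticator QR code would carry (constructed sample).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Normalise the Base32 secret as authenticator apps do: strip spaces,
    upper-case, and restore any '=' padding the QR/URI form dropped."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check. Returns the accepted time-step counter, or None.

    - accepts the current step and +/- `window` steps to tolerate clock skew;
    - compares in constant time so timing does not leak which digits matched;
    - refuses any counter <= last_counter, so a code that was already used
      (or intercepted and replayed) within its window is rejected. The caller
      must persist the returned counter per user for this to hold.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    key = decode_secret(secret_b32)
    base = unix_time // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Live code for the constructed sample secret, as an authenticator app would show.
    now = int(time.time())
    print("current code:", totp(RFC6238_SECRET_B32, now))
    print("seconds left:", 30 - now % 30)
```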

  19. Ron d

    Lucky225 mentioned in the article has a
    website, Okey, that can monitor your phone number for problems.

  20. Brandon

    Very interesting read Brian, thanks for your tireless reporting and helping to keep us all safe and informed.

    Of course just putting on my tinfoil hat here... I saw your article and I saw it reported on the Twit Network as well as I regularly listen to their podcasts.

    It seems Lucky is connected with the Okey site that says they will monitor for this type of hack.

    I trust your word and info and have you been able to talk to or have on good authority that this company that claims they can monitor for this is on the up and up?

    Yeah I know, just a little paranoid, but if anything with tech, I’m just extra cautious.

    Thanks again!

    1. Richard

      Brian Krebs:

      Any update if okeymonitor.com is a reputable source to track this type of attack?

      While I believe the vulnerability exists, okeymonitor.com requires adding a phone number where you need to verify via SMS.

  21. Cap Anon

    I’ve followed this topic for a few years now. I have a Google Voice number on most of my accounts now, but, if I understand correctly, this vulnerability would allow someone to just as easily get SMS messages for that, or a landline. Is that right?

    There is a Google account setting under phone number “Use this number to get account security alerts and reset your password if you forget it.”, which you can turn off. I have done so now.

    Obviously securing your main email account is the big one, but what to do about all my bank accounts that require me to have a phone number on them? And services like PayPal and Venmo that require you to have a cell phone attached for 2-fa (Google voice numbers aren’t allowed)?

    And I totally get why companies aren’t all embracing OTP and moving on from SMS. It’s great for tech savvy/paranoid types, but 90 percent of their customers don’t know what it is, and even if they did, there would be huge swathes of them calling their customer service every day getting locked out of their accounts because they lost their one-time codes or even never bothered to save them.

    That’s the problem I guess, anything remotely secure elevates the risk that you will get locked out at some point, unless you are extremely conscientious and thorough. Right now I am considering how to keep hard copies of my one time codes for email account, password manager key, and OTP account key, offsite somewhere. What if the house burns down and with it go all my devices? I might be able to get into some of the accounts where I can call and talk to someone or visit a branch, but many, email and social media among others, would be up in smoke.

    1. Stevan

      If one sets up a gmail account / gvoice # specifically for financial accounts it would be difficult for anyone to know your ph# to hack the SMS – unless the financial institution was, itself, compromised.

      To store that secure information in case of fire, one could set up a cloud account (Dropbox, Box, etc), encrypt the important documents (PDF / Office encryption, 7-zip) and have them perpetually available.

  22. muffin

    I am an average computer user. My bank and credit card companies send a text message to my mobile phone for the 2-factor authentication. When I enter that number, I then need to enter my password again. So even if someone had the text message diverted, they would not have my password. Am I missing something?

    1. Cap Anon

      Many websites allow you to reset your password via a text message if you click “forgot your password”.

  23. Paul McGuire

    I agree SMS is not secure. But I disagree with this statement – “remove phone numbers from your online accounts wherever you can”

    It is important that we avoid conflating SMS insecurity with the significant benefits of being able to use the mobile phone as a secure possession factor, because the mobile phone actually holds the key to solving the far larger security problems caused by the widespread use of passwords.

    SMS has become widely used for delivery of One-Time Passwords (SMS OTP) primarily because the traditional email + password paradigm is flawed. So, instead of replacing the password (which has proved difficult to do) a sticking plaster approach has been taken of adding a second factor using SMS OTP. The problem, as you rightly point out in your article, is that SMS itself is insecure. So this 2FA approach with SMS is not a good answer.

    It is well known that passwords are insecure, and their demise has been forecast for more than 10 years. But they are still with us because no good solution has been found that is both more secure and universally deployable (as noted in this in-depth study by Cambridge University Computer Lab).

    As the Cambridge article concludes – there are plenty of solutions that are more secure than passwords, but it is problems with deployability that hold them all back.

    However, with the widespread deployment of Mobile phones, and access to new mobile network operator APIs, a solution is now available that can change all this, in the form of SIM card-based authentication.

    Every mobile phone contains a SIM card which is the same piece of highly secure, scalable and proven microcomputer technology that you can see in every credit card. If you put your SIM card next to your credit card, you will see the chips are the same. Each SIM card has a unique identifier (the IMSI), and a secret authentication key (called Ki) stored inside that only the mobile operator can access. A mobile phone number is uniquely tied to an individual SIM card. This pairing of credentials, therefore, is entirely unique, not duplicable and cryptographically secure. There is nothing a phone user can do to tamper with or change that unique pairing.

    The mobile phone number is an easy-to-use, universal identifier (a replacement for the email address). When used in combination with a SIM-based authentication it can become a powerful security paradigm that can rival the password, replacing a flawed “Knowledge” factor with secure “Possession” factor.

    For this to make sense, it is important to understand the difference between the mobile phone number (MSISDN) and the SIM card identification number (IMSI) and then to ensure that it is the IMSI that is being checked and authenticated, not just the mobile number alone. I recently wrote a blog post on this topic.

    When you want to use your mobile phone (to make phone calls, send text messages or browse the internet) you don’t need to login by typing your email address and password every time. That is because the mobile network operator is able to securely authenticate your device every time you use it, based on the cryptographic security of the SIM card it contains.

    Mobile network operators have realised the potential opportunity for this type of SIM-based authentication and are now starting to roll out commercial APIs. My company tru.ID is one of the providers that is bringing this powerful solution to a wider audience with the aim of finally replacing the flawed authentication paradigm of email + password + SMS, with a more secure and frictionless alternative.

    1. BrianKrebs Post author

      Interesting. Thanks for the comment, Paul. But doesn’t the gist of your suggestion mean that we’re back to trusting the carriers not to have security problems involving employees in low-paid, high-churn jobs at countless mobile stores and kiosks who can be tricked or bribed into doing SIM swaps? Because we see how that works out every day.

      1. Paul McGuire

        We all need the ability to keep our mobile number but have a new SIM card issued if, for example, we change mobile networks or lose our phone.

        Because of that, if user authentication is based on the mobile number (MSISDN) alone, as is the case with SMS OTP, then SIM Swap fraud will always be a problem.

        The solution I am describing uses authentication tied to the SIM card identifier (IMSI). If the SIM card has changed (due to SIM Swap or any other reason), the IMSI will have changed and so the authentication check will fail.

        The further advantage of this approach is there is no PIN involved, so no social engineering risk and a better user experience.

        There is more detail in this blog post https://tru.id/blog/msisdn-vs-imsi-and-mobile-identity
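        The point made above (authenticate the IMSI, not just the MSISDN) and the earlier description of the network authenticating a handset from the SIM's secret key can be shown in a small model. This is an added example written for this page, not tru.ID's code, an operator API, or anything from the original thread: the 3GPP MILENAGE f2 function is replaced with HMAC-SHA256 as a stand-in, and all IMSIs, Ki values and phone numbers are constructed sample data. It also shows the caveat raised further down the thread: a legitimate replacement SIM fails the IMSI-bound check in exactly the same way a fraudulent swap does, so the relying party must re-enrol the new IMSI out of band.

```python
import hashlib
import hmac
import os

# --- Operator side (constructed sample data, not real subscriber records) ---
# Authentication centre: IMSI -> Ki. Ki exists only here and inside the SIM.
AUC = {
    "234150000000001": bytes.fromhex("0f" * 16),  # original SIM
    "234150000000002": bytes.fromhex("a7" * 16),  # replacement SIM issued later
}
# Subscriber register: MSISDN -> IMSI. A SIM swap (legitimate or fraudulent)
# rewrites this mapping; the MSISDN itself never changes.
HLR = {"+447700900123": "234150000000001"}


class Sim:
    """A SIM card: knows its IMSI and Ki, answers challenges, never reveals Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        # Stand-in for MILENAGE f2 (assumption for this example): keyed hash of RAND
        return hmac.new(self._ki, rand, hashlib.sha256).digest()[:8]


def network_authenticate(sim: Sim, rand=None) -> bool:
    """Challenge-response as the operator sees it: the AuC recomputes the
    response with the Ki it holds for the presented IMSI. A SIM that claims an
    IMSI without the matching Ki cannot produce the right answer."""
    rand = rand if rand is not None else os.urandom(16)
    ki = AUC.get(sim.imsi)
    if ki is None:
        return False
    expected = hmac.new(ki, rand, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, sim.respond(rand))


def sim_swap(msisdn: str, new_imsi: str) -> None:
    """Operator action: move a number to a different SIM (new IMSI)."""
    HLR[msisdn] = new_imsi


# --- Relying party side (e.g. a bank) ---
class Account:
    def __init__(self, msisdn: str, enrolled_imsi: str) -> None:
        self.msisdn = msisdn
        self.enrolled_imsi = enrolled_imsi


def check_msisdn_only(account: Account, sim: Sim) -> bool:
    """SMS-OTP-style trust: whichever SIM currently owns the number is accepted."""
    return network_authenticate(sim) and HLR.get(account.msisdn) == sim.imsi


def check_imsi_bound(account: Account, sim: Sim) -> bool:
    """SIM-bound trust: the SIM must also be the one enrolled for this account."""
    return check_msisdn_only(account, sim) and sim.imsi == account.enrolled_imsi


def run_scenario() -> dict:
    number = "+447700900123"
    HLR[number] = "234150000000001"  # reset so the scenario is repeatable
    original = Sim("234150000000001", AUC["234150000000001"])
    account = Account(number, original.imsi)  # IMSI captured at enrolment
    results = {
        "before_swap_msisdn": check_msisdn_only(account, original),
        "before_swap_imsi": check_imsi_bound(account, original),
    }
    # A SIM that merely claims the enrolled IMSI, without Ki, fails the network challenge
    forged = Sim("234150000000001", b"\x00" * 16)
    results["forged_imsi"] = check_imsi_bound(account, forged)

    # The number is moved to a new SIM; fraud and a genuine replacement look
    # identical to both the network and the relying party
    sim_swap(number, "234150000000002")
    replacement = Sim("234150000000002", AUC["234150000000002"])
    results["after_swap_msisdn"] = check_msisdn_only(account, replacement)  # still passes
    results["after_swap_imsi"] = check_imsi_bound(account, replacement)     # now fails
    # The original SIM no longer owns the number, so it fails too
    results["old_sim_after_swap"] = check_msisdn_only(account, original)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}")
```

        The MSISDN-only check is what SMS OTP effectively relies on: after the swap it accepts the new SIM because the number now resolves to it. The IMSI-bound check refuses it, which is the protection described above, but it refuses a customer's honest replacement SIM as well, so the relying party still needs a separate enrolment path for new SIMs.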

        1. JamminJ

          I read some of your blogs and FAQ.

          From what it seems, but isn’t really explicit… Tru.id is a platform that must be integrated into an app. The service, such as a bank for example, has their app on the customer’s device already. And what you’re selling, is NOT for the end user to buy… rather, for the service/bank to deploy on their end.

          There are many other ways to do secure 2FA once you have an Android or iOS app on the client device. Some are much more secure and don’t require third parties to broker.

          The clearest benefit that your product seems to offer is an easy path for customers who get a new phone to be immediately enrolled once their new IMSI is registered with the phone number. They won’t have to go out of band in order to separately verify a new phone that has a new app installed.

          Many services, like banks, have their apps already enabled with 2FA simply by having the secret tied to the app itself rather than the SIM card.
          But of course, getting a new phone means there needs to be a separate out of band enrollment for the new installed app.

          Another benefit of your product seems to be purely marketing. Saying that you are still tied to the mobile number, just in a much more secure way, makes it seem like SMS OTP is your only competitor.

          But if you have to install an app on the client device, there are already much better options, cheaper for the service provider and easier to deploy.

    2. JamminJ

      Sounds like marketing hype language to promote your company.

      You are trying to conflate the security of a SIM card with that of a credit card or smart card chip.
      This is fundamentally untrue. The comparisons do not fit.

      You can have the most cryptographically secure hardware… But if the weakest link in the chain is the pairing to a number that is completely transportable and controlled by third parties who then sell their access and control to other third parties, there’s no way to leverage the security of hardware.

      “This pairing of credentials, therefore, is entirely unique, not duplicable”
      This is false and has been proven false many times over. Cloning cell phones, flaws in SS7, etc.

      Phone numbers to SIM card pairings must always be transportable, and must always be easy to port. Lost phones, unpaid bills, etc… There are many reasons why the carrier must be able to alter this pairing.
      And apparently, not just the carrier.
      There seems to be an entire ecosystem of third parties, some like yours, that want to leverage the ability to modify the pairings between phone numbers and physical SIM cards.

      Experts in multi-factor authentication all agree that SMS is NOT a true possession factor. Because although it may seem that a mobile phone is “something you have”, your phone number is NOT something that is physically in your possession. And the big problem is that this intangible number can be taken away from you on the whims of a teenager working a summer job at the local store.

  24. Steve Lembark

    A: No, not while there is still money to be made selling SMS services.

    Feel free to be disgusted; you’ve been here long enough not to be surprised.

  25. Darren Chaker

    “Stop Pretending SMS Is Secure Now” – since when was SMS secure to pretend it was secure? Other than texting cookie recipes, I would not construe SMS has ever been secure. The texts remain on your phone, on the recipient’s phone, and on the phone company servers to start with. I have always advised clients to use Signal, Wire, Telegram, and Wickr for true security and anonymity. Of course, be sure iCloud or other backup is disabled. Best to everyone, Darren Chaker

    1. JamminJ

      You seem to confuse “secure” with “private”.

  26. Anthony

    Brian, I’m curious what your recommendation would be for authentication in places where people can’t afford a smartphone and even a cheap “dumb phone” might be shared by a whole family.
