Stolen data gives attackers an advantage against text-based 2FA

Companies that rely on texts for a second authentication factor put around 20% of their customers at risk because the information needed to attack the system is available in compromised databases for sale on the Dark Web.

Around 1 billion records synthesized from online databases – representing about one in five mobile phone users worldwide – contain users’ names, email addresses, passwords and phone numbers. This gives attackers everything they need to carry out SMS phishing attacks, also known as smishing, says Thomas Olofsson, CTO of cybersecurity firm FYEO.

Cybersecurity experts have long known that a one-time password sent over SMS is a weak form of two-factor authentication, and the one easiest for attackers to defeat. However, combining such attacks with readily available user information produces a “perfect storm” for attacking accounts, he says.

At Black Hat USA, Olofsson plans to review research findings on the issue during a session on Wednesday, August 10 titled “Smishmash – Text-Based 2FA Spoofing Using OSINT, Phishing Techniques, and a Burner Phone.”

“The research we did has two parts: how to bypass 2FA and how many phone numbers can we bind to an email address and password,” he told Dark Reading. “So for about one in five people – a billion – we can connect your email address to your phone number, and that’s really bad.”

The analysis found that by collecting information from known databases of compromised usernames and passwords, researchers could create a database of 22 billion credentials. Tying those credentials to a phone number narrowed the set to just over a billion records, about half of which were verified.

To use these records, attackers can conduct an adversary-in-the-middle attack, where the link in the smishing message leads to a proxy sitting between the user and the legitimate site. When a targeted user opens a link in a malicious SMS message on a mobile device, browsers on iOS and Android rarely display security information, such as the URL, because the screen is so small. Because of this, few, if any, signs of an attack are presented to the user, making attacks much more effective, says Olofsson.

Additionally, smishing attacks are seven times more likely to succeed than email-based phishing attacks, he says.

“That makes it extremely likely that someone will click on the link,” says Olofsson. “I even watch our attacks, and I thought, wow, I could fall for it.”

Attackers have used smishing to compromise financial accounts — especially those tied to cryptocurrency exchanges — over the past two years, with more than $1.6 billion worth of crypto stolen so far in 2022, according to an analysis published in May.

SMS for 2FA: Risky Biz

Meanwhile, the US federal government has already placed additional restrictions on any use of SMS for second factor authentication. In 2016, the National Institute of Standards and Technology (NIST) warned against using one-time passwords sent as text messages for a second factor of user authentication.

“An SMS sent from a mobile phone can turn into an Internet message sent to, for example, a Skype or Google Voice phone number. Users shouldn’t have to know the difference when they click send – it’s part of the magic of the Internet. But it’s important for security,” NIST wrote in an explanation of the policy, adding, “Although a password paired with an SMS has a level of protection much higher than passwords alone, it lacks the strength of device authentication mechanisms inherent in other authorized authenticators” per NIST guidelines.

To reduce the likelihood of such attacks succeeding, users should ignore all SMS notifications and log into their account directly.

“Never trust an SMS message,” says Olofsson. “If you feel something is wrong, don’t click on it, don’t trust it. Go to a computer and see if you have an email, because at least then you can check the headers.”

Unfortunately, many financial institutions and other businesses make it difficult for users to implement better security because they only offer SMS as an option for second factor authentication. Adding reCAPTCHA checks can give users a clue that something is wrong, Olofsson notes, because in any adversary-in-the-middle attack the site sees the proxy server’s IP address, not the user’s.
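The same observation, that the site sees the proxy's address rather than the user's, can be applied server-side. The following is an added illustration, not code from FYEO or the article; it assumes the login service keeps the /24 networks of each user's recent successful logins and a list of hosting/VPS ranges, both of which are constructed placeholders here (RFC 5737 documentation addresses).

```python
"""Defender-side check: does a one-time-code submission arrive from an
adversary-in-the-middle proxy rather than from the user's own device?

Added illustration, not the article's or FYEO's code. The hosting ranges
and per-user login history below are constructed placeholders.
"""
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed placeholder list of hosting-provider ranges, standing in for a
# real cloud/VPS range feed a production service would subscribe to.
HOSTING_RANGES: list[IPv4Network] = [
    ip_network("203.0.113.0/24"),
    ip_network("198.51.100.0/24"),
]

# Constructed per-user history: /24 networks of recent successful logins.
# A real service would derive this from its own authentication logs.
USER_NETWORKS: dict[str, set[IPv4Network]] = {
    "alice": {ip_network("192.0.2.0/24")},
}


def in_hosting_range(ip: str) -> bool:
    """True if the submitting address falls inside a known hosting range."""
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def seen_network_for(user: str, ip: str) -> bool:
    """True if this user has previously logged in from the address's /24."""
    addr = ip_address(ip)
    return any(addr in net for net in USER_NETWORKS.get(user, set()))


def otp_risk_reasons(user: str, submitting_ip: str) -> list[str]:
    """Reasons an OTP submission looks proxied; an empty list means clean.

    A phishing proxy relays the victim's code to the real site from the
    proxy's own address, so the site sees the proxy, not the victim's phone
    or laptop.  Two cheap signals follow from that: the address belongs to
    hosting infrastructure, or it is a network this user has never used.
    """
    reasons: list[str] = []
    if in_hosting_range(submitting_ip):
        reasons.append("otp-submitted-from-hosting-range")
    if not seen_network_for(user, submitting_ip):
        reasons.append("otp-submitted-from-unfamiliar-network")
    return reasons


def should_step_up(user: str, submitting_ip: str) -> bool:
    """Require an extra check (CAPTCHA, push confirmation) when any signal fires."""
    return bool(otp_risk_reasons(user, submitting_ip))
```

Neither signal alone proves an attack (users travel, and some legitimately use VPNs), so the result should drive a step-up challenge or an alert rather than a hard block.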
