Why you shouldn’t use two-factor authentication which relies on an SMS message – hackers are on it and could gain access to all your passwords, especially if you are using Android credentials

By Syed Wajid Ali Shah, Jongkil Jay Jeong and Robin Doss*

It is now well known that usernames and passwords are not enough to securely access online services. A recent study found that over 80% of all hacking-related violations occur due to compromised and weak credentials, with three billion username / password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username / password system.

It also works. Figures suggest that users who enabled 2FA ended up blocking around 99.9% of automated attacks.

But as with any good cybersecurity solution, attackers can quickly find ways around it. They can bypass 2FA via one-time codes sent as an SMS to a user’s smartphone.

Yet many essential online services in Australia still use SMS-based one-time codes, including myGov and the Big Four Banks: ANZ, Commonwealth Bank, NAB and Westpac.

So what’s the deal with SMS?

The main suppliers such as Microsoft urged users to ditch 2FA solutions that leverage texting and voice calling. Indeed, SMS are notorious for their low security, which leaves them open to a multitude of different attacks.

For example, SIM card exchange has been shown to be a way around 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider that they themselves are the victim, and then requesting that the victim’s phone number be switched to a device of their choice.

SMS-based one-time codes are also compromised by readily available tools such as Modlishka using a technique called reverse proxy. This facilitates communication between the victim and a service whose identity is spoofed.

So, in the case of Modlishka, it will intercept the communication between a genuine service and a victim and will track and record victims’ interactions with the service, including the login details they can use).

In addition to these existing vulnerabilities, our team found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web on your Android device.

Due to sync services, if a hacker manages to compromise your Google credentials on their own device, then they can install a message mirroring app directly on your smartphone. Shutterstock

If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you receive a prompt), then they can automatically install any app they want on your computer. smartphone.

The attack on Android

Our experiments revealed that a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular application (name and type withheld for security reasons) designed to sync user notifications across different devices.

Specifically, attackers can exploit a compromised email / password combination logged into a Google account (such as [email protected]) to maliciously install a readily available message mirroring application on a victim’s smartphone via Google Play.

This is a realistic scenario because it is common for users to use the same credentials on a variety of services. Using a password manager is an effective way to secure your first line of authentication (your username / password).

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to activate the permissions required for the app to function properly.

For example, they can pretend to call a legitimate service provider to persuade the user to activate permissions. After that, they can remotely receive all communications sent to the victim’s phone, including the one-time codes used for 2FA.

While several conditions must be met for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn’t need high-end technical capabilities. It just requires an overview of how these specific apps work and how to use them intelligently (along with social engineering) to target a victim.

The threat is even more real when the attacker is a trusted person (for example, a family member) with access to the victim’s smartphone.

What is the alternative?

To stay protected online, you need to check whether your first line of defense is secure. First check your password to see if it is compromised. There are a number of safety programs this will allow you to do so. And make sure you use a well-designed password.

We also recommend that you limit the use of SMS as a 2FA method if you can. You can use app-based one-time codes instead, for example via Google Authenticator. In this case, the code is generated in the Google Authenticator app on your device itself, rather than being sent to you.

However, this approach can also be compromised by hackers using certain sophisticated malware. A better alternative would be to use dedicated hardware devices such as YubiKey.

The YubiKey, first developed in 2008, is an authentication device designed to support one-time passwords and 2FA protocols without having to rely on SMS-based 2FA. Shutterstock

These are small USB (or near-field communication) devices that provide a simplified way to enable 2FA on different services.

Such physical devices should be plugged in or placed near a connecting device as part of 2FA, thereby mitigating the risks associated with visible single-use codes, such as codes sent by SMS.

It should be emphasized that an underlying condition for any 2FA alternative is that the user himself must have some level of active participation and responsibility.

At the same time, more work needs to be done by service providers, developers and researchers to develop more accessible and secure authentication methods.

Essentially, these methods need to go beyond 2FA and into a multi-factor authentication environment, where multiple authentication methods are simultaneously deployed and combined as needed.


Syed Wajid Ali Shah, researcher, Cybersecurity Research and Innovation Center, Deakin University; Jongkil Jay Jeong, CyberCRC researcher, Cybersecurity Research and Innovation Center (CSRI), Deakin University, and Robin dossier, Research Director, Center for Research and Innovation in Cybersecurity, Deakin University. This article is republished from The conversation under a Creative Commons license. Read it original article.

Leave a Reply

Your email address will not be published. Required fields are marked *