There are countless ways to carry out a cyber attack, but for the vast majority the key is deception – typically involving identity deception in which the attacker poses as a trusted party to the intended victim.
With cyber criminals constantly on the prowl to capture passwords and other credentials, two-factor authentication (2FA) has become one of the most widely accepted backup verifications for many services and companies. While various 2FA methods are available, the humble SMS text message has emerged as a favourite as it is incredibly ubiquitous and easy to understand.
Nevertheless, SMS also contains a number of inherent flaws as a security verification method. The first problem is that 2FA doesn’t actually verify the user’s identity, only that they have access. This means that anyone with direct access to the device can pass through 2FA security measures as they can send themselves the code.
The SMS phishing menace
Thieves and fraudsters don’t need to have the device in their hands, as 2FA is also vulnerable to remote phishing. We most often think of phishing attacks as taking place over email, targeting information such as passwords, but the same tactic can very easily be applied over SMS and targeting reset codes. One particularly powerful technique is the Verification Code Forwarding Attack, or VCFA. For this approach, the criminal accesses a service provider and requests an SMS code to reset their password for a particular user. Immediately afterwards, they send a fake text message to the same user, pretending to be the service provider and asking for the code “as an additional verification measure”.
In a research experiment I conducted with colleagues at New York University, we discovered that the VCFA technique can be incredibly effective – far more so than comparable email-based phishing attacks. We enlisted more than 300 volunteers who were not aware that the experiment involved SMS phishing, and sent them a variety of different messages designed after real SMS from their email provider. The most successful message was able to fool 50 percent of recipients into giving up their authentication code, which is an impossibly high result for most forms of social engineering. By comparison, most non-targeted email-based phishing attacks have a success rate of around 1 per cent, with the very best reaching two or three percent.
Any service being breached in this way would mean severe repercussions for the victim, most obviously online payment, retail, and anything else connected to financial data. The holy grail for any attacker is to gain access to an email account, a tactic known as Email Account Compromise (EAC). While financial details can be exploited as a one-off opportunity before the bank takes action, an email account can be used in much more subtle and insidious ways.
EAC emails are far more difficult to detect than normal fraudulent messages, as they lack potential tells such as mismatched sender IDs. The good news is that they are not entirely unstoppable, and it is possible to detect and prevent an EAC email by looking even deeper into different elements associated with the identity of the legitimate user. For example, an email security system could be set up to detect details about the user agent – the device used to send the email. So, a user could normally use a Mac with a 2560 × 1600 screen resolution, while the imposter who has hijacked their account might use a PC with an 1440 x 900 resolution.
This difference can be identified through the email itself, along with other signs such as the IP address. Taken together, these clues can point to a suspicious email even when then account address is genuine. The email can then be flagged for further examination to determine if there really is a malicious actor at work, or if the CEO happens to be using his or her spouse’s PC for the afternoon.
Can 2FA be saved?
The most obvious solution to the many security flaws in SMS 2FA is to abandon the text message as a verification measure – something I expect to see happening with increasing frequency over the next year.
Although SMS 2FA is certainly on the way out, it will be some time before the change filters through all organisations thanks to its simplicity and popularity. While SMS remains so widespread and more attackers pick up on SMS phishing attacks, it is more important than ever for organisations to be aware that their workforce’s digital identities may be compromised. Enterprises must be prepared for the threat of an employee’s email being hijacked via 2FA and used to attack them from within.