SMS Authentication Pitfalls

SMS is promoted as a reliable way to authenticate users.  A message carrying a one-time passcode (OTP) is sent to a mobile number and the code is then entered on a web portal, ‘proving’ that whoever holds that mobile number is a real person who wants the service on offer.  The message might form one factor in a multi-factor authentication (MFA) process or be used for account recovery.  Because of the potentially large number of requests and verifications, corporate SMS and one-time passcode delivery will almost certainly be outsourced to an automated gateway service.
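To make the portal side of that flow concrete, here is an added illustration (not code from any SMS gateway and not from the original post) of how a server should issue and check an SMS one-time passcode: the code comes from a cryptographic random source, only a salted hash of it is stored, it expires after a short window, it is single use, and it is discarded after a handful of wrong guesses so that six digits cannot simply be brute-forced.  The five-minute lifetime, the five-attempt limit and the in-memory store are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300       # assumed validity window of five minutes
MAX_VERIFY_ATTEMPTS = 5     # assumed guess limit before the code is discarded


class OtpStore:
    """Issued codes keyed by phone number (an in-memory stand-in for a database)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._records = {}

    def issue(self, phone):
        """Generate a fresh code for `phone`, keep only its salted hash, return the code for sending."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._records[phone] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # goes to the SMS gateway only; never log or store the plaintext

    def verify(self, phone, candidate):
        """Check a submitted code; returns one of ok, wrong, expired, locked, no_code."""
        rec = self._records.get(phone)
        if rec is None:
            return "no_code"
        if self._now() > rec["expires"]:
            del self._records[phone]
            return "expired"
        if rec["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self._records[phone]       # too many guesses: force a fresh issue
            return "locked"
        rec["attempts"] += 1
        submitted = hashlib.sha256(rec["salt"] + candidate.encode()).digest()
        if hmac.compare_digest(rec["digest"], submitted):
            del self._records[phone]       # single use: a replayed code is rejected
            return "ok"
        return "wrong"


if __name__ == "__main__":
    store = OtpStore()
    sent = store.issue("+447700900123")    # Ofcom drama range, constructed for the example
    print("verify right code:", store.verify("+447700900123", sent))
    print("replay same code:", store.verify("+447700900123", sent))
```

None of this helps if the handset receiving the text is not the one it should be; it only ensures the portal is not the weakest link.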

In the UK the NCSC publishes advice on SMS and telephone best practice.  The core pitfall of SMS and telephone communications is that the sender cannot be reliably identified, which lets criminals spoof the source of a message.  The SMS sender id is supposed to help the recipient, but in many countries, including the UK, the sender id can be chosen by whoever sends the message.  Since July 2023 there have been some restrictions in the UK on the words that a sender id may start with; ‘Delivery’ and ‘Winner’, for example, are banned.  Sender ids are also limited by the underlying technology to 11 characters if alphanumeric or 15 digits if numeric.  Changing the sender id is not possible from a handset but is straightforward through a commercial SMS provider, which is exactly what a company, or a fraudster, would use.

A worrying consequence is that if the sender id (even a faked one) matches a number already stored in the recipient’s contacts, the stored name is displayed and the message looks more trustworthy than it is.  Where the sender id is a number it should be possible to call or message it back as a rough check of validity; if that fails, the message is almost certainly fake.  An alphanumeric sender id cannot be replied to at all, and even a reply that does go through may land at a number the scammer controls.

Kindus has already discussed the danger of losing a telephone account through SIM swapping.  A journalist, Lucie Cardiet, claimed that on moving to France and acquiring a new mobile number she was issued a number recycled from a previous user, still linked to that user’s Amazon account, which she was able to access.  Login to the account used the mobile number as the identifier and a one-time code sent to that same number as the only check, so whoever held the number held the account.

One approach used by fraudsters takes advantage of the fees that telecom operators charge for delivering SMS messages.  This has become known as Artificial Inflation of Traffic (AIT) fraud.  In 2023 Elon Musk stated that Twitter was losing $60m a year to inflated SMS traffic fraud.  The scam originates with untrustworthy telecom operators who charge for SMS traffic that they never deliver.  These operators may be based outside the USA, EU or UK, but fraudsters also spoof local numbers and rely on the collusion or poor practice of local systems to ensure that this traffic is not rooted out.  Musk determined that 390 telecom operators had been defrauding Twitter and subsequently cut off payments to any operator that did not agree to control fraud at its end.  In the UK the NCSC summarises the scam as follows:

  • A fraudster creates multiple fake accounts.
  • These all generate SMS passcode requests.
  • The Telco receives the requests but does not send the SMS messages.
  • The Telco bills the account provider for the messages.
  • The income is shared between the Telco and fraudster.

The unwary customer might even read the bogus traffic as a good sign: on the surface verification appears to be working well, with high volumes of requests and a significant number of applications being blocked.  In reality the volume of genuine enquiries is much lower than reported, and the ratio of codes verified to codes sent is the figure that exposes this.
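Whether the traffic is genuine shows up in the gateway logs.  The following is an added example, not NCSC or Twitter code and not part of the original post, of the two checks a practitioner would run over an OTP gateway log to spot AIT: the ratio of codes verified to codes sent per destination prefix, and runs of sequential destination numbers, which real users almost never produce.  The log format, the sample lines, the +999 prefix, the prefix length and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of an OTP gateway log: unix timestamp, event, destination in E.164 form.
# The +4477009 numbers are the Ofcom drama range; +99912 is a made-up prefix for the fraud run.
SAMPLE_LOG = """\
1700000000,otp_sent,+447700900101
1700000012,otp_verified,+447700900101
1700000020,otp_sent,+447700900188
1700000035,otp_verified,+447700900188
1700000040,otp_sent,+99912340001
1700000041,otp_sent,+99912340002
1700000042,otp_sent,+99912340003
1700000043,otp_sent,+99912340004
1700000044,otp_sent,+99912340005
1700000045,otp_sent,+99912340006
1700000046,otp_sent,+99912340007
1700000047,otp_sent,+99912340008
1700000050,otp_sent,+447700900250
1700000061,otp_verified,+447700900250
"""


def parse_log(text):
    """Turn the comma-separated log into (timestamp, event, destination) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event, dest = line.split(",")
        events.append((int(ts), event, dest))
    return events


def prefix_stats(events, prefix_len=6):
    """Count sends and verifications per destination prefix (assumed prefix length 6, e.g. +44770)."""
    stats = defaultdict(lambda: {"sent": 0, "verified": 0, "numbers": set()})
    for _, event, dest in events:
        entry = stats[dest[:prefix_len]]
        if event == "otp_sent":
            entry["sent"] += 1
            entry["numbers"].add(dest)
        elif event == "otp_verified":
            entry["verified"] += 1
    return stats


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive destination numbers (0 for an empty set)."""
    values = sorted(int(n.lstrip("+")) for n in numbers)
    best = run = 1 if values else 0
    for previous, current in zip(values, values[1:]):
        run = run + 1 if current == previous + 1 else 1
        best = max(best, run)
    return best


def flag_ait(events, min_sends=5, min_conversion=0.2, min_run=5, prefix_len=6):
    """Return {prefix: [reasons]} for prefixes whose traffic looks artificially inflated."""
    flagged = {}
    for prefix, entry in prefix_stats(events, prefix_len).items():
        conversion = entry["verified"] / entry["sent"] if entry["sent"] else 0.0
        run = longest_sequential_run(entry["numbers"])
        reasons = []
        if entry["sent"] >= min_sends and conversion < min_conversion:
            reasons.append(f"conversion {conversion:.0%} over {entry['sent']} sends")
        if run >= min_run:
            reasons.append(f"{run} sequential destination numbers")
        if reasons:
            flagged[prefix] = reasons
    return flagged


if __name__ == "__main__":
    for prefix, reasons in flag_ait(parse_log(SAMPLE_LOG)).items():
        print(prefix, "; ".join(reasons))
```

A prefix that is flagged is a candidate for a per-prefix send cap or an outright block at the gateway, which is the control Twitter imposed by refusing to pay operators who would not police this traffic.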

Although many users will be using the same device both to browse the web and to receive texts and calls, asking for a mobile number is a case of an organisation requesting personal information that it does not necessarily need.  A collection of phone numbers linked to email accounts will always be of interest to data harvesters.  Any user should be wary of handing over a mobile number where it is not relevant to the transaction.  Services such as Google’s sign-in or password recovery by mobile phone number trade the convenience of access against the risk of losing everything tied to that one ‘golden’ number, whether through SIM swapping or through the number being recycled to someone else.
