Multifactor Authentication (MFA) is one of the most important controls to block account takeover fraud. There are many different forms of MFA available, and many banks support more than one method for customers. Some of these methods require the customer to download and install an “authenticator” app on their mobile phone, but the simplest method is to simply use text messages, otherwise known as “SMS”. Because it is simple and well understood by customers, many customers will use SMS as their MFA method of choice. But recently demonstrated weaknesses of SMS raise the question of whether it should even be offered any longer.
SMS is weak because it allows criminals to intercept text messages. This can be done by an attacker by performing a “SIM-swap” which redirects a victim’s phone number to a different phone. A SIM swap requires an attacker to trick a cellphone provider into thinking that the criminal is the victim so that they can transfer the victim’s phone number to a different device. This is becoming easier and easier to do, as breaches are constantly making personally identifiable information available on the dark web for more and more consumers. In February, T-Mobile itself was the victim of a data breach that exposed the information required to perform a SIM swap for many of their customers.
In addition to SIM swaps, there may be another much simpler method available to criminals to redirect SMS messages. Brian Krebs recently wrote about a method that utilizes “text enablement” services to redirect text messages without any customer verification at all.
This raises the question of whether financial institutions should stop supporting SMS as a valid MFA method. The change would not be easy, as it requires training customers on how to find, download, and use authenticator apps. Stopping SMS authentication will effectively block account access by customers who do not have a smartphone, so might require institutions to perhaps distribute “hardware tokens” to those customers. In the long run, however, eliminating SMS will help make customer accounts more secure.
Institutions can start to prepare now by practicing what they will eventually preach. Communicate with employees about the dangers of SMS and ask them to use authenticator apps or other strong MFA methods for services (Office 365, etc.) that they use internally. The goal is to educate employees regarding how these other methods work so that they will be better able to support customers going forward. Once employees are versed in how modern MFA works, institutions can start by initially recommending to customers that they choose authenticator apps over SMS or voice calls, then work over time to eliminate SMS as an option entirely.
Finally, institutions should be working with their online banking providers today to make sure they are ready to support MFA methods besides text messages or phone calls to gain access to customer accounts. If their providers do not yet support these more secure methods, now is the time to start applying pressure on them.
Bedel Security helps financial institutions understand, track, and mitigate technology risk. To find out how we can help you, please email us any time at support@bedelsecurity.com.
Remote Employee Access
https://www.bedelsecurity.com/blog/remote-employee-access
Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment
Remote Work Security
https://www.bedelsecurity.com/blog/remote-work-security
Office 365: A Case for Multifactor Authentication
https://www.bedelsecurity.com/blog/office-365-a-case-for-multifactor-authentication