Signal System 7 (SS7) is the standard signaling language used to send text messages (SMS) around the world. The technology has been employed in various communication channels for almost 40 years, though it wasn’t until 2008 that security vulnerabilities in the language were made public. More recently, SMS has been used as a method of providing sensitive information such as one-time passcodes, shifting the security issues from theoretical challenges to real vulnerabilities that allow fraud to occur. With the proliferation of other methods of two-factor authentication, SMS should no longer be considered a secure authentication method.
Recently, one of these vulnerabilities was used to bypass two-factor authentication at various German banks. These banks used SMS to deliver one-time passwords (OTPs) to verify online transactions; the attackers took advantage of the security issues in SS7 to redirect the SMSs to phone numbers controlled by the attackers instead of being delivered to the account holders. The fraudsters then used the OTP to access and withdraw funds from the online account.
Back in 2012, Australian Telco declared SMS unsafe for transactions. The CEO stated, “SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication.” In 2016, the National Institute of Standards and Technology also put out warnings regarding the safety of SMS as part of a strong two-factor authentication system.
In general, telephone networks were not designed to be secure. SS7 was created to give users a seamless experience as they travel, allowing them to have uninterrupted calls as they speed down a highway or take the train to work. The adoption of SMS for transmitting sensitive information is the perfect example of a pattern we often see in security: when new methods of communication or new digital products are rolled out, user experience and speed to market are given priority over security, which is often seen as a hindrance to competitiveness.
Even with various alarms ringing over the years, a lack of major fraud losses resulting from SS7 vulnerabilities means that major banks and web platforms have not felt pressure to move away from using SMS to deliver sensitive information. The recent SMS attack in Germany proves that the alarms were, in fact, necessary and should push organizations to move away from SMS authentication.
Changes are starting to be seen as banking regulators in countries across the globe are increasingly crafting regulations to drive business away from this method of communication for sensitive information. For example, in Colombia, Circular 029, which defines what companies and financial institutions must do in order to legally conduct online transactions over mobile devices, specifically mentions that “sensitive information, under no circumstances, may be known by telecommunications provider networks, services, or by any entity other than the financial organization that provides the service through the [SMS] transaction channel.”
A lack of viable alternatives has long been an excuse for service providers to stick to SMS, but this no longer the case.
Alternatives to SMS for Two-Factor Authentication
Today, one-time passcodes can be delivered via alternative methods, such as voice or via software token, without impacting the user’s experience.
Additionally, by leveraging push notifications, organizations can increase security and improve user experience. This technology delivers a secure and encrypted communication channel that is resilient against attacks. A push notification is sent to a user’s phone via a mobile app, and the user approves the notification to verify their identity. It’s that simple. To further improve security, more authentication layers, such as biometrics, can be added.
At Easy Solutions, we have packaged all of these alternative authentication factors into an innovative authentication framework that can be easily deployed to end-users and even to your employees. For more information, check out DetectID from Easy Solutions.