The problem with SMS OTPs: Why this 2FA method isn’t as secure as you think

by Thomas Hull | June 30, 2023

For most of us, hardly a day goes by without needing a code from an SMS message in order to log in to an online service, confirm our identity, or authorise a transaction. SMS OTPs have become the most popular method for two-factor authentication (2FA) – but they aren’t as secure as many people believe.

Malicious actors are taking advantage of the weaknesses of SMS messaging to steal sensitive information and commit identity fraud – using social engineering, phishing (or ‘smishing’), and other fraud techniques including SMS spoofing and pump fraud.

Some form of multi-factor authentication (MFA) is increasingly recognised as an essential security measure for any service you sign into. SMS OTPs have become standard because everyone has a mobile phone, and it is attached to a different identity than the initial login factor (usually an email and password).

But this method of mobile authentication isn’t actually as secure as you may think. Not only can an SMS message be spoofed so that it actually originates from a malicious actor, but messages can also be intercepted by man-in-the-middle attackers with increasing ease in order to perform account takeover (ATO) attacks.

We’ll explain different fraud methods and how they work – and the silent network authentication alternative, which still uses the mobile phone but with superior security.


‘Smishing’, man-in-the-middle, and social engineering attacks

One of the biggest SMS OTP vulnerabilities is ‘smishing’ (SMS phishing), a phishing method that uses SMS messages instead of emails to trick users into providing a fraudster with confidential information. A type of social engineering, smishing attacks typically start with a text message that appears to be from a legitimate source, such as a bank or an online retailer.

The message may ask the recipient to verify their account information or enter a code at a link; often claiming to be a security measure, which prompts quick action. In fact, the link will be a fraudulent copy of the real website’s login page, designed to capture user information – including real SMS OTP codes.

Once the victim enters their password and OTP, the attacker has all the information they need to take control of the account. Smishing has been behind several high-profile security leaks, including the 2022 Activision data breach.

MITM (‘man-in-the-middle’) attacks: This attack method is so named because the fraudster directly intercepts messages intended for the victim, including OTP codes. This is possible because SMS was designed for machine-to-machine communications, not for humans, and lacks encryption. Black-hat hackers have built rogue botnets that use malware to infiltrate this global system, enabling them to listen to calls, read SMS messages, and track a phone’s location.

Automated bots to steal OTP codes: Researchers from Stony Brook University recently found that over 1,200 phishing kits designed to steal 2FA codes are out in operation. Vice’s Motherboard spoke to a seller who boasted that these bots can be used by anyone – even if they don’t have social engineering skills.

SIM swap fraud: SIM swap is a sophisticated, personalised attack method which hinges on directly intercepting SMS security codes to take over a victim’s accounts. Bad actors can fraudulently convince a mobile network to assign the victim’s mobile number to a new SIM card, letting them steal incoming codes directly. (Learn more on our blog about how SIM swap works, and how to protect yourself from an attack.)

SMS spoofing: How fake sender information appears legitimate

SMS spoofing attacks involve criminals altering their sender information (name and mobile phone number) to make an SMS message seem legitimate. This tricks the victim into clicking on a malicious link which compromises their account, as in other phishing schemes.

It works because the sender information shown on a message is not actually tied to the phone that sent it: the message goes to a central server, which then forwards it to the recipient’s mobile phone along with whatever sender details it was given. So it’s easy to send a text message ‘from’ any business.


Bad actors commonly pretend to send a text from a bank to initiate these spoof attacks. After capturing the victim’s banking or other login details, the fake website downloads malware onto the user’s device, allowing the attacker to bypass the second layer of security, intercept OTPs, and use the victim’s information to make purchases or payments to themselves.

Lots of people fall for it, given how often we receive legitimate links and OTP codes via SMS. Smishing accounts for 55 percent of digital payment frauds in India, making it the biggest type of fraud in the country today – learn more about how SMS spoofing is used to steal UPI information from Indian consumers.

SMS pump fraud: the $6.7 billion scam taking advantage of businesses

SMS pump fraud, also known as toll fraud or AIT (artificially inflated traffic), happens when organised criminal groups work with insiders in telecom networks and international premium-rate number providers (IPRNs), generating a large volume of expensive SMS traffic.

Exploiting signup forms that generate codes automatically, they use bots to trigger a large volume of calls or SMS messages to a block of premium-rate numbers. The targeted business must pay the cost of every message sent, and the criminal group splits the profits with the provider.

The cost to business and mobile networks can be huge, with the Communications Fraud Control Association (CFCA) estimating global losses at $6.7 billion in 2021. In January 2023, Elon Musk claimed Twitter lost $60m to SMS pump fraud.
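As an added illustration (not from the original article), the Python below looks for the traffic pattern described above in a constructed OTP-send log: a burst of code requests to a contiguous block of destination numbers, which organic sign-ups do not produce. The log format, the number block and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample OTP-send log: ISO timestamp, destination (E.164), client IP.
SAMPLE_LOG = """\
2023-06-30T10:00:01Z +447700900001 203.0.113.5
2023-06-30T10:00:02Z +447700900002 203.0.113.5
2023-06-30T10:00:02Z +447700900003 203.0.113.5
2023-06-30T10:00:03Z +447700900004 203.0.113.5
2023-06-30T10:00:03Z +447700900005 203.0.113.5
2023-06-30T10:00:04Z +447700900006 203.0.113.5
2023-06-30T10:00:05Z +447700900007 203.0.113.5
2023-06-30T10:00:05Z +447700900008 203.0.113.5
2023-06-30T10:02:10Z +14155550123 198.51.100.7
2023-06-30T10:02:40Z +14155550123 198.51.100.7
"""

def parse_log(text):
    """Parse 'timestamp number ip' lines into (datetime, number, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, number, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), number, ip))
    return events

def find_ait_bursts(events, prefix_len=9, window=timedelta(minutes=5),
                    min_numbers=5, max_span=100):
    """Return [(prefix, distinct_numbers)] for prefixes that look like AIT.

    Flag a prefix when at least `min_numbers` distinct destinations sharing
    its first `prefix_len` characters receive codes inside `window` and span
    a numeric range of at most `max_span` (a contiguous block). Repeated
    sends to one number (a user retrying) count as a single destination.
    """
    by_prefix = defaultdict(list)
    for ts, number, _ip in events:
        by_prefix[number[:prefix_len]].append((ts, number))
    flagged = []
    for prefix, hits in by_prefix.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            nums = {int(n.lstrip("+")) for _, n in hits[start:end + 1]}
            if len(nums) >= min_numbers and max(nums) - min(nums) <= max_span:
                best = max(best, len(nums))
        if best:
            flagged.append((prefix, best))
    return flagged
```

Flagged prefixes are candidates for blocking or for a per-destination-range cap on the signup form before the messages are paid for.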


If not SMS, then what? The silent, network-based alternative for mobile authentication

Ultimately, password-based identity and authentication will always be flawed – even a one-time passcode. If it can be copied and pasted or forwarded, it can be phished and stolen with ease. SMS OTPs don’t even have the advantage of being best for user journeys: as a fiddly extra step in onboarding, they provide a frustrating user experience, causing delays and drop-offs.

The better alternative is to remove OTPs from the user journey, and move to truly digital possession-based authentication. And it’s easy to do.

Every mobile phone on the planet has a SIM card with built-in encryption that connects us to the phone network, silently and password-free, every time we make a call.

We call this Silent Network Authentication, and it’s now available for not just telcos, but any business or organisation.

How to get started with Silent Network Authentication

Silent Network Authentication uses the existing cryptographic security built into a SIM card to authenticate the mobile number of the device being used, and link that to the customer’s account.

As this approach does not use SMS OTPs, it’s not vulnerable to man-in-the-middle attacks, social engineering or SIM swap fraud. It also makes life easier for the customer, as it’s a seamless and invisible experience.

The authentication works by using a secure, encrypted connection from the mobile device to the mobile network operator, which then verifies the associated mobile number.

Once verified, the mobile phone number can be compared with the device previously registered against that user’s bank account. If there is a match, the transaction can proceed.

The whole process is simple for the customer but highly secure, requiring no input from the customer (other than typing their mobile number) – which means no room for malicious actors.

  • Seamless and secure: SIM cards use the encryption technology already present in every mobile network, and they’re used every day to allow us to log on to a network via our devices without any usernames or passwords.

  • Simple, affordable, standardised: It’s the same secure technology that allowed debit cards and credit cards to replace cash and cheques as the primary payment technology – by tethering a unique microchip to a portable device.

  • Unambiguous verification: You can be sure that the SIM card either is or is not present – no fake bot accounts will be verified, helping prevent SMS pump fraud.

  • Already live and universal: Most of us already carry smartphones with us everywhere we go, and already use them as a primary point of access to the internet. Rather than asking more of your users, you can simplify their experience.

To learn more about how Silent Network Authentication from IDlayr could help your business move past SMS OTPs, talk to us today.