This blog article makes two main points:
- that of the several ways of doing two-factor authentication, SMS (text messaging) is by far the most insecure, and
- if you have no choice but to use SMS two-factor authentication, there is a way to be really smart about it.
The way to be smart about SMS two-factor authentication is to create your own virtual cell phone from clever and inexpensive voice-over-IP building blocks.
First, a discussion of why and how it is that of the several ways of doing two-factor authentication, SMS (text messaging) is by far the most insecure.
Some systems and protocols are and have been designed from the outset with the goal of making them secure. An example that we are all familiar with is the “https://” protocol for web sites. Everything about “https://” was designed from the beginning to be as secure as possible. The protocol itself has been constantly scrutinized for weaknesses and has been improved many times. Various underlying processes such as the procedures for issuing SSL certificates have been made more rigorous over the years.
Text messaging (SMS) began in the 1980s. The designers of the parts of the telephone networks that carry SMS messages did not have a goal of making, nor did they have a responsibility to make, the text message systems secure or bulletproof or ultra-reliable.
Among the many security weaknesses of SMS is that an attacker of only modest technical sophistication can spoof a cell tower and trick a mobile phone network into thinking that the attacker’s device is your cell phone. In that case the attacker’s device receives your text messages.
Again it must be emphasized that in the 1980s when system designers came up with the idea of a text message, this was never intended as a way to (for example) authenticate you to a bank. It was intended (for example) as a way of permitting two friends to make a plan to meet at a restaurant.
An attacker need not have any technical sophistication at all to call up your mobile phone company, pretending to be you, with a story that you dropped your cell phone into a puddle and you (they) need the mobile phone company to transfer your telephone number to the new telephone that you (they) just bought for cash at Wal-Mart. If they succeed in such a “social engineering” attack, they can intercept your text messages.
Again it must be emphasized that years ago when mobile phone companies set up procedures for things like transferring a telephone number to a new phone, the company was not under any obligation to (for example) protect the money in your bank account, or prevent someone from hijacking your social media page. The mobile phone company’s goal was to make you a happy customer even if you had had the bad luck to drop your phone into a puddle.
Here are two articles about this:
- So Hey You Should Stop Using Texts for Two-Factor Authentication (Wired magazine)
- SMS two-factor authentication is unsafe – Use these instead (Slashgear)
When one reflects upon this history and this context, one realizes that it is really quite unfortunate that so many otherwise intelligent and responsible institutions (banks, credit card companies, service providers, social media companies) have made the mistake of forcing the world of SMS messaging to serve as a way to protect the money in your bank account, to prevent an unauthorized purchase on a credit card, or to prevent someone from hijacking your social media account. That world was never intended for anything more life-critical than meeting up with a friend at a restaurant.
So what exactly should you do with this information? One thing to appreciate is that if a bank, credit card company, service provider or social media company lets you select from among several ways to do two-factor authentication, and one of those ways is not a text message, then you should probably use one of the ways that is not a text message.
For logging in at ePCT, for example, one good way to do two-factor authentication is the “browser certificate” approach.
For logging in at MyUSPTO or ePCT, a good approach is the TOTP method. (See my blog article “Being smart about TOTP”.)
But the sad fact is that even though everyone who has paid attention to the history and technology of SMS messaging realizes that it is really dumb to use it for two-factor authentication, lots of otherwise intelligent banks, credit card companies, social media companies and other service providers stupidly use SMS messaging as their only way to do two-factor authentication. My point is that sometimes you, the user or customer, don’t get to pick what kind of two-factor authentication will be used.
In such a situation, how can you be smart about it? How can you eliminate the risk that an attacker might set up a fake cell tower to spoof your mobile phone and intercept your text messages? How can you minimize the risk that an attacker might call up your cell phone company with a sad story about a phone that got dropped into a puddle, so as to induce the cell phone company to transfer your telephone number to the attacker’s telephone, so as to receive your text messages?
I will tell you how you can be smart about it. The way to be smart about it is to create your own virtual cell phone. You can do it using clever and inexpensive voice-over-IP building blocks.
I created a new virtual cell phone just now, specifically for the purposes of this blog article. The entire process took only about thirty minutes, most of which was spent writing about it for the blog article. Here are the steps that I took.
(If you do not already have an account at Voip.ms, then you are behind the times. You need to get an account at Voip.ms. By the way, any customer of Voip.ms, no matter what country you are in, can call any other customer of Voip.ms for free. Just consider that if every reader of this blog article in every country around the world were to switch to Voip.ms for our telephone service, we could all call each other for free.)
First, I purchased a new DID (a direct-inward-dialing number, that is, an ordinary telephone number) at Voip.ms. The new DID that I picked is +1-970-788-3088, and I wonder if any readers might think this is a lucky or auspicious telephone number. (Please post a comment below!) To purchase this number I had to pay a one-time fee of 40¢, and the recurring monthly fee will be 85¢.
Second, I created a new SIP trunk (Voip.ms calls it a “Sub Account”) and configured my new telephone number +1-970-788-3088 to be routed to that new SIP trunk. I turned on SIP and RTP encryption for the trunk (see blog article). The encryption means that the text messages are protected by strong encryption at most points along the way, in particular on the leg between Voip.ms and my device.
Third, I turned on SMS for this telephone number (in the Voip.ms user interface) and configured it so that text messages go to an email address of my choosing as well as to this newly created SIP trunk. (My email client is also set up to use encrypted connections when sending emails to and receiving emails from my email server.)
Fourth, I went to the Grandstream Wave app in my smart phone.
(You do not have to use the Grandstream Wave app. There are many good VOIP apps for smart phones. The main point here is that you should have some VOIP app on your smart phone.)
I already had several accounts set up in my VOIP app. For the purposes of this blog article I set up yet another account in my VOIP app. I entered the SIP server (denver2.voip.ms), the SIP user ID (which is the name of this newly created SIP trunk), and the SIP password. I configured the transmission protocol to be TLS (meaning that the call setup and signaling is to be encrypted) and the SRTP mode to be “enabled and forced” (meaning that the talk path is to be encrypted). I then clicked on “activate account”. A cheerful green dot showed that my app had “registered” to the “denver2” server which is located in a large windowless building in the Denver Tech Center.
How is this virtual cell phone different from a conventional cell phone? How is an SMS message with this VOIP app different from an SMS message on a conventional cell phone? In what way might it be said that this virtual cell phone makes it possible to be smart about SMS two-factor authentication?
One thing is that an attacker with a goal of intercepting an SMS message to +1-970-788-3088 will accomplish nothing by setting up a fake cell tower and spoofing a cell phone. The reason is that my carrier (Voip.ms) is not a mobile telephone carrier. Nothing about this telephone number ever connects to cell towers or cell phones in the traditional way.
Another thing is that an attacker with a goal of transferring the telephone number +1-970-788-3088 to a newly purchased phone from Wal-Mart by calling up a mobile phone company and doing some social engineering will get nowhere. My carrier (Voip.ms) is not a mobile telephone carrier.
There are some other nice things about this way of receiving SMS messages.
Suppose I use a traditional cell phone for my text messages. And suppose I happen to be in a rural location with poor or nonexistent cell coverage. Or I am on an airplane where it is not possible to use a cell phone (even if I can connect to wifi for an Internet connection). Or suppose I am in the basement of a building in a place with no cell coverage. Or suppose the battery in my cell phone has run down. Under any of these circumstances I would not be able to accomplish a login using SMS two-factor authentication.
But with this VOIP-style way of receiving an SMS message, I might do better. I can receive the SMS message anywhere that there is an Internet connection. Because I have also set it up for the SMS message to be emailed to me, I can receive the one-time passwords by email as well as via the smart phone app. This would permit me to do a two-factor login even if my cell phone battery has run down or even if I am on an airplane.
If you want to see for yourself how this can work, send me an SMS message to this newly created virtual cell phone +1-970-788-3088. I will send an SMS message back to you. At my end, there will be no legacy mobile phone service involved.
I must disclose that the SMS service provided in this way by Voip.ms only permits me to send SMS messages to US and Canadian ten-digit telephone numbers. Not only that, the Voip.ms people say they are not able to offer assurances that an SMS message sent to this number from a number outside of the US and Canada will be received.
This telephone number works for voice calls too, if I happen to be in a place with robust Internet connectivity. I have not gone to the trouble of setting up voice mail on this telephone number, but I could easily do so on the Voip.ms platform. If I were to do so, this would come rather close to providing a substitute for traditional mobile telephone service. And this would be at a small fraction of the monthly cost of legacy mobile telephone service.
Do you think this telephone number is lucky or auspicious? Have you created such a virtual mobile phone for yourself, like this? Please post a comment below. Oh and please send a test SMS message to this new telephone number and I will be glad to answer it.