Saturday, August 22, 2009

SMS based 2-factor authentication not that secure?

There is a push to get away from token based two factor authentication (for the not security savvy folks: Tokens are the little things that displays numbers and are used to login to your bank or work account). Using your cell phone (for the non-US readers: mobile phone) instead seem to be a general trend. Many companies are now offering SMS based two factor authentication, using your cell phone as a secure device to provide you with a code.

How does it work? A text message (SMS) is send to your cell phone containing a code. Once received, you simply need to type it when trying to log into your account online.

The idea sounds brilliant. Cutting down the cost by not buying the expensive token devices. And as an extra benefit, no clunky device on your key chain

But as always the devil is in the details. Is a cell phone really that secure? The GSM standard that has been the predominant technology worldwide for quite some time, with core developed taken place quite some time ago. At that time some compromises were made when it came to security, simply to shave of some of the costs.

Also in some of the more "regulated" countries the encryption, that is offered with the GSM standard, is not used (e.g. Pakistan). Other Operators like "Eltasel", a mobile operator in the United Arab Emirates, seem to have their own idea of privacy and security. According to several news articles Eltasel tried to install malware on its customers Blackberries to snoop on them. It is suspected that Eltasel was serving the local government when doing this but it is still not clear.

Another development of interest is that suddenly certain cell phone models are increasing in price on the 2nd hand market. A German Nokia 1100 handset supposedly went for 25K Euros in the Netherlands. Rumors have it, that those handsets can be used to intercept SMS messages. Currently an investigation into the technical details are pending but if it is possible than it is just a question of time before other models might come in demand with even bigger flaws.

All in all this does not look too good if you ask me. Cell phones were designed for voice calls and security even for that has been lacking. But now we are trying to use this platform for way more, a secure communication device that allows us to log into critical systems. If you ask me, I think we have a little bit to go before there is a clear trust model on channel and end-point security with mobile devices in general.

Some background reading:

25K Euros for an old Nokia
Handset makers the criminal's friend
Eight accused in AT&T, T-Mobile $22m ID theft scam


1SSA - Security Consulting, Training and Products