Two-factor authentication (2FA) is an essential security measure for any service you sign into. For authenticating sign-ins and transactions on mobile apps, using SMS to verify phone numbers has become the norm.
With this method, the user’s expected phone number is sent a text message with an OTP (one-time password), and if the user enters the correct OTP back into the app, it is assumed that they are the phone’s owner.
But if your mobile application uses SMS OTP to verify your users, there are a few security essentials you really need to know about how this system works behind the scenes. Read on...
When you transmit secure information such as passwords online, that data is usually encrypted – meaning that it’s turned from its original form (‘plaintext’) into an encoded form (‘ciphertext’) that can only be accessed by authorised parties.
SMS, however, runs on Signalling System 7, a protocol for machine-to-machine communication from 1975, which wasn’t designed with human intervention in mind. That means anyone able to access a network can see SMS messages – including sensitive information such as 2FA codes – in plaintext.
SMSCs (SMS Centres) work using the ‘store-and-forward’ technique. They receive the message from the sender, save it, and then attempt to forward a copy to the recipient on a ‘best-effort’ basis (learn more here).
As well as the obvious security problems when it comes to sensitive information like password reset codes, this also means that in some cases, the message simply never arrives – which is why you still need that ‘resend code’ option.
You’ve probably received an SMS message out of the blue where the sender is listed as your bank, post office, or pharmacy, despite not having that company’s details saved to your phone. This is possible because most Mobile Network Operators support using Alphanumeric senders as the origin of SMSes. Achieved with ‘SMS gateway software’, this has legitimate origins: it’s convenient for a business to identify themselves when they send important information to users en masse, as customers might ignore a random phone number.
Unfortunately, as is often the case, this technology has been used by criminals to masquerade as a business and steal information. Since there are few checks, it is possible for you to receive an SMS that claims to be from a sender with no real association. Attackers impersonate banks and businesses, attempting to trick users into following a malicious link or replying with personal or financial information.
The good news is the likelihood of an attacker breaking into the SS7 network to find 2FA information is quite low. Unfortunately, though, there’s a steadily rising number of cases of SIM swap fraud as a more sophisticated way to steal this information.
In a SIM swapping attack, the fraudster will either bribe a telco employee or use social engineering to assume a target’s identity, saying that they’ve lost their phone and want to switch to a new SIM card.
This means all messages and calls meant for the target’s phone number are now rerouted to the attacker, who then swiftly triggers SMS-based security to break into financial accounts and reset passwords before the victim can take action.
It’s clear that relying codes, especially through a method as insecure as SMS, is flawed. But other methods, such as biometric and hardware authentication or downloading external apps, aren’t universal – you can’t expect all your users to adopt them.
Luckily, there’s now a method of mobile authentication that has all the conveniences of SMS without any of the security or UX problems.
With a tru.ID solution, the only thing you need from your user is permission to process their phone number. It’s so simple: the user enters just their mobile phone number, and the app communicates instantly with the MNO (mobile network operator) to verify that this number is the one linked to that SIM. It’s frictionless, invisible authentication that looks like magic to the user, and it can also mitigate SIM swap fraud.