Friday, 28 February 2020 11:46

SMS a weak link in two-factor authentication: data guru

Arvind Narayanan: "Some carriers, if you call them and you're able to tell them one or two of the numbers that most recently called you, then they are convinced that you must be the right person." Courtesy YouTube

Using SMS as a means for two-factor authentication can be the weak link that leads to account compromise, according to Arvind Narayanan, an associate professor of Computer Science at Princeton University, who outlined an easy way that he and three of his colleagues had tested out to compromise accounts.

Narayanan, who was participating in the Cryptographers' Panel at the RSA Conference in San Francisco this week, was responding to a prompt from panel moderator Zulfikar Ramzan, the chief technology officer of RSA.

"We were looking at some of the rhetoric around cryptocurrencies... the rhetoric being that it's ultra-secure, because it relies only on math and cryptography," Narayanan said. "And while that part is true, what is also happening is that a lot of people are losing their cryptocurrencies in very, very low-tech old-fashioned ways that bring us right back to the human element."

His reference to the human element was because this was the theme of the conference.

Narayanan went on: "And in particular, the majority of people who have cryptocurrencies store them in online wallets - which is fine if you protect your account properly. But as we know, passwords are very easy to compromise, so these online wallet services will make you get two-factor authentication, often using SMS as the second factor.

"Now, if there's one thing that's easier to compromise than passwords, it turns out to be taking control of your mobile accounts. So that's what we tried to rigorously look at."

He said he and three of his colleagues at Princeton - Ben Kaiser, Kevin Lee and Jonathan Mayer - wanted to see how easy so-called SIM swaps are. "What happens in a SIM swap is that an attacker calls your mobile carrier, pretends to be you and convinces them to transfer your mobile service to a SIM card that the attacker controls," he explained.

"So now they control your mobile phone number and they can use that to easily break the two-factor authentication that you might have on your online services."

He said they tried five different mobile carriers. "In each case, we created 10 different pre-paid accounts and tried to SIM swap ourselves. We were successful with all five carriers. All five of them were using authentication methods that are known to be vulnerable.

"One interesting example is that some carriers, if you call them and you're able to tell them one or two of the numbers that most recently called you, then they are convinced that you must be the right person.

"But how can this go wrong? The attacker can just call the victim and enter a number into their call logs, right? So they hadn't thought about this, we found many vulnerabilities of this type and we published a research paper on that recently."

Narayanan said he was not criticising two-factor authentication. "One thing I would say is, if you have a few minutes - and I think this is really worth a few minutes of your time - go check all of your online accounts, make sure two-factor authentication is enabled - I'm not saying don't enable 2FA - but make sure it is a secure second factor such as an authenticator app rather than SMS which continues to be very vulnerable."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


