NIST Has It Right: SMS Is Not Secure
August 17, 2016
The National Institute of Standards and Technology (NIST), the non-regulatory agency of the United States Department of Commerce that publishes guidelines to assess the security of products and services in the government and private sector, recently confirmed something security professionals have been saying for a number of years—that SMS is not secure.
Specifically, NIST called out the risk on SMS use for two-factor authentication (2FA) in the latest draft of the Digital Authentication Guideline (DAG). While the guidelines are still under discussion, it is almost a certainty that future versions will discourage the use of SMS-based authentication for out-of-band (OOB) verification, a type of 2FA.
First, a few definitions are in order. Two-factor authentication (2FA) refers to the accepted security practice of confirming a user's claimed identity with two different kinds of attributes: something the user knows (for example, a PIN), something the user possesses (such as an ATM card), or something the user is (for example, the user's fingerprint).
Out-of-band (OOB) verification refers to the use of two separate networks to authenticate a user. When you forget a password and have a temporary one texted to your phone, that’s an example of out-of-band security. This method is believed to make fraud more difficult to commit because two separate and unconnected authentication channels would have to be compromised for an attacker to gain access.
However, security experts have known for years that SMS is a vulnerable 2FA method, and determined criminals can, in fact, exploit it. Possession of the person's mobile device is not required: SMS can be intercepted with man-in-the-middle attacks, or the message can be forwarded.
Further, criminals can attempt to substitute their own phone number for their victims’ number prior to attempting access. The effectiveness of this technique depends on the organization’s strict adherence to security protocols in changing account information.
For these and other reasons, fraudsters often specifically target SMS as a potential access point. Malicious software can exploit SMS functionality to send fraudulent text messages or fake incoming SMS messages (for phishing). Users may be tricked into clicking fraudulent links or disclosing sensitive personal information. Further, SMS over VoIP should never be used because some VoIP services allow SMS messages to be intercepted.
Despite these vulnerabilities, the industry has long accepted them for lack of an alternative. Fraud and authentication professionals have struggled to find the right replacement.
Instead of SMS, the guideline recommends the use of tokens, one-time code generators, and software cryptographic authenticators to prevent fraud. With these tokens in place, changing the pre-registered telephone number is not possible without two-factor authentication at the time of the change, closing one potential access point to fraudsters.
Further, communication through dedicated apps, coupled with authentication software that delivers server-to-client messages point-to-point over an encrypted channel with no external intermediary, is remarkably secure. Transmissions sent along this route cannot be intercepted or replayed.
Messaging done in this fashion reduces reliance on costly, ineffective, and insecure third-party message providers, like SMS, and ensures that only the intended device can receive and read the message.
Another best practice for authentication mentioned by NIST is the use of biometrics. If more authentication is needed, the user can combine the device as "something you have," the biometric as "something you are," and the location of the device as "somewhere you are" to create solid multi-factor authentication. In particular, the NIST summary states that biometrics should follow a set of standards such as those created by the FIDO Alliance.
The good news is there are now viable security methods to use in place of SMS. The challenge remaining is getting companies to adopt them. Hopefully the revised NIST guidelines will provide the spark.
About the Author
Michael Lynch serves as Chief Strategy Officer of InAuth, where he is responsible for leading InAuth’s new products strategy, along with developing key domestic and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership. Prior to joining InAuth, Lynch served as a Senior Vice President for Bank of America, responsible for Authentication Strategy. He served at Bank of America for 14 years in various leadership positions within technology, customer protection, and online and mobile security strategy roles. Prior to Bank of America, Lynch specialized in information technology in various financial services, Fortune 500, and consulting services roles.
Edited by Peter Bernstein