If you use SMS instead of U2F…
SMS 2FA is arguably the weakest kind possible. Instead of the second-factor being tied to your physical device, it’s tied to your phone number.
Attack #1: Retrieving codes by attacking voicemail systems
Many services like Gmail and LinkedIn allow SMS-based account recovery. If you forget your password, you can receive a text to your phone with a code that allows you to log in.
Some services let you receive that code via phone call as well. A robot reads you the code in the call, and if you don’t answer, it goes to your voicemail.
But voicemails are remotely accessible. If I know your voicemail PIN, I can access yours right now. By default, carriers set a default voicemail PIN for your phone, so if you haven’t explicitly set a PIN, yours is the default.
Attackers are waiting for you to sleep, sending the account recovery call to your phone, and when it reaches your voicemail, logging into your voicemail remotely and listening for the code. Once they have the code — voila, they’re in!
Affected services today include WhatsApp, LinkedIn, and others.
- Don’t have phone-based account recovery on any site.
For WhatsApp, you can’t avoid this, so you’ll need to enable the two-factor WhatsApp PIN setting.
- Call your carrier and disable voicemail. If you don’t want to disable voicemail, at least set a voicemail PIN if you haven’t already.
Attack #2: Phone porting
As described earlier, this is what phone-based account recovery looks like in Gmail.
If you have SMS account recovery set, or SMS 2FA, you are vulnerable to phone porting as well.
An attacker calls your phone carrier, pretends to be you, and asks them to transfer ownership of your phone number to a SIM card they control. All your calls and SMS texts now go to the SIM card they control.
If this happens, and you have SMS-based account recovery anywhere, the attacker can click “Forgot password?”, receive the verification text/call to their phone, and successfully log in as you.
- Call your carrier and set a customer support PIN or passphrase while on the phone with the representative. Any future caller claiming to be you can only make changes to your account if they provide the correct PIN/passphrase over the phone.
- Tell your carrier to lock your phone number to your SIM card, and to reject all requests to port your number to another SIM.
- Instead of ever using your real phone number, use Google Voice or Google Fi. There are virtual phone numbers which can’t be ported, and have the same authentication protections as a Google account.
- Set a voicemail PIN or call your carrier and disable it entirely.
Attack #3: Intercepting texts and calls via fake cell towers
Attackers can intercept your texts and calls by spoofing cell towers. If someone knows your password, or eavesdrops your recovery code, they will get access to your account.
There are about a million ways that cell towers can be spoofed, so I won’t spend too much time here.
If you use an authenticator app (Duo, Google Authenticator, etc.) instead of U2F…
Authenticator apps are tied to your physical device rather than your phone number.
Despite authenticator apps being better than SMS, you are still vulnerable.
Attack #4: Multi-Device Support
I said earlier that authenticator applications are tied to your physical device, so gaining control of someone’s phone number (by phone porting them, for example), does nothing.
However, many of these authenticator applications have “multi-device” support. Meaning, you can turn off this physical tying to your device, and make the codes follow your phone number, just like SMS.
When you enable multi-device support, your authenticator application becomes as weak as SMS.
- Disable multi-device support in your authenticator app.
Attack #5: Shoulder-Surfing for your Seed
When you go to enroll an authenticator app on a site, the site will often present you a QR code to scan with that authenticator app.
If someone from over your shoulder scans this QR code as well, they will have access to all the same two-factor codes that your app generates forever.
1. Make sure nobody is nearby when you enroll your authenticator app to a site.
Attacks that work on both SMS and authenticator apps…
Attack #6: “Real-Time” Phishing
When you enter your password on a site like Gmail, it will ask for you second factor (whether SMS or an authenticator app).
But if you visit a fake Gmail site and enter your password there, the attacker can take your password and enter it into the real Gmail site with your username.
What happens next? You will get a push/text to your phone with a verification code to enter, because the attacker just logged in to the real Google with your password.
The fake site would then either prompt for that code you received, or you would just accept the push request thinking that you’re logging into the real site. In reality, the attacker just logged in to the real Google, and you accepting the push (or providing the code) allowed them to do it.
Here’s a live demo of another real-time phishing tool doing just this:
- Always double-check the URL of any site to which you provide your password.
Attack #7: Mobile malware
Many variants of malware are designed for mobile phones. These variants can read sensitive data from your phone, like one-time codes. Any Android application, for example, can read and send SMS texts when given permission. iOS devices do not allow any app to replace the default messenger for reading and sending texts.
Mobile malware comes in many shapes and sizes. Some rely on the phone being jailbroken, and other times they jailbreak the phone themselves. At a high-level, a malicious application on your phone can steal one-time codes from the device.
- Be cognizant of what applications you run on your phone.
- Limit the permissions you give applications installed on your phone.
Why is U2F better?
The problem with one-time codes is that anyone, anywhere in the world, can enter them.
A U2F-capable device doesn’t provide one-time codes for authentication; rather, it provides a cryptographic signature that can only be produced by that physical device. The private key material can never be extracted from the device, because it’s tied to the hardware.
Here’s a simplified image from Yubico on how U2F prevents phishing by having the device sign the URI, and prevents man-in-the-middle attacks by also signing the TLS channel ID:
Furthermore, these U2F devices support a “test of user presence” — that is, they may require a physical touch of the device to release a signature. To this effect, malware on your system cannot authenticate to a site without your physical input.
In short: when you have U2F set up, an attacker would need physical access to your U2F-capable device. There isn’t a one-time code they can simply enter from anywhere in the world — they need the device itself to generate the signature!
Use U2F as your second-factor for sites that support it, and never worry about getting phished on that site again.
If you enjoyed this post, you can follow me on Twitter, where I post more frequently.