
Are old phones safer / safe / as safe as modern smartphones when it comes to auth-tokens / confirmations tokens?

Is SMS encrypted?

schroeder
Joelty
  • Notice that unless your threat model identifies it as such, security token communication is most probably not a weak link worth the effort. This is because it is commonly used as part of [2FA](https://en.wikipedia.org/wiki/Multi-factor_authentication), and thus compromising the token on its own does not compromise your authentication. Subjectively speaking, I'd expect that this is less valuable than compromising your password, assuming that this is your other authentication factor. In contrast to tokens, passwords are managed by people, thus less formally and with less attention. – mapto Nov 22 '18 at 09:37

3 Answers


From an OpSec-perspective, I'd argue that a second, dedicated phone (dumb or smart) is a good idea as long as you treat the dedicated phone as exactly that: dedicated to one exact use case.

You minimize the attack surface because you'll be less prone to web-borne attacks and you'll slightly elevate your security, albeit through obscurity (of your banking phone number). However, all this comes down to how well you operate your second phone.

To expand on that second phone's OpSec, with input from @schroeder and @ste-fu:

  • Use a dedicated SIM card/phone number for banking (and do not communicate this number to others except your banks)
  • Do not use it for browsing
  • Do not use it for messaging/communication with anyone except your banks
  • (smart phone) Do not install apps on it
  • Keep it in a secure spot especially if it's a dumb phone without lock screen protection (PIN/pattern etc.)
  • (smart phone) Disable lock-screen notifications/hide the content
  • Disable mobile data and WiFi
  • Power it off when you're not using it. This is not really a necessity, but it will limit you from compromising your OpSec. Human error is always possible.

In regards to your second question, here's an excellent and in-depth answer on SMS interception/encryption.

SeeYouInDisneyland
  • I would really want to expand your opsec for the 2nd phone: do not use it to browse, do not install apps, do not transfer data to it, and if possible, turn off wifi or only use it at home. – schroeder Nov 22 '18 at 09:25
  • One practical problem with turning it off when not about to receive a 2FA token is that (in my albeit limited experience) banks tend to hold one mobile number to which they will not only send 2FA tokens, but also alerts about suspicious payments etc. Not having the phone on would mean you could miss those. – TripeHound Nov 22 '18 at 14:27
  • FWIW: I called my bank yesterday and asked about this situation. At least at this bank it would be possible to use one number for 2FA/2 Step Authn/mobile TAN, and another number for fraud alerts, general communication etc. – SeeYouInDisneyland Nov 23 '18 at 07:05
  • This is an excellent answer. Thanks for posting it! – securityOrange Nov 26 '18 at 04:01
  • Well, even if you *do* use the second device for browsing etc., using two devices – and thus two separate channels – is still more secure than using *one* (modern) phone, isn’t it? Sure, if you can afford it, minimize its usage for other purposes to make the setup even more secure. – caw Dec 06 '18 at 02:20

As with most things, it depends. For SMS 2-factor authentication the answer is: not really.

The network/telco transmitting the SMS data is the same whether it is a smart phone or a dumb phone. Call centre operatives who get socially engineered can allow takeover of the relevant number, or the actual network can get hacked and the SMS intercepted.

If you had some particularly sensitive account, then using a dumb phone with a unique SIM/phone number for that one account would make it significantly harder for that account, but as soon as you start using the same number all the time, you risk that number becoming associated with all your accounts.

NIST published some guidance saying SMS 2FA was deprecated, although they have backtracked a bit.

ste-fu
  • I like this answer a bit better, as it emphasizes that SMS is not to be trusted at all for something like this. I'd also argue that there are possibly more unknown/unpatched vulnerabilities in old phones (e.g. buffer overflow when receiving a crafted SMS), but I can only speculate about this. – multithr3at3d Nov 22 '18 at 18:33

Using a dumb phone avoids a lot of security issues present on smartphones. I consider a smartphone more a pocket computer, with all vulnerabilities of a desktop computer.

Using an old phone only for receiving tokens will protect the token at rest, because there will not be any running program capable of intercepting the token and sending it elsewhere. But it will not protect the token in transit.

As your telco probably is not security-aware, the token CAN be intercepted while in transit, and your telco can be tricked into transferring your service to another user without much validation (SIM swap attack). Crypto traders are usually targets of this attack.

If possible, don't use SMS for receiving tokens. My bank can send tokens or get a number from an authentication app. I used the latter.

ThoriumBR