4

I've been thinking about this subject and found a paradoxical fact. Having a service that has 2-step authorization using SMS might become more harmful and open a vulnerability hole (read: SMS can be intercepted) than not using 2FA at all.

Example for Google, FB or any major service:

With 2-step SMS authentication, you are required to set your phone number in your profile. Those numbers are generally used as a recovery method. So, if an attacker doesn't have your password but can intercept GSM/SMS, then you are in more danger, because he can click "password recovery" and then force the website to send an SMS code to reset your password.

Of course, some of you will say that this might be a "rare" occasion; however, if the target is solid and the attacker is not a newbie, this becomes quite a possible route.


Just for reference, for whoever wants to see if there are other people thinking like this, I have also found similar thoughts:

T.Todua
  • "send validation through SMS". So, in your scenario, the attacker knows the account, is physically near the victim and has the ability to intercept SMS. And you are asking, in this specific alignment of factors, if the SMS 2FA opens a vulnerability? – schroeder Sep 06 '19 at 14:53

3 Answers

8

Having multiple factors of authentication is always more secure than any one of those factors on its own.

A password and a token from an SMS message is harder for an attacker to circumvent than just a password or just a token sent through SMS.

However, SMS itself is currently considered the least secure authentication method, and there does not seem to be any way to make it more secure. It should never be used as the sole authentication method.

A person's cell phone number can be reassigned to a different device without the user being aware. This can be done either by social engineering against tech support representatives, or by malicious (bribed) agents at any cell phone store.

In your example, where validating account ownership for the purposes of resetting the password is conducted solely through SMS messaging, if the attacker can reassign your number to their phone, they can gain control of both factors. Google and several other large sites have additional steps to prevent this, such as sending emails to the account owner. However, this has been the basis for losing several accounts in the past, including a few where a couple million dollars worth of bitcoins have been stolen from people who use online exchange and wallet sites.

Ghedipunk
2

If it's possible to get a password reset token through SMS, and then to log in using the (reset) password + an SMS OTP, then that site does not have 2FA. It might claim it does, but it is WRONG, because the attacker can reach an authenticated state while having only a single authentication factor (access to your SMS).

It's really that simple. The implementation issues that this raises are plausibly more complicated (though in this case, they aren't; just use emailed password reset tokens like everybody else!) but the simple fact of the matter is that a system like you described does not have 2FA.

CBHacking
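The two answers above make the same structural claim from two directions: Ghedipunk's, that an attacker who gets the number reassigned holds both "factors", and CBHacking's, that a site which sends reset tokens by SMS and then challenges with an SMS OTP reaches an authenticated state from a single channel. Below is a small Python model of that flow, added here as an illustration; it is not code from the question, the answers, or any real service. The `Service` class, its in-process `outbox` dict (standing in for the SMS and email networks), and the user "alice" with her phone number and address are all constructed for the example. It runs the same SMS-only attacker against two reset policies and shows that the attack succeeds only when the reset token also travels over SMS.

```python
import hashlib
import hmac
import secrets


class Service:
    """Toy password + SMS-OTP login with a configurable password-reset channel.
    Constructed for this example; not any real site's implementation."""

    def __init__(self, reset_channel):
        assert reset_channel in ("sms", "email")
        self.reset_channel = reset_channel
        self.users = {}                          # username -> record
        self.outbox = {"sms": {}, "email": {}}   # channel -> destination -> last message
        self.pending_resets = {}                 # reset token -> username
        self.pending_otps = {}                   # username -> OTP awaiting step 2

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, phone, email):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                "phone": phone, "email": email}

    def request_password_reset(self, username):
        # Whoever can read the channel the token is sent on can set a new password.
        u = self.users[username]
        token = secrets.token_urlsafe(16)
        self.pending_resets[token] = username
        dest = u["phone"] if self.reset_channel == "sms" else u["email"]
        self.outbox[self.reset_channel][dest] = "reset:" + token

    def complete_password_reset(self, token, new_password):
        username = self.pending_resets.pop(token, None)
        if username is None:
            return False
        u = self.users[username]
        u["hash"] = self._hash(new_password, u["salt"])
        return True

    def login_step1(self, username, password):
        """Factor 1: password. On success an OTP is sent by SMS."""
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(self._hash(password, u["salt"]), u["hash"]):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[username] = otp
        self.outbox["sms"][u["phone"]] = "otp:" + otp
        return True

    def login_step2(self, username, otp):
        """Factor 2: the SMS OTP. True means an authenticated session."""
        expected = self.pending_otps.pop(username, None)
        return expected is not None and hmac.compare_digest(expected, otp)


def attacker_with_sms_only(service, victim, victim_phone):
    """Attacker knows the username and reads the victim's SMS (intercepted or
    reassigned number); has neither the password nor the email account."""
    service.request_password_reset(victim)
    msg = service.outbox["sms"].get(victim_phone, "")
    if not msg.startswith("reset:"):
        return False                          # token went where the attacker can't read
    new_password = secrets.token_urlsafe(12)
    if not service.complete_password_reset(msg[len("reset:"):], new_password):
        return False
    if not service.login_step1(victim, new_password):
        return False
    otp = service.outbox["sms"][victim_phone][len("otp:"):]
    return service.login_step2(victim, otp)   # both "factors" came from one channel


def legitimate_login(service, username, password, phone):
    """The real owner: knows the password and reads their own SMS."""
    if not service.login_step1(username, password):
        return False
    return service.login_step2(username, service.outbox["sms"][phone][len("otp:"):])


def run():
    """Returns {reset_channel: attacker_succeeded} for both reset policies."""
    results = {}
    for channel in ("sms", "email"):
        svc = Service(reset_channel=channel)
        svc.register("alice", "correct horse battery staple", "+15550100", "alice@example.com")
        assert legitimate_login(svc, "alice", "correct horse battery staple", "+15550100")
        results[channel] = attacker_with_sms_only(svc, "alice", "+15550100")
    return results


if __name__ == "__main__":
    print(run())
```

`run()` returns `{'sms': True, 'email': False}`: with an SMS reset policy the attacker never needs the password at all, which is exactly the "single factor" state CBHacking describes; with an email reset policy the stale OTP left in the SMS outbox is useless and the attacker gets nowhere. The model does not claim email is strong in general, only that it is a second channel the SMS-holding attacker does not control.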
0
  1. Getting access to your SMS is much more complex than getting access to your password. That's why, even if resetting the password based on SMS is possible on some sites, it is still more secure than a password.

  2. How can your password be hacked? For instance, there is some malware on your computer that can read your password database and thus knows web sites, user names and passwords. The hacker doesn't need anything about you in advance. You are just a random victim of the hack. Whereas intercepting SMS does not give any information about what sites and what user names you use. That's why hacking your SMS messages makes sense only if the hacker knows your sites and user names in advance. It means the hacker wants to hack you specifically, not just some random person. But if somebody wants to hack you specifically, then you should expect also more serious measures like special hardware installed in your house and in your car. Then you have little chance anyway.

mentallurg
  • 4
    I can take measures to protect myself if using a password, but avoiding an SMS hack is (mostly) out of my hands. It is fine to do a risk assessment and consider that SMS is more secure _for you_, but for another profile it may not be (or they could simply weight it differently). – Ángel Sep 05 '19 at 23:34
  • 2
    First of all, being targeted doesn't mean you will be physically so, [Mat Honan](https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/) was targeted (actually _weak_ targeted, since they only cared that it was a 'premium' twitter account) but I really doubt they would have entered his house to bug his devices. And second, if I am to be targeted at such levels, it is possible that I also have more serious measures, too, such as guards protecting my house or an alligator behind my computer desk. – Ángel Sep 05 '19 at 23:36