Just a few months ago, we wrote an article about the dangers of using SMS (text) to support multi-factor authentication (MFA), called Breaking the SMS Habit. SMS verification can also be called OTP (One Time Password) as it’s essentially the same: a code is delivered via text and the user then takes that code and enters it as a second factor.
After hearing stories and reading the latest security blogs, it seems the message to move away from SMS is worth repeating for Financial Institutions (FIs) and their customers. Many FIs are currently increasing use the MFA for a variety of reasons, so when you are undertaking those projects, please heed our call to disable SMS as a verification option. Here’s why:
- One Time Password (OTP) Bots- There are a variety of internet services out there designed to trick people into giving up their SMS authentication. These are services where hackers can pay as little as $16/mo. to use the service. Granted they need information about a person, such as a telephone number, however, this information is not difficult to obtain.
A cybersecurity intelligence firm, Intel 471, noted: “Over the past few months, we’ve seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator. Some services also target other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities.”
Intel 471 noted another OTP bot, “The bot provides options to disguise a call to make it appear as a legitimate contact from a specific bank while letting the attackers choose to dial from any phone number. From there, an attacker could follow a script to trick a victim into providing sensitive details such as an ATM personal identification number (PIN), card verification value (CVV), and OTP, which could then be sent to an individual’s Telegram account. The bot, which was used by attackers targeting Canadian victims, gives users the chance to launch attacks in French and English.”
- Coinbase- Coinbase recently disclosed that cryptocurrency was stolen from 6,000 customers after a vulnerability allowed hackers to bypass their SMS verification feature. This began with..guess what…a phishing email designed to trick the user into giving up their credentials and SMS code into a malicious website.
- Call back- As many of these attacks are including a call component, it's very important that we include employee and customer education for voice phishing (Vishing). This is essentially social engineering trickery using a phone call instead of an email. The key here is that these scammers can appear to be from a legitimate phone number from a bank, etc. but still be a scam. Also, the best thing to do is hang up and call the individual or organization the caller claimed to be from in order to verify the request. As most organizations do not cold call individuals asking for personal information, most cases will turn out to be a scam.
- Ransomware- If you performed the Ransomware Self-Assessment Tool, https://www.csbs.org/sites/default/files/2020-10/R-SAT_0.pdf, you may recall that question #10 points to using an application that generates a security code, not a code pushed via SMS. In this case, SMS verification can be circumvented in order to install ransomware.
- Account takeover- A story I heard recently which gave me pause regarding the takeover of SMS verification. An individual had a compromised email account along with having their SMS verifications redirected to the hacker. The hacker then went through this individual’s online accounts using email and SMS verifications to take over the accounts one by one. Since that SMS verification was compromised, it took an extra effort to verify the individual’s legitimacy with their partner organizations, giving the scammer extra time to inflict more damage.
I’m not saying there won’t be a time when the other MFA verification technologies will be targeted as SMS is currently. We all know the scammers go after the weak links until those tactics are not fruitful enough to be worth their time and effort. Until then, we can do our part by moving to verifications such as application notifications or other means of MFA and educating our users and customers to protect their personal and professional lives.
If you are looking for help with your security program, we would love to help you! Contact support@bedelsecurity.com for more information.
Sources:
Krebs on security
- https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/
- https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/
- https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/
Coinbase
Isbuzznews