- Jun 24, 2016
- 636
NIST Has It Right-SMS Is Not Secure-
By Michael Lynch, Chief Strategy Officer, InAuth:
SOURCE: cybersecuritytrend.com (ARTICLE DATE: 17 Aug 2016)
The National Institute of Standards and Technology (NIST), the non-regulatory agency of the United States Department of Commerce that publishes guidelines to assess the security of products and services in the government and private sector, recently confirmed something security professionals have been saying for a number of years—that SMS is not secure.
Specifically, NIST called out the risk on SMS use for two-factor authentication (2FA) in the latest draft of the Digital Authentication Guideline (DAG). While the guidelines are still under discussion, it is almost a certainty that future versions will discourage the use of SMS-based authentication for out-of-band (OOB) verification, a type of 2FA.
Out-of-band (OOB) verification refers to the use of two separate networks to authenticate a user. When you forget a password and have a temporary one texted to your phone, that’s an example of out-of-band security. This method is believed to make fraud more difficult to commit because two separate and unconnected authentication channels would have to be compromised for an attacker to gain access.
However, it has been well known by security experts for years that SMS is a vulnerable 2FA method, and determined criminals can, in fact, exploit it. Possession of a person’s mobile device is not required as SMS can be intercepted with man-in-the-middle attacks or the message can be forwarded.
Further, criminals can attempt to substitute their own phone number for their victims’ number prior to attempting access. The effectiveness of this technique depends on the organization’s strict adherence to security protocols in changing account information.
For these and other reasons, fraudsters often specifically target SMS as a potential access point. Malicious software can exploit SMS functionality to send fraudulent text messages or fake incoming SMS messages (for phishing). Users may be tricked into clicking fraudulent links or disclosing sensitive personal information. Further, SMS over VoIP should never be used because some VoIP services allow SMS messages to be intercepted..
By Michael Lynch, Chief Strategy Officer, InAuth:
SOURCE: cybersecuritytrend.com (ARTICLE DATE: 17 Aug 2016)
The National Institute of Standards and Technology (NIST), the non-regulatory agency of the United States Department of Commerce that publishes guidelines to assess the security of products and services in the government and private sector, recently confirmed something security professionals have been saying for a number of years—that SMS is not secure.
Specifically, NIST called out the risk on SMS use for two-factor authentication (2FA) in the latest draft of the Digital Authentication Guideline (DAG). While the guidelines are still under discussion, it is almost a certainty that future versions will discourage the use of SMS-based authentication for out-of-band (OOB) verification, a type of 2FA.
Out-of-band (OOB) verification refers to the use of two separate networks to authenticate a user. When you forget a password and have a temporary one texted to your phone, that’s an example of out-of-band security. This method is believed to make fraud more difficult to commit because two separate and unconnected authentication channels would have to be compromised for an attacker to gain access.
However, it has been well known by security experts for years that SMS is a vulnerable 2FA method, and determined criminals can, in fact, exploit it. Possession of a person’s mobile device is not required as SMS can be intercepted with man-in-the-middle attacks or the message can be forwarded.
Further, criminals can attempt to substitute their own phone number for their victims’ number prior to attempting access. The effectiveness of this technique depends on the organization’s strict adherence to security protocols in changing account information.
For these and other reasons, fraudsters often specifically target SMS as a potential access point. Malicious software can exploit SMS functionality to send fraudulent text messages or fake incoming SMS messages (for phishing). Users may be tricked into clicking fraudulent links or disclosing sensitive personal information. Further, SMS over VoIP should never be used because some VoIP services allow SMS messages to be intercepted..
[To read the full article please visit cybersecuritytrend.com]
