SMS OTP security and what to do to protect yourself
While explaining our GetOTP: Multi OTP API product to anyone who is willing to listen, this is a question that we have been asked time and time again.
“So, is it or is it not secure?” you ask.
Before we answer that…
Let us go through examples of how you can get hacked even though you’re using SMS OTPs.
1. Malware on your phone
This is the most common form of hacking with the highest rate of success. The attacker infects your smart device with a malicious app, which you downloaded from the internet. The malicious app has permission to access your SMS messages and to connect to the internet to send those messages to the attacker’s server.
This is the biggest reason why we’re seeing an explosion of scams and attacks in recent years, due to the obliquity of the smartphone in our lives.
How to protect yourself
On your part, you can prevent this by not downloading unknown apps from unknown places or companies. Also, apps with few reviews, or that ask for permissions that they shouldn’t have in the first place. For example, if a free gaming app says it wants to access your SMS messages, it’s a red flag.
2. SIM swap attacks
This is a more elaborate form of hacking through social engineering, which targets the human factor.
The attacker will call your mobile carrier, impersonate your identity and get your carrier to reissue another SIM under your name. Once they have the “new” SIM, they can use it on a different device and receive an SMS sent to your number. When this happens, you will lose connectivity on your own device. It’s a telltale sign that you’re being attacked if you were not expecting to lose connectivity.
In order for the attacker to be successful, she or he needs to know something about you, such as your address and your full name. This means that this will most likely be a targeted attack on yourself, and not a full-blown attack affecting many people.
How to protect yourself
Granted, this is not a problem with SMS OTP per se, but a weakness in the human processes within the carrier itself. Carriers can reduce the risk of these attacks by adding checks. A good example is making a call to the real subscriber to confirm through a secondary number or email. In general, by removing as many human elements within the process and automating as much as possible.
On your end, make sure to review how the carrier of your choice implements this process and try going for one that fits what we described above.
3. Compromised SMS Centers
If the SMS centres managed by our mobile carrier themselves that receives and routes SMS to mobile phones are compromised, then anything that you send and receive will be accessible to the attacker.
How can the SMS centres get compromised? Well, it is difficult, but not impossible. Malware attacks that trick the carrier’s employees, or outright illegal acts by rogue employees which break into the SMS centres and leak data come to mind.
Carriers in all legal jurisdictions operate through licenses given to them by the government. In exchange for these licenses, the carriers need to adhere to certain standards of operations, which include security standards. You should expect a higher security standard from your carriers than you would if you’re storing sensitive data in your own home.
How to protect yourself
Again, make sure you’re going with a reputable carrier and hope for the best.
4. Intercepting your mobile traffic
If you’re a particularly important or famous person, like the president of a country, or controversial politician, or even a successful drug lord, then congratulations: This particular attack is for you.
An attacker tries to intercept the traffic between your mobile and the carrier itself in the air, through tools such as an IMSI Catcher or an RTL-SDR radio scanner. These tools are easy to find and use and are common within law enforcement, but the attacker needs to be close to the target and listen to the correct traffic. Remember the stakeout scenes in unmarked vans parked at the side of the street that detectives usually do to catch a criminal? Yes, that is what is required if you’re trying to attack someone with this method.
How to protect yourself
If you’re not a president of a country, or controversial politician, or even a successful drug lord, no need to worry. You’ll probably never have this issue.
5. Fake redirects
Most of the time though, it’s not even the SMS itself.
Man-in-the-middle attacks target you by setting up a fake site or an internet access point. These types of attacks intercept your data and try to either redirect you to a fake site and get you to input a valid SMS OTP sent to your mobile, or try to replicate the verification data which you used to log in to an online service using a valid SMS OTP.
These types of attacks are easy to execute and will be the more common types of attacks.
How to protect yourself
You can avoid them by making sure that you’re accessing sites that are encrypted (they will have HTTPS in their URL) and also not to click on links from emails or SMS which you did not expect to receive or from unknown sources.
6. Brute force attacks
Finally, we have the classic brute force attacks. Attackers will do thousands of attempts with many different combinations of OTPs at the website they want to break, hoping that one of those will be a valid OTP.
How to protect yourself
This is beyond our control, but the website administrators can protect themselves better by rate-limiting: Controlling the number of attempts allowed in a period of time. We have this feature in GetOTP through the usage of Captcha, and if website administrators use our API, they can forget about the nitty-gritty details of trying to implement a secure OTP mechanism.
In conclusion
How secure an SMS OTP directly depends on how secure the receiving device is. Just like the device, the OTP is also vulnerable to physical attacks. If an attacker gains physical access to your device, then all bets are off.
Remember that SMS-based two-factor authentication (2FA) is still better than having your usual username/password combination. Billions of SMS messages are being sent and received every single day, and due to its ubiquity, SMS will not be going anywhere overnight.
Having said that, only having SMS OTP as your only authentication method is not good enough. It should be coupled with email, voice, or a strong login/password mechanism. The usual advice applies here: Set strong passwords with more than 8 random characters using alphabets, numbers, and signs, and never use the same password for different websites.
When we talk about security, it usually boils down to these two things: – There is no silver bullet to “security”. Have different ways to authenticate, like having more than one lock at your door. – It’s always a trade-off of convenience and security. For 99% of us, the usual precautions like not installing what we don’t know and not clicking on strange links, coupled with good passwords and SMS OTP will be enough. Of course, depending on who you are and what you’re going to protect, this will definitely change.
To conclude, SMS OTP is “secure enough” for most of us, but it comes with the condition that all the other parts that surround it, especially the device that receives the SMS OTP is also secure.