The Hidden Risks of SMS-Based Multi-Factor Authentication

January 24, 2024
Lucie Cardiet
Sr. Manager Web & Search Marketing

A year ago, I moved from Switzerland back to my native country: France. Such a move involves numerous administrative tasks, one of which is obtaining a new local phone number.

I promptly acquired a new number and began the process of updating my accounts for enhanced security through Multi-Factor Authentication (MFA). However, an unexpected challenge arose with my Amazon account. It appeared that my new phone number was already linked to another user's account, presumably by the previous owner who had not removed it.

I reached out to Amazon's support team, seeking to associate my new number with my account. The support team responded quickly, but they could not help. They explained that they could not alter the details of another person’s account without explicit authorization. I could not use my phone number as an extra layer of security.

Account Takeover: A Real-World Scenario

Amazon's account security mechanism has a unique aspect that could potentially be a double-edged sword in terms of account accessibility. If you possess someone's phone number, you have a surprisingly straightforward path to access their Amazon account. By opting to log in with a mobile number and then selecting to sign in via a verification code sent to that number, bypassing the need to input a password, one can gain entry into an account linked to that number.

Amazon sign-in interface and OTP received by SMS.

After signing in this way, the person holding the phone has considerable control over the account. They can reset the account password, update the phone number used for MFA, alter the registered email address, and potentially make purchases using the credit card details saved on the account. Notably, this process lacks a critical layer of security: bank validation is not required for transactions on Amazon, leaving a gap that could be exploited for unauthorized purchases.

Breached Amazon account because of outdated SMS-based MFA

In my case, although I found myself inadvertently logged into another person’s Amazon account due to the shared phone number, I refrained from making any changes or purchases. My intention was not to misuse the access I had stumbled upon. Instead, I took the responsible step of disassociating the phone number from the account it was previously linked to. This action was crucial for me to secure my own Amazon account with my current phone number, thereby enhancing its security and ensuring that I was the sole user associated with my personal account.

How to remove SMS MFA from an Amazon account

This incident highlights the importance of regularly updating and securing account information to safeguard against unauthorized access. It also raises awareness about the potential risks of phone-based authentication methods and underscores the need for users to remain vigilant about their digital security practices.
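A service-side guard against the recycled-number scenario described in this section, as an added example (not Amazon's logic and not code from this article). The names `decide`, `Account` and `number_disconnected_at`, the carrier lookup behind that parameter, and the 180-day re-verification interval are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Actions the article lists as reachable after a code-only sign-in.
SENSITIVE_ACTIONS = {"reset_password", "change_mfa_phone", "change_email", "purchase"}
MAX_PHONE_AGE = timedelta(days=180)  # assumed re-verification interval


@dataclass
class Account:
    phone_verified_at: datetime  # last time the owner proved control of the number


def decide(account: Account, factors: frozenset, action: str, now: datetime,
           number_disconnected_at: Optional[datetime] = None) -> str:
    """Return 'allow', 'step_up' (require a non-SMS factor) or 'deny'.

    number_disconnected_at comes from a hypothetical carrier or
    number-intelligence lookup; None means no disconnect is known.
    """
    sms_only = factors == frozenset({"sms_otp"})
    recycled = (number_disconnected_at is not None
                and number_disconnected_at > account.phone_verified_at)
    stale = now - account.phone_verified_at > MAX_PHONE_AGE

    if recycled and "sms_otp" in factors:
        # The number changed hands after it was verified: the code proves nothing.
        return "deny" if sms_only else "step_up"
    if sms_only and (stale or action in SENSITIVE_ACTIONS):
        # Possession of the number alone must not unlock account changes.
        return "step_up"
    return "allow"


if __name__ == "__main__":
    now = datetime(2024, 1, 24)  # constructed sample values
    old = Account(phone_verified_at=datetime(2021, 3, 1))
    print(decide(old, frozenset({"sms_otp"}), "view_orders", now,
                 number_disconnected_at=datetime(2022, 6, 1)))
```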

MFA / OTP Vulnerabilities

SMS-based MFA, including One-Time Passwords (OTPs) and magic links, while popular, has critical security limitations. These weaknesses are not limited to traditional MFA scenarios but extend to various SMS-based authentication methods.

Failing to update your phone number for account security can result in another troubling outcome: the complete loss of access to your own account.

For instance, neglecting to update your Google account with your new phone number can lead to significant access issues, potentially locking you out of your account. This oversight can create a frustrating and challenging situation, even if you remember your password.

Google security validation with verification code

When you change your phone number but fail to update this information in your Google account settings, you inadvertently create a barrier to entry. The problem arises during the verification process, which is a critical step for ensuring the security and integrity of your account. Google, in its efforts to maintain high security standards, often requires a verification code as part of its two-factor authentication process. This code is typically sent to your registered phone number.

However, if your account is still linked to your old number, you won’t receive these essential verification codes. As a result, despite entering the correct password, you'll find yourself unable to complete the login process. This lack of access to the verification code effectively prevents you from confirming your identity and accessing your account.

Google's error message "can't sign you in"

Moreover, the implications of this issue extend beyond just being unable to check emails or update your calendar. It can disrupt your access to all services associated with your Google account, including essential platforms like Google Drive, Photos, and even third-party sites where you use Google to log in.

Additional Limitations of SMS-based MFA

This revelation about Amazon's login process not only raises eyebrows but also serves as a segue into a broader discussion about the inherent risks of relying on SMS-based Multi-Factor Authentication across various platforms.

Here are additional limitations of SMS-based MFA:

1. SMS Encryption and Malware Threats

SMS messages are unencrypted, making them easy targets for interception and unauthorized reading. Sensitive information, like authentication codes, can fall into the wrong hands, leading to account breaches. However, the technical sophistication required to intercept SMS messages makes this a less likely attack method; most attackers would rather use malware on a device to siphon SMS data.

2. Dependence on mobile networks

Dependence on mobile networks, which can experience outages, renders SMS-based MFA unreliable during critical moments when account access is necessary.

3. SS7 and Sakari Exploits

Contrary to previous concerns, the Signaling System 7 (SS7) protocol is no longer as vulnerable to exploitation. However, the ease of forwarding SMS to services like Sakari, achievable with basic social engineering and minimal cost, presents a new threat vector.

4. Social engineering

Attackers can use social engineering techniques to trick individuals or mobile service providers into divulging confidential information or transferring a phone number to a new SIM card, bypassing MFA measures.

5. Mass Number Purchases for Account Takeovers

An emerging threat involves attackers mass purchasing phone numbers to attempt large-scale account takeovers, leveraging the vulnerabilities in SMS-based MFA.


MFA Best Practices

App-based authenticators like Microsoft Authenticator or Google Authenticator are recommended for stronger MFA. However, the issue with OTP and magic link logins remains unresolved, posing a continuous security challenge. In general, follow these best practices:

  1. Use a unique and unpublished phone number for SMS-based MFA to reduce risks.
  2. Reserve SMS-based MFA for less sensitive accounts, prioritizing stronger methods for high-risk accounts.
  3. Regularly monitor account activities for any signs of unauthorized access or suspicious activities.
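For the monitoring practice in item 3, the following added example (not code from this article or from any vendor) scans account events for the sequence described earlier: a sign-in that used only an SMS code, followed shortly by a credential change. The event names, the tuple layout and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Changes the article names as available after a code-only sign-in.
CRED_CHANGES = {"password_reset", "mfa_phone_change", "email_change"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events (not real logs): time, account, event, login method
EVENTS = [
    ("2024-01-24T09:00:00", "acct-1", "login", "password+sms_otp"),
    ("2024-01-24T09:05:00", "acct-1", "password_reset", ""),
    ("2024-01-24T10:00:00", "acct-2", "login", "sms_otp"),
    ("2024-01-24T10:03:00", "acct-2", "mfa_phone_change", ""),
    ("2024-01-24T10:04:00", "acct-2", "email_change", ""),
    ("2024-01-24T11:00:00", "acct-3", "login", "sms_otp"),
    ("2024-01-24T13:00:00", "acct-3", "email_change", ""),
]


def find_takeover_sequences(events, window=WINDOW):
    """Map each account to the credential changes made within `window`
    of a sign-in that used only an SMS code."""
    last_sms_login = {}
    alerts = {}
    # ISO 8601 timestamps sort chronologically as strings.
    for ts, account, event, method in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "login":
            if method == "sms_otp":
                last_sms_login[account] = when
            else:
                # A sign-in with a password supersedes the SMS-only session.
                last_sms_login.pop(account, None)
        elif event in CRED_CHANGES and account in last_sms_login:
            if when - last_sms_login[account] <= window:
                alerts.setdefault(account, []).append(event)
    return alerts


if __name__ == "__main__":
    for account, changes in find_takeover_sequences(EVENTS).items():
        print(f"review {account}: SMS-only sign-in followed by {', '.join(changes)}")
```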

Corporate Implications and Advanced Solutions

The highlighted vulnerabilities of SMS-based MFA, particularly illustrated by incidents such as this Amazon account breach, underscore the urgent need for reinforced digital security strategies. This is especially critical for enterprises, where the stakes are significantly higher due to the volume of sensitive data and financial assets at risk. In the corporate sphere, the implementation of robust MFA methods goes beyond protecting individual users; it's about safeguarding the company's digital infrastructure, intellectual property, and maintaining trust with stakeholders.

Enterprises must prioritize deploying advanced MFA solutions, like biometric verification and security keys, which offer a stronger defense against cyber threats. Additionally, companies should foster a culture of security awareness, ensuring that employees at all levels understand the risks and adhere to best security practices. This collective vigilance is crucial in an era where cyber threats are not only growing in sophistication but also in their capacity to disrupt business operations and inflict long-term damage on an organization's reputation.

FAQs

What is SMS-based Multi-Factor Authentication (MFA) and why is it used?

SMS-based MFA is a security process that uses text messages to deliver a one-time code or link as an additional layer of verification when logging into an account. It is used to enhance security by requiring a second form of authentication beyond just a password.

How can an old phone number linked to an account lead to security issues?

If a phone number is reassigned to a new user but still linked to the previous owner’s accounts, the new user can potentially access those accounts. This can lead to unauthorized access and potential misuse of personal information and financial details.

What are the broader implications of SMS-based MFA vulnerabilities for enterprises?

Enterprises are at greater risk due to the large volumes of sensitive data and financial assets. SMS-based MFA vulnerabilities can lead to significant breaches, financial loss, and damage to reputation. Enterprises must adopt stronger MFA solutions to protect their digital infrastructure.

How can users mitigate the risks associated with SMS-based MFA?

Users can:

  • Use a unique and unpublished phone number for SMS-based MFA.
  • Reserve SMS-based MFA for less sensitive accounts.
  • Regularly update account information, especially phone numbers.
  • Monitor account activities for signs of unauthorized access.

What is the significance of regular account information updates in digital security?

Regularly updating account information, including phone numbers, helps prevent unauthorized access. If an old phone number is still linked to accounts, it can lead to access issues and potential breaches when the number is reassigned to a new user.

What are the main risks associated with SMS-based MFA?

The main risks include:

  • Interception of SMS messages: SMS messages are unencrypted and can be intercepted by attackers.
  • Mobile network dependency: Outages can prevent receiving authentication codes.
  • SS7 vulnerabilities: Though less common now, attackers can exploit the SS7 protocol to intercept messages.
  • Social engineering: Attackers can trick individuals or providers into transferring phone numbers.
  • Mass number purchases: Attackers can buy phone numbers in bulk for account takeovers.

What should you do if your phone number is reassigned and still linked to your accounts?

Immediately update your phone number in all your online accounts. Contact service providers to disassociate your old number from your accounts. Regularly monitor your accounts for any unusual activity and enable stronger MFA methods where possible.

What are the recommended alternatives to SMS-based MFA?

Stronger alternatives include:

  • App-based authenticators: Such as Google Authenticator and Microsoft Authenticator.
  • Biometric verification: Using fingerprints or facial recognition.
  • Security keys: Physical devices that provide an additional layer of security.

What role do Security Operations Centers (SOCs) play in addressing MFA vulnerabilities?

SOCs are crucial in monitoring, detecting, and responding to security threats. Implementing a robust threat detection and response platform within SOCs can help identify and mitigate MFA-related vulnerabilities, enhancing overall security.

How can companies foster a culture of security awareness among employees?

Companies can:

  • Conduct regular security training and awareness programs.
  • Encourage best practices for digital security.
  • Promote the use of strong MFA methods and regular monitoring of account activities.
  • Ensure employees understand the risks and are vigilant about potential threats.

Implementing these measures and maintaining a proactive approach to digital security can significantly reduce the risks associated with SMS-based MFA.