The Hidden Risks of SMS-Based Multi-Factor Authentication

January 24, 2024
Lucie Cardiet
Sr. Manager Web & Search Marketing

A year ago, I moved from Switzerland back to my native country: France. Such a move involves numerous administrative tasks, one of which is obtaining a new local phone number.

I promptly acquired a new number and began the process of updating my accounts for enhanced security through Multi-Factor Authentication (MFA). However, an unexpected challenge arose with my Amazon account. It appeared that my new phone number was already linked to another user's account, presumably by the previous owner who had not removed it.

I reached out to Amazon's support team, seeking to associate my new number with my account. The support team responded quickly, but they could not help. They explained that they could not alter the details of another person’s account without explicit authorization. I could not use my phone number as an extra layer of security.

Account Takeover: A Real-World Scenario

Amazon's account security mechanism has a unique aspect that could be a double-edged sword for account accessibility. If you possess someone's phone number, you have a surprisingly straightforward path to their Amazon account. By opting to log in with a mobile number and then choosing to sign in via a verification code sent to that number, one can enter the account linked to that number without ever inputting a password.

Amazon sign-in interface and OTP received by SMS.

Upon this form of entry, the individual in possession of the phone has a considerable level of control over the account. They are presented with the capability to reset the account password, update the phone number used for MFA, alter the registered email address, and potentially make purchases using the credit card details saved on the account. Notably, this process lacks a critical layer of security: bank validation is not required for transactions on Amazon, leaving a gap that could be exploited for unauthorized purchases.

Breached Amazon account because of outdated SMS-based MFA

In my case, although I found myself inadvertently logged into another person’s Amazon account due to the shared phone number, I refrained from making any changes or purchases. My intention was not to misuse the access I had stumbled upon. Instead, I took the responsible step of disassociating the phone number from the account it was previously linked to. This action was crucial for me to secure my own Amazon account with my current phone number, thereby enhancing its security and ensuring that I was the sole user associated with my personal account.

How to remove SMS MFA from an Amazon account

This incident highlights the importance of regularly updating and securing account information to safeguard against unauthorized access. It also raises awareness about the potential risks of phone-based authentication methods and underscores the need for users to remain vigilant about their digital security practices.
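The gap described above, where a session opened with nothing but an SMS code can reset the password, change the MFA phone number, change the email address, or make purchases, can be closed server-side with a step-up check. The sketch below is an added example, not Amazon's logic or code from the original post; the factor names, action names, and both time limits are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# The four actions the article lists as available after an SMS-only sign-in.
SENSITIVE_ACTIONS = {"reset_password", "change_mfa_phone", "change_email", "purchase"}
# Factors that only prove possession of the phone number (hypothetical labels).
PHONE_ONLY_FACTORS = {"sms_otp", "sms_magic_link"}
STEP_UP_MAX_AGE = 15 * 60            # assumed: a strong factor stays fresh for 15 minutes
PHONE_REVERIFY_AFTER = 180 * 86400   # assumed: older phone bindings may belong to a recycled number


@dataclass
class Session:
    factors: dict          # factor name -> unix time it was verified in this session
    phone_bound_at: float  # unix time the account owner last confirmed the phone number


def authorize(session, action, now):
    """Return (allowed, reason) for `action` in this session at time `now`."""
    if not session.factors:
        return False, "unauthenticated"
    # Factors that prove more than possession of the phone number.
    strong = {f: t for f, t in session.factors.items() if f not in PHONE_ONLY_FACTORS}
    if action not in SENSITIVE_ACTIONS:
        # An SMS-only session on a long-unconfirmed number is refused outright:
        # the number may have been reassigned to someone else since it was bound.
        if not strong and now - session.phone_bound_at > PHONE_REVERIFY_AFTER:
            return False, "phone_binding_stale"
        return True, "ok"
    # Sensitive actions always need a recent non-SMS factor.
    if not strong:
        return False, "step_up_required"
    if now - max(strong.values()) > STEP_UP_MAX_AGE:
        return False, "step_up_expired"
    return True, "ok"
```
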

MFA / OTP Vulnerabilities

SMS-based MFA methods, including One-Time Passwords (OTPs) and magic links, are popular but have critical security limitations. These weaknesses are not limited to traditional MFA scenarios but extend to various SMS-based authentication methods.

Failing to update your phone number for account security can result in another troubling outcome: the complete loss of access to your own account.

For instance, neglecting to update your Google account with your new phone number can lead to significant access issues, potentially locking you out of your account. This oversight can create a frustrating and challenging situation, even if you remember your password.

Google security validation with verification code

When you change your phone number but fail to update this information in your Google account settings, you inadvertently create a barrier to entry. The problem arises during the verification process, which is a critical step for ensuring the security and integrity of your account. Google, in its efforts to maintain high security standards, often requires a verification code as part of its two-factor authentication process. This code is typically sent to your registered phone number.

However, if your account is still linked to your old number, you won’t receive these essential verification codes. As a result, despite entering the correct password, you'll find yourself unable to complete the login process. This lack of access to the verification code effectively prevents you from confirming your identity and accessing your account.

Google's error message "can't sign you in"

Moreover, the implications of this issue extend beyond just being unable to check emails or update your calendar. It can disrupt your access to all services associated with your Google account, including essential platforms like Google Drive, Photos, and even third-party sites where you use Google to log in.

Additional Limitations of SMS-based MFA

This revelation about Amazon's login process not only raises eyebrows but also serves as a segue into a broader discussion about the inherent risks of relying on SMS-based Multi-Factor Authentication across various platforms.

Here are additional limitations of SMS-based MFA:

1. SMS Encryption and Malware Threats

SMS messages are unencrypted, making them easy targets for interception and unauthorized reading. Sensitive information, like authentication codes, can fall into the wrong hands, leading to account breaches. However, the technical sophistication required to intercept SMS messages makes this a less likely attack method, and most attackers would rather use malware on a device to siphon SMS data.

2. Dependence on Mobile Networks

Dependence on mobile networks, which can experience outages, renders SMS-based MFA unreliable during critical moments when account access is necessary.

3. SS7 and Sakari Exploits

Contrary to previous concerns, the Signaling System 7 (SS7) protocol is no longer as vulnerable to exploitation. However, the ease of forwarding SMS to services like Sakari, achievable with basic social engineering and minimal cost, presents a new threat vector.

4. Social Engineering

Attackers can use social engineering techniques to trick individuals or mobile service providers into divulging confidential information or transferring a phone number to a new SIM card, bypassing MFA measures.

5. Mass Number Purchases for Account Takeovers

An emerging threat involves attackers mass purchasing phone numbers to attempt large-scale account takeovers, leveraging the vulnerabilities in SMS-based MFA.


MFA Best Practices

App-based authenticators like Microsoft Authenticator or Google Authenticator are recommended for stronger MFA. However, the issue with OTP and magic link logins remains unresolved, posing a continuous security challenge. In general, follow these best practices:

  1. Use a unique and unpublished phone number for SMS-based MFA to reduce risks.
  2. Reserve SMS-based MFA for less sensitive accounts, prioritizing stronger methods for high-risk accounts.
  3. Regularly monitor account activities for any signs of unauthorized access or suspicious activities.
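For the monitoring practice in item 3, one concrete signal is a sign-in that used only an SMS code and is followed shortly afterwards by account-control changes, the sequence the Amazon scenario makes possible. The following detection sketch is an added example, not part of the original article; the JSON field names, event names, and the 10-minute window are assumptions, and the log lines are constructed sample data.

```python
import json

# Constructed sample events, one JSON object per line, sorted by time.
# Field and event names are assumptions, not a real service's log schema.
SAMPLE_LOG = """\
{"ts": 1000, "account": "a1", "event": "login", "method": "password+totp"}
{"ts": 1060, "account": "a1", "event": "change_email"}
{"ts": 2000, "account": "b2", "event": "login", "method": "sms_otp"}
{"ts": 2090, "account": "b2", "event": "reset_password"}
{"ts": 2150, "account": "b2", "event": "change_mfa_phone"}
{"ts": 3000, "account": "c3", "event": "login", "method": "sms_otp"}
{"ts": 9000, "account": "c3", "event": "purchase"}
"""

SENSITIVE = {"reset_password", "change_mfa_phone", "change_email", "purchase"}
WINDOW_SECONDS = 600  # assumed: flag changes within 10 minutes of an SMS-only login


def find_sms_only_takeover_patterns(log_text, window=WINDOW_SECONDS):
    """Map each account to the sensitive events that closely followed an SMS-only login."""
    last_login = {}  # account -> (timestamp, method) of the most recent login
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        account = ev["account"]
        if ev["event"] == "login":
            last_login[account] = (ev["ts"], ev["method"])
            continue
        login = last_login.get(account)
        if (login and login[1] == "sms_otp"
                and ev["event"] in SENSITIVE
                and ev["ts"] - login[0] <= window):
            alerts.setdefault(account, []).append(ev["event"])
    return alerts


if __name__ == "__main__":
    for account, events in find_sms_only_takeover_patterns(SAMPLE_LOG).items():
        print(f"review {account}: SMS-only login followed by {', '.join(events)}")
```
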

Corporate Implications and Advanced Solutions

The highlighted vulnerabilities of SMS-based MFA, particularly illustrated by incidents such as this Amazon account breach, underscore the urgent need for reinforced digital security strategies. This is especially critical for enterprises, where the stakes are significantly higher due to the volume of sensitive data and financial assets at risk. In the corporate sphere, the implementation of robust MFA methods goes beyond protecting individual users; it's about safeguarding the company's digital infrastructure, intellectual property, and maintaining trust with stakeholders.

Enterprises must prioritize deploying advanced MFA solutions, like biometric verification and security keys, which offer a stronger defense against cyber threats. Additionally, companies should foster a culture of security awareness, ensuring that employees at all levels understand the risks and adhere to best security practices. This collective vigilance is crucial in an era where cyber threats are not only growing in sophistication but also in their capacity to disrupt business operations and inflict long-term damage on an organization's reputation.