Whistleblower warning: 2FA codes sent via SMS are trivially easy to intercept

Shawn Knight

Weak Link: Two-factor authentication is designed to harden account security and make unauthorized access harder for attackers. In the imperfect world we live in, however, there's almost always a weak link, and one popular delivery method for 2FA codes is no exception.

Many implementations of two-factor authentication send a one-time passcode to the end user via SMS. Once entered, the user is logged in and it's business as usual. The problem is the inherent weakness of SMS: messages travel unencrypted through carriers and intermediaries, so you have no idea who else laid eyes on the code before it reached your phone.

As Bloomberg highlights, most companies outsource delivery of 2FA codes to a third-party intermediary to save money, but trusting the wrong partner can be costly. To highlight the threat, an industry whistleblower provided Bloomberg with a batch of around one million messages containing 2FA codes that were sent in June 2023.

Each passed through a questionable Swiss company named Fink Telecom Services, and the batch contained both auto-generated login codes and routing data showing the path from sender to recipient. The sender list is a who's who of major tech players including Amazon, Google, Meta, Snapchat, Tinder, Signal, and WhatsApp, to name a few.

The publication verified the data with independent experts and cross-checked it against publicly available data, and found it to be legitimate. Fink Telecom CEO Andreas Fink told Bloomberg that legal restrictions prevent the company from looking at the content of the messages it processes, adding that it no longer works in surveillance.

Those interested in a more robust solution are encouraged to consider biometric verification or a dedicated authenticator app when possible. The latter generates codes locally, either on a user's phone or on standalone hardware, from a secret shared with the service at enrollment, so no code is ever in transit for an SMS middleman to read.

This isn't the first time we've heard of issues involving SMS 2FA. Just last month, Valve confirmed that a leaked dataset contained phone numbers and SMS 2FA codes linked to Steam accounts. If you haven't already, now would be a good time to change your Steam password and switch to a hardware security key or an authenticator app.

Image credit: Allison Saeng, Ed Hardie

So, email, text, perhaps even robotic - AI - voice transmission of 2FA codes can be intercepted. What's new about this? However, isn't the utility of a code time-limited? That is, the attacker would have to intercept, extract one out of how many thousands, evaluate, and attack within how many minutes?

And how is this push to use security apps going to eliminate the problem? All it is doing is focusing attacker research onto ways of penetrating the apps. Given the history of software and hardware deployment (sales), there's no chance a code problem will not be exploited. ". . . there's almost always a weak link . . .".

How is any of this different from the computer age-old security problems we've been hearing about since the '70s? Certainly, using customers as beta testers is not going to alleviate the issue.
 
My organization has a solution: Make it so difficult to log in that most people cannot access their own accounts. I am pretty sure they won some sort of security award for their system. Clown world.
 
I bit the bullet and went all in on passkeys and Microsoft authenticator app for MFA and leave SMS alone whenever I can.
 