Second Factor SMS: Worse Than Its Reputation

Original link: https://www.ccc.de/en/updates/2024/2fa-sms

Two-factor authentication (2FA) via SMS is a common security measure in which a one-time password (OTP) delivered as a text message is required alongside the fixed password to access an account. Its reliability and security have come under scrutiny because of several attack vectors, including SIM swapping (which lets an attacker take control of the target's phone number) and phishing scams that capture the OTP. Despite these risks, 2FA-SMS still offers more security than password-only authentication. The Chaos Computer Club (CCC) has now revealed that the SMS provider IdentifyMobile inadvertently exposed millions of OTPs online: the company unintentionally shared a live data feed containing the OTPs, recipients' phone numbers, sender information and sometimes further account details. Affected companies included tech giants such as Google, Amazon, Facebook and Microsoft, as well as popular platforms like Telegram, Airbnb, FedEx and DHL; nearly 200 million messages were exposed in total. An attacker would normally still need the password in addition to the OTP to get into an account, but the data also contained "1-click login" links that could grant direct access without the phone. Overall, although 2FA-SMS is an improvement over password-only authentication, the more secure methods using an authenticator app or a hardware token are recommended.

A family friend fell for a phishing attack involving a fake banking website. She entered her two-factor authentication (2FA) code, and the attacker used it to initiate a transfer to a new payee, resulting in a loss of several thousand dollars [0]. The two banks she uses offer different forms of 2FA: one via SMS, the other via an app. Although she considered the app version more secure because SMS itself is insecure, she realised during this incident how important it is that banks send distinct codes for different kinds of transactions [1][2]. To improve security, she suggests that an ideal 2FA system would include tokens tailored to specific transaction types, so that a login token cannot be used to add a payee [1]. However, she has not yet come across such a system and wonders whether others have had the same experience [1]. Finally, she discusses the responsibility of advertising platforms such as Google, criticising their apparent neglect in vetting advertisements, which leads to potential financial losses [0]. [0] Refers to the incident and experience. [1] Suggestions for improving security. [2] Importance of context-specific 2FA tokens.
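Added example, not part of the original page or of the comment above: a transaction-bound TAN of the kind the comment asks for, in Python. It assumes a hypothetical bank back end that derives a separate key per purpose ("login", "transfer") from one root secret and computes the TAN over the normalised payee IBAN, amount and currency, so that a code phished during login is useless for adding a payee, and a TAN issued for one transfer does not verify for another. The payee and amount mirror the sample TAN SMS reproduced on this page; the root secret, counter and the attacker's IBAN are constructed for the example.

```python
import hmac
import hashlib
from decimal import Decimal, InvalidOperation


def purpose_key(root_secret: bytes, purpose: str) -> bytes:
    """Derive a per-purpose key with HMAC and a label, so that codes minted for
    'login' and codes minted for 'transfer' come from different keys and can
    never be mistaken for one another. (Hypothetical scheme for this example.)"""
    return hmac.new(root_secret, b"purpose:" + purpose.encode(), hashlib.sha256).digest()


def canonical_transfer(iban: str, amount: str, currency: str) -> bytes:
    """Normalise the fields the user must confirm, so cosmetic differences
    (spaces in the IBAN, '1312.0' vs '1312.00', lower-case currency) do not
    change the TAN. The amount is expected without thousands separators."""
    iban_norm = iban.replace(" ", "").upper()
    try:
        amount_norm = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    except InvalidOperation as exc:
        raise ValueError(f"bad amount {amount!r}") from exc
    return f"{iban_norm}|{amount_norm}|{currency.upper()}".encode()


def transfer_tan(root_secret: bytes, counter: int, iban: str, amount: str,
                 currency: str, digits: int = 6) -> str:
    """TAN bound to exactly one transfer (payee, amount, currency) and one counter."""
    key = purpose_key(root_secret, "transfer")
    msg = counter.to_bytes(8, "big") + canonical_transfer(iban, amount, currency)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def login_code(root_secret: bytes, counter: int, digits: int = 6) -> str:
    """Login OTP from the 'login' key. It carries no payee, so even if phished
    it cannot be presented as a transfer TAN (different key, different message)."""
    key = purpose_key(root_secret, "login")
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def verify_transfer_tan(root_secret: bytes, counter: int, submitted: str,
                        iban: str, amount: str, currency: str, digits: int = 6) -> bool:
    """Server side: recompute the TAN over the transfer the server is about to
    execute and compare in constant time. A TAN issued for another payee,
    amount or counter does not match, however the attacker obtained it."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    expected = transfer_tan(root_secret, counter, iban, amount, currency, digits)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed demo values; payee and amount mirror the sample TAN SMS on the page.
    root = b"example-root-secret-not-for-production"
    counter = 42
    tan = transfer_tan(root, counter, "DE63 4306 0967 1239 7690 03", "1312.00", "EUR")
    print("TAN for the legitimate transfer:", tan)
    print("same transfer, IBAN without spaces:",
          verify_transfer_tan(root, counter, tan, "DE63430609671239769003", "1312.00", "EUR"))
    print("attacker swaps in own (constructed) IBAN:",
          verify_transfer_tan(root, counter, tan, "DE02 1234 5678 9012 3456 78", "1312.00", "EUR"))
    print("attacker raises the amount:",
          verify_transfer_tan(root, counter, tan, "DE63 4306 0967 1239 7690 03", "9999.00", "EUR"))
    print("login code presented as TAN:",
          verify_transfer_tan(root, counter, login_code(root, counter),
                              "DE63 4306 0967 1239 7690 03", "1312.00", "EUR"))
```

The binding only helps if the user actually checks the payee and amount shown in the TAN message before typing the code, which is why the sample SMS on this page repeats both; a phishing page that shows one transfer while the bank signs another is exactly the case the normalisation and the server-side recomputation above are meant to catch.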

Original text
WhatsApp code: 2342
You can also tap on this link to verify your phone:
v.whatsapp.com/2342
Do not share this code.

Transfer to DE63 4306 0967 1239 7690 03
Amount: 1,312.00 EUR
TAN: 161161
Please enter this TAN to complete the transaction.
This TAN is valid for 5 minutes.

Why SMS?

Two-factor authentication via SMS (2FA-SMS) is a method to increase the security of authentications. Alongside the static password, a dynamic code sent via SMS is required. The user must enter this code during login to prove they know the password (1st factor: knowledge) and have access to the phone number (2nd factor: possession). Thus, a stolen password alone is not enough to take over the user's account.

Well-Known Attack Vectors

This method has been under attack for some time. Through techniques like SIM swapping or exploiting SS7 vulnerabilities in mobile networks, attackers can intercept SMS messages. Alternatively, users can be tricked through phishing attacks into revealing their one-time passwords. The CCC advised against using SMS as a second factor as early as 2013. Nonetheless, 2FA-SMS is widespread. It offers more security than simple password authentication.

Now Also Viewable Online!

The Chaos Computer Club (CCC) now demonstrates a previously neglected attack on 2FA-SMS: Service providers are commonly used to send these messages. These providers send large volumes of SMS for various companies and services and have access to the SMS content. Thus, the security of the authentication process also depends on the security of these providers.

IdentifyMobile, a provider of 2FA-SMS, shared the sent one-time passwords in real-time on the internet. The CCC happened to be in the right place at the right time and accessed the data. It was sufficient to guess the subdomain "idmdatastore". Besides SMS content, recipients' phone numbers, sender names, and sometimes other account information were visible.

Nearly 200 Million SMS from Over 200 Companies

Over 200 companies that entrusted this provider directly or indirectly through other service providers with the security of their authentication were affected. This included companies like Google, Amazon, Facebook, Microsoft, as well as Telegram, Airbnb, FedEx, and DHL. Over 198 million SMS leaked in total.

By simply viewing the live feed, it would have been possible to:

  • Take over WhatsApp numbers
  • Conduct financial transactions or log in to various services without access to the phone, provided the password was known

(Not Yet) a Catastrophe

To truly misuse the SMS codes, attackers would typically still need the password. However, "1-click login" links were also included in the data. For some large affected companies, only individual services were protected by IdentifyMobile. Nevertheless, IdentifyMobile's negligence exposed companies and their customers to significant risk. This is evident from the numerous similar inquiries from data protection departments worldwide now reaching us through all channels.

We are happy to confirm that we did not keep the data. However, we cannot rule out that others may have accessed it.

2FA-SMS Is Better Than Nothing, But Other Methods Don't Rely on IdentifyMobile

One-time passwords generated in an app or using hardware tokens are more secure and independent of the mobile network. If this option is available, we recommend using it. And any second factor remains better than just one, the password.
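As an added example (not code from the CCC article), this is what the recommended alternative looks like on both sides: RFC 4226 HOTP and RFC 6238 TOTP in Python. The code is computed from a secret shared once at enrolment; nothing is sent over the mobile network and no SMS provider ever sees it. The shared secret is the RFC 4226 test key, so the printed values can be checked against the test vectors in the RFCs. The replay guard (remembering the last accepted time step) implements the RFC 6238 requirement that a validated OTP is not accepted a second time.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (time step index)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: Optional[int] = None, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server side. Returns the time step that matched (the caller persists it as
    the new last_accepted_step) or None. Tolerates +-window steps of clock drift,
    compares in constant time, and never accepts a step at or before the last
    accepted one, so a leaked or phished code cannot be replayed."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_accepted_step is not None and candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key
    print("HOTP, counter 0:", hotp(secret, 0))                      # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))    # 94287082 per RFC 6238
    now = int(time.time())
    code = totp(secret, now)
    accepted = verify_totp(secret, code, now)
    print("first use accepted at step", accepted)
    print("replay rejected:", verify_totp(secret, code, now, last_accepted_step=accepted) is None)
```

The window of one step is the usual compromise between clock drift on the phone and the number of codes an attacker may guess per attempt; pair it with rate limiting on the verifier, because a 6-digit code is only a few million guesses wide.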
