Two factor auth via SMS — just don’t
Chances are you have enabled two-factor authentication for most of your accounts. But is it adding any safety? Not always.
Today, a friend of mine came to me with a suspicious SMS that he received when he tried to log in to his Gmail. Google, as usual, sends the SMS to Sri Lanka via a sender named “Google”. But this SMS was from a local phone number. I tried to log in to my account, using SMS as the second factor, and the same peculiar message came to my phone.
Notice the differences in the messages. Not only is the wording different, it contains the word “Kindly”. This is an over-used word in my country and in most South Asian countries. Bottom line: this SMS clearly did not originate from the USA. The wording was just not right.
Someone was clearly capturing the legitimate SMS that came from Google and re-sending the two-factor code in a different SMS. Lucky for us, this someone was not too smart and used lazy wording when replacing the SMS. Had the wording been identical, none of us would have looked at the sender.
Having confirmed that this is actually a thing and that it is malicious, I posted on Facebook asking friends to deactivate the SMS method of two-factor authentication. (There are many ways you can provide this second factor; more on that later.) Some reacted well, others not so well. This, however, is a serious issue.
But how did it happen?
To be honest, I am not entirely sure. But I can give a reasonable explanation of what could be going on.
Google's software teams don't run a mobile phone or SMS business. At least I don't think their Fi network is used internally for telecommunication purposes. Therefore, when they want to send an SMS to users, they rely on SMS providers. You can find many of them on the internet. (Locally, I think all our mobile operators do this as a business.) These providers connect to yet more providers, and after a chain of connections some provider has a connection to a mobile or fixed-line operator in a country, paving the way for the SMS to reach you. But not all these middlemen are good. Some rely on cheap alternatives to legal, proven ways of delivering messages, to cut costs and keep a margin in their business.
This behaviour is rife with calls. Ever wondered why, when family members or friends call you from abroad, their calling line identity (CLI) appears as if it were a local number? That is this exact behaviour in calls. It's called illegal call bypassing. It is against the law in Sri Lanka, and when (yes, when, not if) they are caught, they will have to pay a hefty fine.
So when these middlemen hand over SMS to actual thieves, the thieves make use of the messages for real hacks. Like what we saw today.
But how can this affect me? They only get my two-factor code! Not my password! Not even my email.
Yes, that is exactly true. The perpetrators will get the following content:
- The two factor code which was sent to you
- Your phone number
Using only this information, nothing is possible. But combine it with additional information, and things become scary.
You log in to shopping sites, register for events or buy tickets with your online identity. Almost every time your phone number is typed into a form, your email is typed in next to it. Sometimes these forms are harmless data collectors; say, for a fund you are donating to online for a family in need. These data points are weak links which can be exposed very easily. The people who got your phone number need only one of these cross-check data points to find out which email is usually associated with your phone. At that point they:
- Know your email
- Know your phone number
- Have access to the two factor code
Yes, the password is missing. That is the next thing that can be collected. How? Just ask Google to reset your password.
Someone just needs to enter your email and click “forgot password”, and the code will be sent to your mobile as the second-factor key, which can be used to reset it.
First, he tells Google to try another reset option instead of entering the last password, and is then sent to the phone-verification step. Then he has to enter the phone number found with the email.
The phone will get an SMS. But in this case, if the illegal path is in action, the SMS will come to the hacker.
You might or might not receive an alert at this point. That depends on how dumb the hacker is. If he disables the proxying of the SMS to your phone, you will never know until it's too late. After the code is typed in, Google asks for a new password.
Congratulations. You just lost your account to a hacker.
Remember: this hacker, whoever it was, got away with your phone number. The data he has is a ticking time-bomb, and the real account theft will come at a time you do not expect. He just needs time to cross-reference your email (maybe he already has this data). Before that happens, remove your SMS-based second factor and add the Authenticator app as the second factor. You can do that here:
Point your browser to https://myaccount.google.com/security
Select Security and, under “Signing in to Google”, 2-Step Verification. If you have not added the Authenticator app, do that now. Then remove all “Voice and Text” based methods. (You will not be able to remove your phone SMS method unless you have another method, like the Authenticator app or the phone pop-up, set up.)
Google themselves asked users long ago not to use SMS for 2-Step Verification. But it remains a very easy-to-use second factor. With this kind of activity going on, it is better to steer clear of it.
If you have not set up 2-Step Verification yet, do it now. Without it, you only need to type your password into an infected system, or one with a keylogger, and you're done in an instant.
2-Step Verification can be added in the following ways:
- Security keys: These are hardware keys which you can buy and register under your account. This is the most secure 2-Step method.
- Phone pop-up: A pop-up appears on a phone on which you have signed in with your Google account.
- Authenticator app: Install the app and add it to your account by scanning a QR code. Your phone no longer needs to be online to get the code; it is calculated on your device.
- Phone security key: I am actually unaware of how this works. I tried and it failed me :(
Hope your accounts are safe. Thanks for reading.