Last updated: 15 September 2016
“Stop sending secret codes by SMS – it’s not secure!”
This is the substance of the message sent shortly before the summer by none other than the USA’s National Institute of Standards and Technology – unleashing a buzz of comments, questions, and confusion. Let’s try to bring some clarity amidst all the hubbub.
First, what exactly happened?
NIST issued a draft of its Digital Authentication Guideline, which is open to comments by the public. The final version is expected by September, 2017.
Section 18.104.22.168 of these guidelines talks about “Out-of-Band verifiers.” What’s that?
Imagine you’re doing a banking transaction on the internet; that’s the main communication channel. If the bank checks whether it’s really you by sending you a secret code through a different channel – say, by SMS text message – that’s known as Out-of-Band, or simply OOB.
So what the document says is that, to ensure a certain level of security that calls for two-factor authentication, “OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
This standard’s author also pens a blog, which uses simpler language. Here’s how he explains it in his blog:
“You can use [SMS as an Out-of-Band channel] for now, but it’s on its way out.”
He also explains why:
“Security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse.”
We couldn’t agree more. In fact, I even blogged about the dangers of SMS earlier this year. But Is it really that easy to intercept SMS messages? Surely, network systems are made of cutting-edge technology and the leading operators will protect you, right?
Unfortunately, networks are not as safe as we may think. In fact, we tend to have a rose-tinted view of telecommunications network systems, which are composed of multiple technologies – at least one of them, known as SS7 and used by modern telecommunications networks, dating back to the 1970s. Like all systems, telecommunications networks are only as strong as the weakest link.
The weakness of SS7 makes intercepting SMS messages much easier than we might think. This, at least, seems to be the result of research conducted by vulnerability assessment firm Positive Technologies in its SS7 Security Report, which states that “Vulnerabilities in SS7 based mobile networks allow an intruder with basic skills to perform dangerous attacks” and “an intruder doesn’t need sophisticated equipment.”
Speculation? Scare-mongering? It seems not. Katy Perry was the victim of such an attack earlier this year – which resulted in the attacker resetting her Twitter account’s password, locking Ms. Perry out, and sending racist and homophobic comments in her name.
So what to do if you’re a bank wanting to authenticate your users with Out-of-Band communication?
The NIST document offers a number of recommendations for doing this. Let’s have a look at these recommendations:
The out-of-band device SHALL be uniquely addressable and communication over the secondary channel SHALL be private.
This means that the device must be addressed by something that identifies it uniquely – not something that identifies the user of the device. SMS communication uses a phone number; email communication uses an email address. Both of these can be read from any device or popular messaging services (such as WhatsApp) which rely on your user ID.
The out-of-band authenticator SHALL uniquely authenticate itself […] by establishing an authenticated protected channel to the verifier using approved cryptography.
This means you need to be able to establish a secure channel, which SSL alone – the protocol used to secure internet exchanges – does not always allow. You also need to make sure that only registered devices can connect to retrieve messages – not devices impersonating them.
The key used SHALL be stored in the most secure storage available on the device.
This implies that you have ways to use the best available storage method for each device. Adding your own cryptographic layer is a good way to go beyond platform security tools, which can sometimes be attacked.
If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret on a device while it is locked by the owner (i.e., requires entry of a PIN or passcode). However, authenticators MAY indicate the receipt of an authentication secret on a locked device.
A summary of the SMS is usually displayed on the locked screen, meaning a secret code sent by SMS would be visible even when your phone is locked – making it non-compliant. A push notification, on the other hand, allows you to control what is displayed on the locked screen, without revealing secrets.
Mechanisms such as smartphone applications that employ secure communications protocols and uniquely identify the out-of-band device SHOULD be used for out-of-band authentication.
This calls for using embedded security and secure communication layers directly inside mobile applications, without relying on third-party apps.
The recommended solution sounds very much like our Ezio Mobile suite. This suite is composed of two parts that together meet the above requirements:
- Ezio Mobile Secure Messenger provides secure Out-of-Band communication by establishing a protected and authenticated channel with the verifier. Authentication is based on push notifications, which ensures control of what is displayed on the screen.
- Ezio Mobile Protector provides multiple layers of encryption to protect the secret keys on the device, and binds these keys to device-specific information – meaning that a copy of the encrypted key material on a different device will fail the authentication process.
Such a solution (which in our case includes the recently launched new version of Ezio Mobile Protector SDK) will provide a far better user experience while keeping hackers at bay – something I’m sure Katy Perry would appreciate.