Two Factor Authentication (2FA) has surged in use in recent years. Among the general public, Cisco has found that 78% had used 2FA in 2021, up from only 28% in 2017.
Alongside organizations wanting to harden their security perimeters, the continued rise of online banking, crypto, and decentralized finance (DeFi) has been a significant source of 2FA adoption. Cisco also found that 93% of users consider financial services accounts to be the most important to secure via 2FA.
Of all the second factors used to power 2FA, the most common is SMS, with 85% of users reporting they have used SMS for at least one of their 2FA accounts. But as FYEO's team showed at Black Hat USA this year and at Solana Breakpoint in Lisbon, hackers are now developing creative ways to undermine SMS 2FA. This has come in the form of a new security threat – smishing.
What is smishing?
SMS phishing – aka smishing – is the practice of using SMS to carry out the strategies and tactics used in phishing. Unfortunately, smishing has already proven to be a costly strategy that can cost organizations and users considerably, with Coinbase and Crypto.com having suffered significant breaches in the past couple of years and Twilio having reported a smishing attack back in August. In the latter case, Crypto.com customers lost $34m once hackers capitalized on the 2FA bypass exploit.
Worryingly, smishing is becoming more popular with hackers. Smishing attacks grew by over 700% in the first two quarters of 2021 alone. But more concerning, less than 35% of people targeted by a hacker know that they're being smished. All this together makes smishing a very rich niche for hackers that want to wreak havoc on organizations, enterprises, investors, and individuals.
But how exactly do hackers bypass SMS 2FA? What does smishing look like in practice?
#1 – Account recovery
Account recovery systems are integral to guaranteeing user access to their accounts. At the same time, account recovery processes have always represented a soft underbelly to account security. This is no different in the case of SMS 2FA.
Traditionally, a hacker exploited an account recovery process to reset a password. But a smishing-oriented hacker also works towards resetting an account's phone number, usually to a number the hacker has direct access to. With this, a hacker can get direct access to an account.
At first, many professionals might ask how this SMS 2FA bypass has become a pressing problem. Many 2FA systems require users to input their username, phone number, and password before receiving an SMS verification code or beginning account recovery procedures. How can hackers reliably smish an account with such a high barrier to entry?
The answer lies in the vast repository of stolen and leaked data available to hackers, both on clear-net sites and on the darknet. Our team so far has been able to tie one in ten email addresses on the internet to a valid telephone number and has indexed over 500 million phone numbers and email pairs. Once we finish indexing, we think this number will double to over a billion phone and email pairs.
With this data repository, hackers can get their foot in the door with account recovery systems, change an account's password or phone number, and bypass SMS 2FA entirely.
#2 – Social engineering
Even if a hacker doesn't have access to comprehensive account data, they can often resort to social engineering by calling a helpdesk during the account recovery process. Helpdesks are often an especially insecure part of account recovery, with hackers working to persuade representatives over the phone into thinking they're the legitimate owner.
Social engineering is one of the primary tools hackers use, and bypassing SMS 2FA is no different. As with traditional phishing, smishing can see hackers directly approach users and attempt to socially engineer them into surrendering a 2FA verification code.
What's particularly troubling about social engineering in smishing is that SMS messaging is not a secure format. SMS messages have no sender verification whatsoever, meaning hackers can feign any ID in their messages – whether it be the name of a bank, employer, or DeFi account. SMS has no built-in means to verify sender IDs or a "junk" or "spam" filter as email does, meaning many users are caught off-guard by messages claiming to be from a platform they hold an account with.
One of the most popular smishing techniques sees hackers exploit this and feign the ID of the organization a user has an account with via SMS. Typically, a hacker will claim the security of the user's account is compromised and ask the user to share secure information like their password or 2FA SMS verification code via text to avoid an account lockout or reset its credentials. Once the user shares their secure information, the hacker can access the account.
#3 – Proxy sites
Another way hackers can secure user data is by tricking users via convincing proxy sites. Using either a phishing email or a smishing text, hackers can share a URL to a proxy site that mimics the functionality of the legitimate website's login page (or, in particularly intricate cases, an entire website).
Rather than logging in, however, information inputted by a user into a proxy site goes to the hacker. Once a user reaches the 2FA SMS page, a proxy site can file a login request with the legitimate website and have a verification SMS sent to the user's phone. The verification code the user sends to the proxy site is then used to access their account on the real website by the hacker, who can act accordingly.
#4 – SIM jacking
Another way hackers can bypass your SMS 2FA is through a technique that has been used by identity thieves for many years – SIM jacking.
SIM jacking sees an identity thief or hacker impersonate a user by contacting their mobile carrier. A hacker will claim they have a new SIM to activate for the account, with the original SIM or phone having been lost. Employing social engineering and some knowledge of crucial information such as account PINs or security questions, a hacker can have a phone number reassigned to their own SIM.
With that, a hacker can receive 2FA verification codes directly and use them to access any account of their choosing. Worst of all, with a user disarmed by having their phone taken from them, their ability to promptly respond to a hack attempt may be totally undermined.
Protect yourself against smishing
2FA SMS bypassing is only going to grow as a problem. Along with keeping your wits about you to prevent yourself from becoming a victim of social engineering, the best thing you can do to prevent yourself from becoming a victim is by reducing the ability of hackers to make you a target in the first place.
In particular, you need to be alert and aware whether any of your accounts has been breached and your email or password has been made available to hackers. With hackers prioritizing targets they can obtain an email and phone number password match for, real-time information as to whether your private information is available in the wild is crucial.
Thankfully, the FYEO team is working to give you that very data. FYEO Domain Intelligence, FYEO's real-time threat monitoring platform continuously scans for potential data leaks from organizations. Contact us today for a free trial and start protecting your organization.