SC Magazine's Australian edition recently published an article entitled "$45k stolen in phone porting scam". This article was then rewritten on Help Net Security as "Fraudsters beat two-factor authentication, steal $45k".
The gist of the SC Magazine article's advice:
Call your mobile phone provider on the phone numbers below and insist on additional security questions being added to your account before the number can be ported.
The last paragraph of the Help Net Security article, despite its inaccurate headline, gets closer to the true issue:
But, the bigger problem in all of this is the fact that Australian banks have been informed of the possibility of the "porting" option being misused to mount this kind of attack back in 2009, but a lot of them declined to implement a verification system that would make sure that the number to which they send the additional verification code has not been recently "ported".
The truth is that any use of SMS is a problem and not just because of porting. The list of dangers about the SMS system should be well known by now:
- Criminals pay top dollar for phones that can intercept SMS
- Flawed security lets Sprint account get easily hijacked
- Russian Mobile Operator Leaks Users’ SMS Histories
Carriers are not incentivized to secure their users' accounts. If they increase the difficulty of resetting a password or performing some change, users will start calling support. If you have 100,000,000 users and an extra 2% start calling, it adds up fast. So SMS is really just an email sent to a phone over a provider that barely cares about security. 99% of SMS messages don't require security (and probably 99% of those don't even need to be sent, but that's another story), so don't expect the carriers to add any soon.
If some application warrants two-factor authentication, then it warrants even the most basic risk analysis. Would you start using an unencrypted VPN because it ran on a phone? If a bank outsourced its VPN service, what types of audits would it do? What kinds of guarantees would it demand? Did the carriers agree to similar demands when financial institutions outsourced their authentication to them?
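The porting check the Help Net Security quote says banks declined to implement, written out as an added example (not code from either article or from any bank): before sending an SMS code, look at the number's porting history and fall back to a stronger factor if the number was ported recently or now sits with a different carrier from the one recorded at enrolment. The PortEvent records, carrier names and the seven-day window are constructed assumptions; a real deployment would take them from a number-portability lookup service and its own policy.

```python
# Added example: gate an SMS one-time code on the number's porting history.
# Port events, carrier names and the 7-day window are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PortEvent:
    msisdn: str          # phone number in E.164 form
    ported_at: datetime  # when the number moved to to_carrier
    from_carrier: str
    to_carrier: str


@dataclass(frozen=True)
class OtpDecision:
    action: str  # "send" (SMS acceptable) or "step_up" (require another factor)
    reason: str


RECENT_PORT_WINDOW = timedelta(days=7)  # assumed policy value, not from the article


def port_history(events, msisdn):
    """Port events for one number, oldest first."""
    return sorted((e for e in events if e.msisdn == msisdn), key=lambda e: e.ported_at)


def decide_sms_otp(events, msisdn, enrolled_carrier, now, window=RECENT_PORT_WINDOW):
    """Refuse SMS delivery if the number was ported within `window` (covers a
    port-out followed by a port-back) or if its current carrier differs from the
    one recorded when the user enrolled the number."""
    history = port_history(events, msisdn)
    if history:
        latest = history[-1]
        if latest.ported_at >= now - window:
            return OtpDecision("step_up", f"ported {latest.from_carrier}->{latest.to_carrier} within {window.days} days")
        if latest.to_carrier != enrolled_carrier:
            return OtpDecision("step_up", f"carrier changed since enrolment ({enrolled_carrier}->{latest.to_carrier})")
    return OtpDecision("send", "no recent port and carrier matches enrolment")


UTC = timezone.utc
# Constructed sample port feed and clock.
SAMPLE_EVENTS = [
    PortEvent("+61400000001", datetime(2012, 1, 10, 9, 0, tzinfo=UTC), "CarrierA", "CarrierB"),
    PortEvent("+61400000002", datetime(2011, 6, 1, 8, 30, tzinfo=UTC), "CarrierA", "CarrierC"),
]
NOW = datetime(2012, 1, 12, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    for number, carrier in [("+61400000001", "CarrierA"), ("+61400000002", "CarrierA"), ("+61400000003", "CarrierA")]:
        d = decide_sms_otp(SAMPLE_EVENTS, number, carrier, NOW)
        print(number, d.action, "-", d.reason)
```

Note that a port back to the enrolled carrier inside the window is still refused, since the check looks at recency first and carrier identity second.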
(I also posted this to Infosec Island.)
PS: If you are using or considering using SMS for authentication because you need the universal availability (i.e. no smartphone required) and are concerned about the security implications, please contact us to discuss a new product.