Introduction
SMS text messages are a convenient way for organisations to communicate with their customers. However, they’re not ideal when used to send sensitive information, such as one-time passcodes in a multi-factor authentication system.
While the qualities of SMS make it a valuable business tool, the technology was never intended to transmit high-risk content. Consequently, there are a number of inherent weaknesses in the ecosystems that support SMS.
These weaknesses mean that, where the value of the message content is of interest to bad actors, they are increasingly attempting to exploit SMS.
Advice
The National Cyber Security Centre (NCSC) has written some great guidance on this subject. Their original article can be found here, and I’ve summarised the main points below.
This guidance does not rule out the use of SMS for transmitting sensitive data. Instead, the NCSC advise that you should understand how your organisation uses SMS, and determine whether to put in place additional controls. Any organisation using SMS must have a clear understanding of how and where the technology is used and take steps to mitigate or reduce associated risks, where appropriate.
Why SMS is popular
The Short Messaging Service (SMS) was originally developed as an engineering signalling system. It was not designed as a method for transmitting secure messages.
SMS has a number of qualities that make it attractive for business use:
- ubiquity – the vast majority of mobile phones globally support the SMS protocol making it easy/cheap to develop services
- familiarity – consumers understand SMS
- timely – SMS messages generally get delivered, globally, within a few seconds
- inexpensive – relatively low cost to use
- reliability – the store and forward nature of SMS means it is often seen as a ‘fire and forget service’
Organisations, particularly banks, use SMS for the following purposes:
- to send information to customers
- to send one-time passcodes to customers
- to confirm a questionable transaction
General threat protection advice
- Know your estate – understand where and how your organisation uses SMS and assess the level of associated risk.
- Consider alternatives to SMS – in some cases there may be alternatives to SMS, such as the Push Notifications offered by the iOS and Android ecosystems.
- Protect the integrity of customer phone numbers – keep any underlying database safe, particularly where mobile numbers are stored, as these could be changed and messages diverted as part of a coordinated attack.
SMS attacks
Attacks on SMS typically see ‘take over’ of the phone number, or the International Mobile Subscriber Identity (IMSI), a globally unique code that identifies a mobile network subscriber. This allows the attacker to receive, and potentially reply to, SMS messages intended for the genuine customer.
To mitigate this threat:
- Defend against SIM Swaps – attackers use social engineering to convince mobile phone retailers to transfer a genuine customer’s phone number (MSISDN) to a new SIM.
- Defend against SS7 attacks – Signalling System 7 (SS7) is the ‘glue’ that allows mobile networks to operate. It also permits separate networks to interoperate – for example when a handset from operator A is roaming on operator B’s network, in a different country.
- Defend against Malware attacks – there have been a number of reported cases where the handset has been infected with malware which receives the SMS (hiding it from the genuine customer) and forwards it to the attacker.
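The two points above about protecting the integrity of stored phone numbers and defending against SIM swaps both come down to the same question: should a one-time passcode be sent by SMS to a number that has only just been attached to the account? The following Python is an added example written for this summary; it is not code from the NCSC guidance or from the author. It assumes a simple in-memory account store and a 24-hour cooling-off policy (both assumptions chosen for illustration) under which a recently changed number is treated as untrusted, SMS delivery is refused in favour of a step-up verification path, and every change and refusal is written to an audit trail so that a diversion can be investigated.

```python
"""
Added example: treat a recently changed mobile number as untrusted for
one-time passcode delivery.  Not NCSC code; the in-memory store, the
24-hour window and the sample numbers are all constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: a number changed within this window may not receive OTPs by SMS.
COOLING_OFF = timedelta(hours=24)


@dataclass
class Account:
    account_id: str
    msisdn: str                                   # mobile number in E.164 form
    msisdn_changed_at: Optional[datetime] = None  # None means never changed
    audit: list = field(default_factory=list)     # append-only event trail


class AccountService:
    def __init__(self):
        self._accounts = {}  # account_id -> Account (in-memory stand-in for a database)

    def register(self, account_id: str, msisdn: str) -> Account:
        acct = Account(account_id, msisdn)
        self._accounts[account_id] = acct
        return acct

    def change_msisdn(self, account_id: str, new_msisdn: str, now: datetime, actor: str) -> None:
        """Record who changed the number, from what, to what, and when.
        The old number is kept in the audit trail so that a suspicious
        change (for example one made by a retail agent) can be traced."""
        acct = self._accounts[account_id]
        acct.audit.append({
            "event": "msisdn_changed", "at": now.isoformat(),
            "old": acct.msisdn, "new": new_msisdn, "actor": actor,
        })
        acct.msisdn = new_msisdn
        acct.msisdn_changed_at = now

    def otp_channel(self, account_id: str, now: datetime) -> str:
        """Decide how a one-time passcode may be delivered.
        Returns 'sms' when the number has been stable for at least the
        cooling-off window, otherwise 'step_up' meaning SMS must not be used
        and another verification path (an app push notification, a call
        to a previously verified number, or an in-branch check) is required."""
        acct = self._accounts[account_id]
        if acct.msisdn_changed_at is not None and now - acct.msisdn_changed_at < COOLING_OFF:
            acct.audit.append({
                "event": "otp_sms_blocked", "at": now.isoformat(),
                "reason": "recent_msisdn_change", "msisdn": acct.msisdn,
            })
            return "step_up"
        return "sms"

    def audit(self, account_id: str) -> list:
        return list(self._accounts[account_id].audit)


def demo() -> dict:
    """Walk one account through a number change and show the decision at each point."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    svc = AccountService()
    svc.register("acct-1", "+447700900123")                 # constructed sample number
    before = svc.otp_channel("acct-1", t0)
    svc.change_msisdn("acct-1", "+447700900999", t0, actor="retail-agent-42")
    soon = svc.otp_channel("acct-1", t0 + timedelta(hours=1))
    later = svc.otp_channel("acct-1", t0 + timedelta(hours=25))
    return {
        "before_change": before,        # 'sms'
        "soon_after_change": soon,      # 'step_up'
        "after_cooling_off": later,     # 'sms'
        "audit": svc.audit("acct-1"),   # change event plus one blocked-OTP event
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decision is deliberately made at OTP-send time rather than at change time, so the same check applies whether the number was altered through a customer portal, a call centre or a direct database edit; the audit entries are what a security operations team would pull when a customer reports a passcode they never received.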
In conclusion
Think very carefully before allowing the use of SMS in your business, particularly where important or sensitive information is being sent or received.
Thanks to NCSC for this info on how to protect SMS messages - a great source of cyber security advice from the Government at ncsc.gov.uk. Crown Copyright, content reproduced under license