Is SMS One Time Password (OTP) secure?
While explaining our GetOTP: Multi OTP API product to anyone who is willing to listen, this is a question that we have been asked time and time again.
“So, is it or is it not secure?” you ask.
Before we answer that…
Let us go through some common examples of the ways you can get hacked, even though you’re using SMS OTPs to access your favorite services online.
Malware on your phone
This is arguably the most common form of hacking with the highest rate of success. The attacker infects your smart device with a malicious app, which you downloaded from the internet. The malicious app has permissions to access your SMS messages and to connect to the internet to send those messages to the attacker’s server.
I believe this is the biggest reason why we’re seeing an explosion of scams and attacks in recent years, due to the obliquity of the smart phone in our lives.
On your part, you can prevent this by not downloading unknown apps from unknown places or companies, or apps with very little reviews, and also apps which wants permissions that they shouldn’t have in the first place (for example, if free gaming app says it wants to access your SMS messages, it’s a red flag)
SIM swap attacks
This is a more elaborate form of hacking through social engineering, which targets the human factor.
The attacker will call your mobile carrier, impersonate your identity and get your carrier reissue another SIM under your name. Once they the “new” SIM, they can use it on a totally different device and receive SMS sent to your number. When this happens, you will lose connectivity on your own device, and it’s a telltale sign that you’re being attacked if you were not expecting to lose connectivity.
In order for the attacker to be successfull, she or he needs to know something about you, such as your address and your full name. This means that this will most probably a targeted attack on yourself, and not a fullblown attack affecting many people.
Granted, this is not a problem with SMS OTP per se, but a weakness in the human processes within the carrier itself. Carriers can reduce the risk of these attacks by adding checks (make a call to the real subscriber to confirm through a secondary number or email) and removing as much human elements within the process (automate as much as possible these checks).
Compromised SMS Centers
Well, if the SMS centers managed by our mobile carrier themselves that receives and routes SMS to mobile phones are compromised, then obviously anything that you send and receive will be accessible to the attacker.
How can the SMS centers get compromised? Well, it is difficult, but not impossible. Malware attacks that trick the carrier’s employees, or outright illegal acts by rouge employees which break into the the SMS centers and leak data comes to mind.
Carriers in nearly all legal jurisdiction operate through licenses given to them by the government. In exchange for these licenses, the carriers need to adhere to certain standards of operations, which includes security standards. You should expect a higher security standard from your carriers than you would if you’re storing sensitive data in your own home.
Intercepting your mobile traffic
If you’re a particular important or famous person, like the president of a country, or controversial politician or even a successful drug lord, then congratulations: This particular attack is for you.
An attacker basically tries to intercept the traffic between your mobile and the carrier itself in the air, through tools such as an IMSI Catcher or an RTL-SDR radio scanner. These tools are relatively easy to find and use and are common within law enforcement, but the attacker needs to be physically close to the target and listen to the correct traffic. Remember the stakeout scenes in unmarked vans parked at the side of the street that detectives usually do to catch a criminal? Yes, that is what is required if you’re trying to attack someone with this method.
Most of the time, it’s not even your SMS OTP…
Most of the time though, it’s not even the SMS itself.
Man-in-the-middle attacks target you by setting up a fake site or an internet access point. These types of attacks intercept your data and tries to either redirect you to a fake site and getting you to input a valid SMS OTP sent to your mobile, or just simply trying to replicate the verification data which you used to log into an online service using a valid SMS OTP.
These types of attacks are relatively easy to execute, and will be the more common types of attacks. You can avoid them by making sure that you’re accessing sites that are encrypted (they will have https in their URL) and also not to click on links from emails or SMS which you did not expect to receive or from unknown sources.
Finally, we have the classic brute force attacks. Attackers will just do thousands of attempts with many different combinations of OTPs at website they want to break, hoping that one of those will be a valid OTP. This is beyond our control, but the website administrators can protect themselves better by rate limiting: Controlling the amount of attempts allowed in a period of time. We have this feature in GetOTP through the usage of Captcha, and if website administrators use our API, they can forget about the nitty-gritty details of trying to implement a fairly secure OTP mechanism
How secure a SMS OTP is directly depending on how secure the receiving device is. Just like the device, the OTP is also vulnerable to physical attacks. If an attacker gains physical access to your device, then all bets are off.
Remember that SMS-based two factor authentication (2FA) is still better than just having your usual username/password combination. Billions of SMS messages are being sent and received every single day, and due to the obiquity of it, SMS will not be going anywhere overnight.
Having said that, only having SMS OTP as your only authentication method is not good enough. It should be coupled with email, voice or a strong login/password mechanism. The usual advice applies here: Set strong passwords with more than 8 random characters using alphabets, numbers and signs, and never use the same password for multiple websites.
When we talk about security, it usually boils down to these two things:
– There is no silver bullet to “security”. Have multiple ways to authenticate, like having more than one lock at your door.
– It’s always trade-off of convenience and security. For the 99% of us, the usual precautions like not installing what we don’t know and not clicking on strange links, coupled with good passwords and SMS OTP will be sufficient. Of course, depending on who you are and what you’re going to protect, this will definitely change.
To conclude, SMS OTP is “secure enough” for most of us, but it comes with the condition that all the other parts that surrounds it, especially the device that receives the SMS OTP is also secure.