An article in TechCrunch describes changes that the National Institute of Standards and Technology (NIST) is considering to its Digital Authentication Guideline:
For now, services can continue with SMS as long as it isn't via a service that virtualizes phone numbers — the risk of exposure and tampering there might be considered too great. NIST isn't telling for now, but more info will come out as the comment period wears on. But before long all use of SMS will be frowned on, as the bolded passage clearly indicates.
Additional comments are available on Bruce Schneier's blog.
NIST Recommends Against Using SMS for 2-Factor Authentication
(Score: 4, Insightful) by Anonymous Coward on Saturday August 06 2016, @01:51AM
The way most big sites employ it is entirely to associate accounts with real live people through phone numbers.
(Score: 0) by Anonymous Coward on Saturday August 06 2016, @01:54AM
when you can't depend on the phone system to
keep your dealings private.
tell you who you are talking to.
(Score: 3, Insightful) by frojack on Saturday August 06 2016, @02:02AM
Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.
Apparently they were prepared to accept it as long as SMS traveled via SS7 [wikipedia.org], the side channel that cell systems use to tell your handset a call is arriving. Phone companies used to jealously guard this channel, and charge blood for a text message because it used this signaling channel for non-call related messages.
Now that significant numbers of carriers have pushed text messages off of SS7 for those phones that jump to VoIP when it is available, that signaling is all on the internet, as just another packet.
What NIST doesn't say is that SS7 itself is subject to IMSI catchers, (Stingrays - see same link as above).
I'm not buying the objection to SMS based on the fact it might travel by VoIP. After all, all that would be needed would be encryption on the VoIP channel, which is already supported.
Instead I believe that NIST is warning people away from SMS in general, because you never know how it actually travels these days, and being an arm of the government they can't come out and say that SS7 is vulnerable to Stingrays. Kudos to them for finding another way to tell us the same thing.
No, you are mistaken. I've always had this sig.
(Score: 4, Interesting) by Snotnose on Saturday August 06 2016, @04:04AM
Apparently they were prepared to accept it as long as SMS traveled via SS7 [wikipedia.org], the side channel that cell systems use to tell your handset a call is arriving. Phone companies used to jealously guard this channel, and charge blood for a text message because it used this signaling channel for non-call related messages.
I worked for Qualcomm while the IS-95 spec was being hammered out (early 90s). Part of that spec defined SMS (Simple Message Service) messages. In the CDMA protocol, every few ms (20 ms if memory serves) the handset calls the base station and says "hey, got anything for me?" The BS either says yay, in which case a call is setup, or nay, in which case the handset goes to sleep for another few ms.
Turns out, one of the messages in that transaction had to be 255 bytes long, but the information itself left something like 152 unused bytes. So SMS was created to use those unused bytes (yes chillen, that is why Twitter has a 140 byte limit). Nobody expected SMS messages to be used for much. 90% of my communication now is either face to face, or via texting.
We were flabbergasted when phone companies not only charged $0.10 per SMS, but consumers paid it! This is data the phone company had to send anyway, it cost them more to keep track of who sent what and do billing than it did to actually send the damned messages!
Fast forward a year or two, and people are using SMS all over the place. This was totally unexpected.
Now, some 20+ years later, I get unlimited messaging, some data cap I never go anywhere near reaching, and 60 minutes of talk time. I average maybe 10 minutes/month of talk time. Unfortunately, most of those minutes are the couple hours every few months I spend on hold waiting for tech support.
I came. I saw. I forgot why I came.
(Score: 2) by Snotnose on Saturday August 06 2016, @04:06AM
I really wish I could edit a post within a minute or two of submitting it. Or get better with the preview button.
I came. I saw. I forgot why I came.
(Score: 2, Funny) by tftp on Saturday August 06 2016, @06:09AM
I really wish I could edit a post within a minute or two of submitting it.
You can already, and it is very easy:
> diff -u foo1 foo2
--- foo1 2016-08-05 23:01:54.475719756 -0700
+++ foo2 2016-08-05 23:02:34.796049558 -0700
@@ -1,5 +1,5 @@
Now, some 20+ years later, I get unlimited messaging, some data cap
-I never go anywhere near reaching, and 60 minutes of talk time.
+I never go anywhere near reaching, and 600 minutes of talk time.
I average maybe 10 minutes/month of talk time. Unfortunately,
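Review bot: the hunk is two lines shorter than its "@@ -1,5 +1,5 @@" header claims: one context line, one "-" line, one "+" line and one context line make 3 old and 3 new lines, not 5 and 5, so patch will reject it as malformed before anyone can apply it. Either restore the two trailing context lines or change the header to "@@ -1,3 +1,3 @@".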
Anyone who cares can apply the patch - and you may choose to not care about the rest :-)
(Score: 2) by jmorris on Saturday August 06 2016, @02:10AM
I'd guess one of the things they worry about is number portability. For example when I ported my home phone from AT&T to h2o (an MVNO reselling AT&T) nobody from AT&T called to verify the request. Helped move another number from a Net10 cellphone and again nobody called to verify. Would be interested to hear if anybody here has moved a number and actually been contacted before your existing carrier released the number. And hijacking VoIP is going to be just as easy plus the VoIP switches are connected directly to the Internet and are vulnerable to all the usual attacks any *NIX system is subject to. Get root on one of those and you get a lot of customers.
Now consider how many VoIP providers and MVNO outfits are out there, and that they all have to be plugged directly into the phone system. All the security in the world on the link between the SIM card and the cell network won't help if the switch above the cell specific networking layers can be told to forward your number somewhere else for a couple of minutes. It doesn't take long for somebody to capture the OOB pin code to change the password on your bank account, brokerage account, or even a Photobucket or Instagram account if there is juicy stuff in it worth stealing.... celebrity nude selfies anyone? How easy is it to do that from top level access at a phone company? How many people even know? And how many zero day exploits are there in that inter-telco interface code that almost nobody has ever seen or audited? NIST is right to worry.
Now on the other hand, an SMS is much better than nothing and is probably good enough for a lot of use cases, especially if the user can't be talked into buying a security token or even installing a frickin' free (F-Droid, Google Play, Apple App Store) app like FreeOTP (formerly Google Authenticator).
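The draft guidance quoted by frojack tells implementers to "carefully consider alternative authenticators", and jmorris points at a free OTP app as the obvious one. Added here as an illustration (not code from NIST, TechCrunch, or any commenter in this thread) is a minimal server-side implementation of the HOTP/TOTP scheme those apps speak (RFC 4226 / RFC 6238): the shared secret lives on the user's phone and the server, so no code ever crosses the phone network. The secret below is the RFC's published test key, not a real one; the verifier class, its one-step drift window and its last-accepted-step replay check are design choices of this example, not anything the thread or the guidance prescribes.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) with a server-side verifier.

Added example: app-based OTP as the alternative to SMS OOB codes.
The secret is the RFC test vector key; a real deployment generates
a random 20+ byte secret per user and stores it server-side only.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Per-user verifier state (assumed design, not from the RFC):
    - accepts codes from +/- `window` time steps to tolerate clock drift;
    - remembers the newest step already accepted so a captured code
      cannot be replayed, and older codes cannot be used after a newer one."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_accepted_step = -1  # persist this per user in real deployments

    def verify(self, submitted: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else int(unix_time)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # already consumed (replay) or older than a used code
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison: don't leak which digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo with the RFC 6238 test key (ASCII "12345678901234567890").
    SECRET = b"12345678901234567890"
    v = TotpVerifier(SECRET, digits=8)
    code = totp(SECRET, 59, digits=8)          # RFC 6238 vector: 94287082
    print("first use :", v.verify(code, 60))   # True  (one step of drift tolerated)
    print("replay    :", v.verify(code, 60))   # False (same step already consumed)
```

The replay check is what makes the "capture the OOB pin code" scenario from the comment above fail against an app-based code: even inside its 30-second window, a code that has already been accepted is dead, and shrinking `window` to 0 narrows the exposure further at the cost of rejecting phones with drifting clocks.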
(Score: 2) by theluggage on Saturday August 06 2016, @11:02AM
especially if the user can't be talked into buying a security token or even installing a frickin' free (F-Droid, Google Play, Apple App Store) app like FreeOTP (formerly Google Authenticator).
I'd love more services to try and talk me into using such things (and for fewer services to insist on knowing my first cat's maiden name).
Currently, my main bank account gives me a Chip & Pin reader for my debit card, and uses it for challenge-response checks for adding new payees; Apple offers a 2-factor system using newer iOS devices (but which still requires a SMS message to 'bootstrap' or to use on an older device) - and that's about it.
Personally, I'd rather not use a phone as my "token" anyway as it's the personal possession I'm most likely to lose.
(Score: 0) by Anonymous Coward on Saturday August 06 2016, @12:11PM
> ... for my debit card, ...
Am I missing something here? When a card is needed instead of cash (e.g., renting a car effectively requires a card), I thought debit cards were to be avoided and credit cards were the way to go?
(Score: 2) by Scruffy Beard 2 on Saturday August 06 2016, @03:33PM
Debit cards don't work for car rentals. Ask me how I know. :P
Credit card companies (banks) like it that way.
With debit cards, you are not going into debt with every purchase. That is why you pay the fees instead of the merchant.
(Score: 3, Informative) by theluggage on Saturday August 06 2016, @04:58PM
Am I missing something here?
Yes. This isn't about using the card for online shopping (where a credit card may have certain legal advantages): it's about an additional authorisation factor for online banking & direct money transfers.
Basically, I can go online to get statements, move money between my accounts and make money transfers to registered payees with just the usual sort of password login, but if I want to register a new payee, the website sends me a challenge code: I need to plug my chip&pin debit card into the reader (think: cheap calculator with a card slot, not linked to the computer) unlock it with the card PIN, punch in the challenge and then type the resulting response into the computer. So, someone who hacks my online banking account can cause a fair amount of havoc but they can't add themselves as a payee and transfer out large sums without my card.
NB: "Chip & Pin" is the system that has been working nicely in the UK, EU and elsewhere for the last decade whereby all debit/credit cards now have an embedded chip that can do challenge/response authentication once unlocked by the user's PIN (and therefore means that everybody has a handy token that could be used for 2-factor auth). I believe that, in the US, this system is known as "terminal out of order - please swipe card and sign", and PINs are somehow associated with the Number of the Beast - which is probably why the major online retailers don't support card readers (can't see why that would be hard - they already mostly re-direct you to the card company website for SecureCode/Verified By Visa/etc).
(Score: 2) by Scruffy Beard 2 on Saturday August 06 2016, @03:38PM
That may explain why I was not able to port my number from diamondcard.us: it had stopped working. That was why I was switching providers!