INFO5301 NIST Digital Identity Guidelines
Exercise 10:
10.1 What is the NIST recommendation in using SMS based authentication, e.g. one-time
code delivered over SMS?
Answer: NIST SP 800-63B treats out-of-band authentication over the public switched telephone network (SMS or voice) as a RESTRICTED authenticator, so an SMS one-time code may still be used, but only under additional conditions. To account for evolving threats, NIST places restrictions on certain authenticator types, classes, or instantiations. Use of a RESTRICTED authenticator means that the risk of an authentication error is borne jointly by the organization and the subscriber. In such a scenario, the CSP shall:
1. Offer subscribers at least one alternative authenticator that is not RESTRICTED and can be used to authenticate at the required AAL.
2. Provide meaningful notice to subscribers regarding the security risks of the RESTRICTED authenticator and the availability of alternative(s) that are not RESTRICTED.
3. Address any additional risk to subscribers in its risk assessment.
4. Develop a migration plan for the possibility that the RESTRICTED authenticator is no longer acceptable at some point in the future, and include this migration plan in its digital identity acceptance statement.
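As an added example (not part of the original answer or of NIST's text), the following Python code shows how a CSP could enforce the first two obligations above in its verifier: an SMS one-time code is only offered when the subscriber also holds a non-restricted authenticator that on its own reaches the required AAL, and when the subscriber has been given notice of the risk. The authenticator catalogue, the AAL mapping (AAL2 needs two distinct factors) and the `notice_acknowledged` flag are simplifying assumptions made for this example; only AAL1 and AAL2 are modelled.

```python
"""Policy check for restricted authenticators (added example, not NIST code).

Assumptions made for this example: the authenticator catalogue below, the
rule that AAL2 is reached by two distinct factors (one multi-factor
authenticator or a knowledge + possession pair) and that anything less is
AAL1, and a `notice_acknowledged` flag recorded when the risk notice was shown.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"


@dataclass(frozen=True)
class AuthenticatorType:
    name: str
    factors: frozenset          # factors proven by this authenticator on its own
    restricted: bool = False    # True for RESTRICTED authenticators (SMS OTP)


# Assumed catalogue for the example; SMS OTP (out-of-band via the PSTN) is restricted.
MEMORIZED_SECRET = AuthenticatorType("memorized secret", frozenset({Factor.KNOWLEDGE}))
SMS_OTP = AuthenticatorType("SMS one-time code", frozenset({Factor.POSSESSION}), restricted=True)
TOTP_APP = AuthenticatorType("single-factor OTP app", frozenset({Factor.POSSESSION}))
MF_CRYPTO_DEVICE = AuthenticatorType("multi-factor crypto device",
                                     frozenset({Factor.KNOWLEDGE, Factor.POSSESSION}))


@dataclass
class Subscriber:
    authenticators: list
    notice_acknowledged: bool = False  # assumed: set once the risk notice was shown


def aal_reachable(authenticators):
    """Highest AAL (0, 1 or 2) that this set of authenticators can reach together."""
    if not authenticators:
        return 0
    factors = set()
    for a in authenticators:
        factors |= a.factors
    return 2 if factors == {Factor.KNOWLEDGE, Factor.POSSESSION} else 1


def may_offer_restricted(subscriber, required_aal):
    """Return (allowed, reason).

    A RESTRICTED authenticator may be offered only if the subscriber's
    non-restricted authenticators alone reach required_aal (obligation 1)
    and the subscriber has received meaningful notice (obligation 2).
    """
    unrestricted = [a for a in subscriber.authenticators if not a.restricted]
    if aal_reachable(unrestricted) < required_aal:
        return False, "no non-restricted alternative reaches AAL%d" % required_aal
    if not subscriber.notice_acknowledged:
        return False, "subscriber has not been notified of the restricted authenticator's risks"
    return True, "ok"


def usable_authenticators(subscriber, required_aal):
    """Authenticators the verifier may present for a login at required_aal."""
    allowed, _ = may_offer_restricted(subscriber, required_aal)
    return [a for a in subscriber.authenticators if allowed or not a.restricted]


if __name__ == "__main__":
    # Password + SMS only: SMS cannot be offered at AAL2, because the only
    # non-restricted alternative (the password) is single-factor.
    weak = Subscriber([MEMORIZED_SECRET, SMS_OTP], notice_acknowledged=True)
    print(may_offer_restricted(weak, 2))
    # Password + OTP app + SMS with notice given: SMS may be offered.
    ok = Subscriber([MEMORIZED_SECRET, TOTP_APP, SMS_OTP], notice_acknowledged=True)
    print([a.name for a in usable_authenticators(ok, 2)])
```

The point of the check is that a subscriber enrolled with only a password and SMS has no non-restricted path to AAL2, so the CSP must enroll another possession-based authenticator before SMS can be presented as an option at that level.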
10.2 What are the known vulnerabilities in SMS authentication? Find references to reported
successful attacks exploiting such vulnerabilities.
Answer: Numerous security breaches in recent years show that SMS authentication is far from secure. For example, in 2018 attackers were able to intercept the SMS authentication of several Reddit employees and gained access to some Reddit databases [1]. On multiple occasions SMS authentication has also been defeated by attackers to empty bank accounts and virtual currency wallets [2, 3]. Many other such incidents have been reported, including against popular services provided by Google, Yahoo, and LinkedIn.
Such attacks are feasible because SMS was never designed to be a secure channel. The way mobile operators manage and verify their customers also plays an important role in weakening SMS authentication. Possible attacks against SMS authentication include:
1. SMS interception/hijacking: Because of the weak signalling protocols used in mobile networks, especially legacy protocols such as SS7, SMS messages can be intercepted before they are delivered to the legitimate receiver. This includes the One-Time Codes (OTCs) sent by SMS for authentication purposes. Conventionally, as telecom networks are closed networks to which only a limited number of people have access, let alone knowledge of their inner workings, security is usually based on implicit trust. Nodes within a network, and across different networks, trust each other without any mutual authentication and are not prepared for a rogue node sending requests. In 2017, attackers successfully intercepted the SMS authentication used by some German banks by setting up a rogue mobile network and sending signalling messages to the O2-Telefonica mobile network (a German mobile network provider) claiming that the target customers had roamed into the rogue network. The O2 network accepted the requests and routed all subsequent messages to the rogue network, allowing the attackers to read the subsequent SMS one-time codes [4].
Information Security Management, Page 6 of 9