top of page

How to Easily Hack SMS Based OTP?

Before we begin, let’s review the basics of multi-factor authentication (MFA). MFA has three types of authentication – something you know, something you have, and something you are. The problem with using one or more factors in the first type, something you know, is that humans can easily be tricked into giving up the secret. One of the most common mistakes is using two-factor authentication (2FA) combination of passwords plus a short message service (SMS) delivered one-time passcode (OTP).

There are many ways which SMS-based 2FA is not ideal as a security measure. Just in case anyone is not familiar with SMS, it is the channel that text messaging uses. A major concern with SMS is that it still relies on “codes” known to the human, and anything that humans know, they can divulge. Let us walk through a relatively low-tech method which hackers use to gain access to SMS 2FA-protected accounts.

The attack starts out with an email sent to a user asking for credential reset or asking the user to log into their account to verify some activity. The link in the email will direct the user to a phishing site that is set up to resemble the actual legitimate site.

The user enters their credentials into the phishing site. The credentials are recorded by the hacker, and subsequently entered into the legitimate site by the hacker.

The legitimate site generates an SMS one-time password (OTP), and sends it to the user- usually in the form of a string of alphabetic characters or a six or eight-digit numeric code.

The user manually types in OTP into the phishing site, and the attacker types the OTP into the legitimate site, thereby gaining access.

The hacker has easily bypassed the additional protections of SMS in essentially the same manner the original username and password were compromised. They asked the user for their secrets. There are much more sophisticated variations of this attack, but because the hacker can simply ask the user for the information sophistication is not necessary.

So how do we solve this problem?

If we want more secure authentication, we have to employ more than one type of authentication. By adding something you have, with something you know, this becomes much more secure than using two methods of something you know. The popular method of something you have is to send an OTP in a secure token to the device.

This too has a security vulnerability in that you can still trick humans into presenting this token to fake sites and services. This is because the authentication is one-way, user to the server. Anyone with a secure token can pass the authentication check. To make the method truly secure, you need to employ a method that is Full Duplex Authentication® (FDA).

With FDA this and even the most complex variations of OTP phishing are virtually eliminated due to the difficulty of interception and the inability of the user to share a secret.

FDA performs a unique highly secure authentication sequence whereby the server sends metadata to the user device, so the server can complete the validation of the authentication request. However, the user’s private key is not yet invoked. The server validates itself to the user by sending both static and dynamic context necessary to prove its identity to the mobile application. Only then does the mobile application invoke the private key of the user to authenticate. A third type of authentication can also be performed before the private key is shared – a biometric, which most mobile devices support today.

Passwordless, certificate-based authentication like FDA, take the vitally important task of securing authentication out of our all to fickle human hands and allow the underlying purpose-built security mechanisms to do their job. Factoring large prime numbers and other such algorithmic calculations create much better secrets than humans, and once user-generated passwords are removed from the equation, there is no longer anything for the user to divulge.

As an added benefit FDA intrinsically reduces the need for CAPTCHA due to the way it is implemented. Bots cannot simply programmatically register or authenticate accounts, so the username and password spraying attacks are mitigated.

The foundation for future security must include eliminating passwords. This is why we created NoPass™. In less time and effort than the user authenticating with passwords and SMS OTP, NoPass performs 3FA with two taps on a screen. The technology is here, and it is just a matter of stepping out of the past, moving into the future, and implementing, and as an added benefit, passwordless authentication with FDA, which can dramatically improve user experience by simplifying the authentication process. Passwordless is a win-win.

bottom of page