If you use SMS instead of U2F…

SMS 2FA is arguably the weakest kind possible. Instead of the second factor being tied to a physical device you hold, it’s tied to your phone number, and your phone number is controlled by your carrier, not by you.

Attack #1: Retrieving codes by attacking voicemail systems

Many services like Gmail and LinkedIn allow SMS-based account recovery. If you forget your password, you can receive a text to your phone with a code that allows you to log in.

Some services let you receive that code via phone call as well. A robot reads you the code in the call, and if you don’t answer, it goes to your voicemail.

Martin Vigo’s talk on attacking voicemail systems

But voicemail is remotely accessible. If I know your voicemail PIN, I can dial in and listen to your messages right now. Carriers ship every line with a default voicemail PIN, so if you have never explicitly changed it, yours is still the default.

Attackers wait for you to be asleep, trigger the account recovery call to your phone, and when it rolls over to your voicemail, log into your voicemail remotely and listen to the code. Once they have the code, voilà, they’re in!

Affected services today include WhatsApp, LinkedIn, and others.

Remediation:

Don’t have phone-based account recovery on any site.

For WhatsApp, you can’t avoid this, so you’ll need to enable the two-factor WhatsApp PIN setting. Call your carrier and disable voicemail. If you don’t want to disable voicemail, at least set a voicemail PIN if you haven’t already.

Attack #2: Phone porting

As described earlier, this is what phone-based account recovery looks like in Gmail.

SMS-based account recovery on Gmail

If you have SMS account recovery set, or SMS 2FA, you are vulnerable to phone porting as well.

An attacker calls your phone carrier, pretends to be you, and asks them to transfer your phone number to a SIM card the attacker controls. From that moment, all your calls and SMS texts go to that SIM instead of your phone.

If this happens, and you have SMS-based account recovery anywhere, the attacker can click “Forgot password?”, receive the verification text/call to their phone, and successfully log in as you.

Remediation:

Call your carrier and set a customer support PIN or passphrase while on the phone with the representative. Any future caller claiming to be you can only make changes to your account if they provide the correct PIN/passphrase over the phone.

Tell your carrier to lock your phone number to your SIM card, and to reject all requests to port your number to another SIM.

Instead of ever giving out your real phone number, use Google Voice or Google Fi. These are virtual phone numbers which can’t be ported by a call to a carrier, and they have the same authentication protections as a Google account.

Set a voicemail PIN, or call your carrier and disable voicemail entirely.

Attack #3: Intercepting texts and calls via fake cell towers

Attackers can intercept your texts and calls by spoofing cell towers. If someone already knows your password, or eavesdrops on your recovery code this way, they will get access to your account.

BlackHat demo of spoofing a cell tower

There are about a million ways that cell towers can be spoofed, so I won’t spend too much time here.