SMS messages are the most popular two-factor authentication (2FA) method. They are used by banks, electronic and crypto wallets, mailboxes and all kinds of services; the share of users relying on this method is approaching 100%.

I don’t like this, because 2FA via SMS is unsafe. Reassigning a number from one SIM card to another has existed since the beginning of the mobile era; it is used to restore a number when a SIM card is lost. “Digital Money Weaning Specialists” realized that this “SIM card overwrite” option can be used in fraudulent schemes. After all, whoever controls the SIM card can manage another person’s online banking, electronic wallets, and even cryptocurrency. And another person’s number can be taken over by bribing a telecom employee, by deception, or with fake documents.

Thousands of episodes of SIM swapping, as this fraud scheme has come to be called, have been revealed. The scale of the disaster suggests that the world will soon abandon 2FA via SMS. But this isn’t happening: the study says that it is not the users who choose the 2FA method, but the service owners.

We suggest a secure 2FA method that delivers one-time codes via blockchain, and here’s how to apply it to a service.

Million bills

In 2019, SIM swap fraud increased by 63% according to the London police, and the “average check” of the attacker is 4,000 GBP.

SIM swapping is used to steal popular Twitter, Instagram, Facebook and VK accounts and bank accounts, and has recently reached cryptocurrencies. According to The Times, the number of people whose phone numbers were hijacked is growing rapidly. Indeed, Bitcoin entrepreneur Joby Weeks says that everybody he knows personally in the crypto community has had their number stolen. High-profile swapping cases have been covered by the mass media since 2016, and in 2019 the number of such cases peaked.

Back in May, the US Attorney’s Office in Michigan reported that six individuals were charged with online identity theft. The defendants, aged 19–26, are allegedly connected to a hacking group known as “The Community”. They are said to have performed seven attacks that resulted in the theft of 2.4 million dollars’ worth of cryptocurrency. Another well-covered SIM swap scam case was that of Joel Ortiz, who was charged with online theft of more than $7.5 million in cryptocurrency and sentenced to 10 years in jail.

Joel Ortiz at a university press conference. Two years later, he would be detained for cyber fraud.

A three-step fraud makes you poor as Job’s turkey

SIM swappers exploit an operator’s ability to port a phone number to a new SIM; by doing so, they appropriate the victim’s number and use it to reset a PIN. A typical SIM swap is performed in three steps:

Snooping. Fraudsters get hold of personal data such as first and last names and phone numbers. It is not surprising how easily they sometimes do that, as this information can be found on social media or acquired from an accomplice, a customer service representative, for instance.

Blocking. Fraudsters call the mobile network operator and block their victim’s SIM card, for example by saying that the phone was lost.

Swooping. This step is often performed with the aid of an accomplice or by faking official documents.

If criminals manage to get access to their victim’s phone number and personal data, they can steal money from credit cards or crypto wallets.

Real life is harsher. As soon as criminals pick their victim, they track the phone’s location daily. It costs surprisingly little: one GP request is about 1–2 cents. Once criminals are notified that their victim is in a roaming area, they ask a manager in a communications store for a new SIM card. It costs only $50, and the worst-case scenario is that the manager gets fired.

Then the criminals receive all of the SMS messages, and the victim cannot do anything because they are abroad, for instance. At this point the criminals have access to all of the victim’s accounts and try to change the passwords as soon as possible.

Constant vigilance!

Sometimes banks cooperate with the victims and reverse the funds transfer. Thus fiat money can be returned even if the criminal is never found. However, it is not that easy to do the same with cryptocurrency, since it is often untraceable. There are no laws that could protect cryptocurrency holders from the SIM swap scam or other fraud schemes, and to this day not a single crypto exchange has managed to compensate victims’ losses.

If someone wants to win a lawsuit and get their money back, they usually focus on their provider’s failure. For example, Michael Terpin, one of the SIM swapping victims, lost $224 million. He is now suing AT&T, a telecommunications provider.

As we said earlier, no government has a legal way to protect cryptocurrency holders, and as a result they cannot even insure their funds and get compensation. Therefore it is necessary to prevent a possible SIM swap scam, so that people will not have to face the consequences. As the saying goes, better safe than sorry, and to that end the world needs stronger means of protection.

SIM swapping is not the only 2FA via SMS problem

SMS confirmation codes are also unsafe from a technical point of view. Messages can be intercepted due to serious vulnerabilities in Signaling System 7 (SS7). 2FA via SMS is officially recognized as unsafe: the US National Institute of Standards and Technology says so in its Digital Identity Guidelines.

Moreover, the presence of 2FA often gives the user a false sense of security, and they choose a simpler password. Such authentication then does not complicate an attacker’s access to the account but facilitates it.

And SMS messages often arrive with a long delay or do not arrive at all.

Other 2FA methods

Of course, besides smartphones and SMS there are other 2FA methods. For example, one-time TAN codes: the method is primitive, but it works, and it is still used in some banks. There are systems using biometric data: fingerprints, retinal scans. Another option, which seems like a reasonable compromise in terms of convenience, reliability and price, is dedicated 2FA applications: RSA Token, Google Authenticator. And there are physical keys and other methods.

In theory everything looks logical and reliable. But in practice modern 2FA solutions have problems, and because of them reality differs from expectations.

According to the study, using 2FA is an inconvenience in principle, and the popularity of 2FA via SMS is explained by “less inconvenience compared to other methods”: receiving one-time codes is understandable for the user.

Many users associate 2FA with the fear that access will be lost. A physical key or a list of TAN passwords can be lost or stolen. I personally have had a negative experience using Google Authenticator. My first smartphone with this app broke, and the effort to restore access to my accounts was huge. Another problem is the transition to a new device. Google Authenticator does not have any export function due to security concerns (if the keys can be exported, there is obviously no security). I once transferred the keys manually and then decided that it was easier to leave the old smartphone in a box on a shelf.

A 2FA method should be:

Safe — only you should gain access to your account;

Reliable — you get access to your account whenever you need it;

Convenient and accessible — clear to use and requiring little time;

Cheap.

We consider blockchain to be a suitable solution.

Use 2FA via blockchain

From the user’s perspective, blockchain 2FA looks the same as receiving one-time codes via SMS. The only difference is the delivery channel. The way to get a 2FA code depends on what the blockchain offers. In ADAMANT, the options are the Web app, Tor, iOS, Android, Linux, Windows and macOS.

The service generates a one-time code and sends it to the blockchain messenger. Then everything goes as usual: the user enters the code received and logs in.

In my «How a decentralized blockchain messenger works» article I wrote that the blockchain ensures the security and privacy of messaging. On the subject of sending 2FA codes, I will highlight:

One click to create an account; no phone or email address required.

All messages with 2FA codes are end-to-end encrypted using curve25519xsalsa20poly1305.

An MITM attack is impossible: each message with a 2FA code is a blockchain transaction signed with Ed25519 (EdDSA).

The message containing the 2FA code is included in a block. The sequence and timestamps of blocks cannot be changed, and therefore neither can the order of messages.

There is no central structure that checks “message authenticity”. This is done by a consensus-based distributed node system that belongs to the users.

Impossible to disable — accounts cannot be blocked, and messages cannot be deleted. Compare SMS, where the mobile carrier owns the SIM card and can disable or suspend it without giving a reason.

2FA codes are accessible from any device at any time.

Delivery confirmation of the 2FA message. The service that sends a one-time password knows for sure that it has been delivered. No “Submit Again” buttons.

Here’s a comparison table for other 2FA methods:

A user can quickly get an account in the ADAMANT blockchain messenger to receive codes; only a passphrase is needed to log in. So the ways of applying it can differ: you can use one account to get codes for all services, or create a separate account for each service.

There is also an inconvenience: an account must have at least one transaction. In order to receive an encrypted message containing a code, the sender needs to know the user’s public key, which appears in the blockchain only with the first transaction. We worked around this by implementing a way to get free tokens in a wallet. However, a more correct solution is to name an account by its public key. (For comparison, an account is U1467838112172792705, which is a derivative of the public key cc1ca549413b942029c4742a6e6ed69767c325f8d989f7e4b71ad82a164c2ada. For the messenger this is more convenient and readable, but for a system sending 2FA codes it is a limitation.) I think in the future someone will move the “Convenience and Accessibility” of such a solution into the green zone.

The cost of sending a 2FA code is really low: 0.001 ADM (about 0.00001 USD currently). Again, you can make your own blockchain with its own rules and set the price to zero.

How to connect 2FA via blockchain to your service

I hope I have been able to interest a few readers in adding blockchain authorization to their services.

I’ll show how to do this using ADAMANT Messenger as an example; by analogy you can use another blockchain (if any exist that support sending 2FA codes) or run your own based on ADAMANT.

In the 2FA demo application we use PostgreSQL 10 to store account information.

Connection steps:

1. Create an account for sending 2FA codes. You will receive a passphrase, which is used as the private key to encrypt messages and sign transactions.

2. Add a script to your server to generate 2FA codes. If you already use some other 2FA method with one-time password delivery, you have already completed this step.

3. Add a script to your server to send codes to a user in the blockchain messenger.

4. Create a user interface for sending and entering the 2FA code. If you already use some other 2FA method with one-time password delivery, you have already completed this step.

Step 1: Account creation

In ADAMANT, you can create the account the codes are sent from manually in the Web app. In most cases this is also more convenient for users: they know that the service sends 2FA codes from a specific account, and can name it.

If you want to generate accounts programmatically, use ADAMANT Node API, Console or JS API: https://adamant.im/devs/.

In general, creating an account in the blockchain means generating a private key, a public key, and an account address derived from it.

First, a BIP39 passphrase is generated, and its SHA-256 hash is calculated. The hash is used to generate ‘ks’ (the private key) and ‘kp’ (the public key). Applying SHA-256 with inversion to the public key, we get the blockchain address.

Step 2: 2FA codes generation

A 2FA code needs to be generated for each user login. We use the speakeasy library, but you can choose any other.

const speakeasy = require('speakeasy');
// HOTP (RFC 4226): `counter` is the per-account counter stored with the user record and
// advanced after every code that is issued; the secret is stored as an ASCII string.
const hotp = speakeasy.hotp({ counter, secret: account.seSecretAscii, encoding: 'ascii' });

Validation of the 2FA code entered by the user:

// `enteredCode` is the value the user typed; it is checked against the stored counter and secret.
se2faVerified = speakeasy.hotp.verify({ counter: this.seCounter, secret: this.seSecretAscii, encoding: 'ascii', token: enteredCode });

Step 3: Sending the 2FA code

You can use the ADAMANT blockchain node API to send the 2FA code, as well as the JS API library or the Console. In this example we use the Console, the command line interface, a utility that simplifies interaction with the blockchain. To send a message with a 2FA code, you need to use the send message command.

const util = require('util');
const exec = util.promisify(require('child_process').exec);
…
// adamantAddress is the recipient's ADAMANT account, hotp is the freshly generated code
const command = `adm send message ${adamantAddress} "2FA code: ${hotp}"`;
try {
  // the promisified exec resolves with { stdout, stderr } and rejects on a non-zero exit code
  const { stdout, stderr } = await exec(command);
} catch (error) {
  // the send failed: log it and report an error to the user instead of waiting for a code that never arrives
}

An alternative way to send messages is to use the send method of the JS API library.

Step 4: User interface

The user needs a way to enter the 2FA code; this can be done in various ways depending on the platform of your app. We use Vue in our example.

The source code for the blockchain 2FA authorization demo app can be viewed on GitHub: https://github.com/Adamant-im/adamant-2fa. See the Readme for the Live demo link.

Get Blockchain 2FA for free

If you are interested in the ADAMANT 2FA solution, we will be glad to help you and to compensate the tokens spent on sending verification codes. This offer is limited, so do not hesitate to contact us.

Have a look at how Resfinex exchange secured users’ accounts with ADAMANT 2FA.

ADAMANT TECH LABS is also looking for partners in other aspects of work: https://adamant.im/partners/.