Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center Internet Storm Center

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

SMS and 2FA: Another Reason to Move away from It.

Published: 2019-11-18
Last Updated: 2019-11-18 04:55:21 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Developing applications around SMS has become very popular, with several companies offering simple to use APIs and attractive pricing to send and receive SMS. One security-related application of these SMS APIs (for the right or wrong reasons) has been simple two-factor authentication. This time, I don't want to talk so much about the security reasons not to use SMS to authenticate to critical systems, but some of the technical changes that are happening with SMS in the US and Canada.

Carriers in the US are usually not allowed to interfere with message delivery. The issue is similar to the larger "net-neutrality" question. Services considered telecommunication services must not be restricted or filtered, while information services can be restricted. Carriers argued that to curb spam and abuse of text messaging services, they need to be able to apply restrictions.

Late last year, the FCC did issue a ruling allowing carriers to restrict and filter SMS/MMS messages [1].

Starting this spring, some carriers in the US rolled out filters to restrict messages sent by applications. This "A2P" (Application to Person) messages can no longer be sent from regular long-distance numbers. Many small applications use standard long-distance numbers to send messages because they are cheap (typically about $1/month). The alternative is either toll-free numbers or shortcodes. Shortcodes are 5-6 digit long numbers specifically used for SMS, and they can not be used for standard voice calls. They can be very expensive (approx. $1,000/month),

 If your application uses SMS to, for example, notify you of system outages or send you a 2FA code, your messages may not be received if you are using a standard long-distance number to send the messages from. I found that there is often no error message in this case. The easiest (cheapest) solution right now appears to be to move to a toll-free number. They are not very expensive ($2-5/month) if you don't care about the exact number and are willing to accept one of the less known toll-free area codes like 833. For shortcodes, some services offer "shared codes" where your application uses the same shortcode as other applications, but this can be more difficult to use in particular if you are expecting replies.

Of course, there are a few other methods to send messages:

  • Phone companies usually offer email to SMS gateways. These appear to be unaffected. But you will need to know which carrier a particular number is associated with.
  • You could use other messaging services (iMessage, Slack, Telegram...) that have some form of API. But again, you will need to support different services and different APIs making development more difficult, or you may even need to develop a dedicated mobile application.
  • There are some newer messaging standards like RCS. Just last month, the big US carrier finalized an interoperability standard for RCS, and it is still a bit too early to use it. Ultimately RCS is supposed to replace SMS/MMS. It allows for features like group messaging, and rich character sets that users have become accustomed to from other messaging services. The FCC ruling does not cover RCS at this point.



Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Some packet-fu with Zeek (previously known as bro)
Nov 14th 2019
3 days ago by Manuel Humberto Santander Pelaacuteez (0 comments)

An example of malspam pushing Lokibot malware, November 2019
Nov 13th 2019
5 days ago by Brad (0 comments)

November 2019 Microsoft Patch Tuesday
Nov 12th 2019
5 days ago by Johannes (0 comments)

Are We Going Back to TheMoon (and How is Liquor Involved)?
Nov 11th 2019
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

"slow" half open tests (preparation for attacks?)
created Oct 28th 2019
2 weeks ago by Anonymous (0 replies)

Recommended Desktop Antivirus to use?
created Oct 21st 2019
4 weeks ago by Anonymous (0 replies)

Suspicious Domain Scoring
created Oct 4th 2019
1 month ago by Luke (1 reply)

SANS ISC InfoSec News RSS Feed broken?
created Aug 29th 2019
2 months ago by Adi (2 replies)

created Aug 14th 2019
3 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
5 months ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
2 years ago by Renato (0 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (0 comments)