Two Factor Authentication: SMS vs. Tokens
Are one-time passwords sent via cell phone text messages more secure than traditional hardware tokens?
The numbers are staggering. About 750 million airline passengers must remove their shoes every year because one lone nut, Richard Reid (now a resident of a supermax prison in Colorado), once tried to blow up a plane with a shoe loaded with pentaerythritol tetranitrate (PETN). The hordes of stamping stockinged feet notwithstanding, PETN is not detectable on the scanners used by airport security gatekeepers. A chemical test is needed.
Evidently the illusion of feeling secure is enough to calm skittish nerves. Sheer numbers tell their own story; a classic case of one bad seed spoiling the batch.
It calls to mind the seeds that were stolen from RSA SecurID tokens and subsequently used to attack Lockheed Martin and other unconfirmed defense contractors. These internal seeds comprise a secret key hard-coded into the token itself, and are the logical equivalent of a combination to a vault. Now 30,000 worried RSA customers are looking to have 35 million hardware tokens replaced.
On further probing, it’s interesting to note that the financial and reputational losses suffered by RSA and its customers from using a proven two-factor authentication mechanism were all the result of one bad file and poor judgment on the part of one RSA employee. The take-away is that it could’ve happened to anyone, and that we’ve entered the era of using social engineering to make employees unwitting participants in elaborate hacks.
RSA is calling the attack an advanced persistent threat (APT) and fingers are pointing at Operation Aurora, something that Google experienced last year and claimed had originated from China. Whatever its origin, the APT is a sophisticated attack that is making RSA throw up its hands not in defeat, but in recognition that “a new defense doctrine” is called for.
Of the IT security experts contacted across the country, many are hollering for a switch away from tokens in favor of SMS-based authentication. But is SMS necessarily superior to hardware tokens?
SecurID tokens are built on complex cryptographic algorithms. Stealing a few seeds is not enough to get access to all the goods. The tokens generate a one-time password every 30 or 60 seconds. A hacker would need to do more than intercept the password: he would have to know the token's serial number or clone one, and he’d need ready access to the token’s authentication server, which must match its code with the one generated by the token. Once these two align, access (typically by remote VPN) is possible. Once a SecurID token is compromised, it must be replaced, and provisioning millions of new ones cannot be a simple feat.
Security experts weigh in
“Aspects such as deployment, manageability and superior authentication are just a few things that set SMS-based authentication apart,” said Cedric Jeannot, founder of data encryption company I Think Security in Waterloo, ON.
Bank of America uses two-factor SMS authentication whenever a customer wants to make a change to their account, such as setting up a new bill payee. It simply sends a one-time password to the account holder’s cellphone. This is also the model that Brainloop uses on its document security application, in use by the likes of BMW and Deutsche Telekom. Like tokens, the PIN is valid only once and expires after a fixed time.
“SMS is a viable alternative to token-based authentication on the grounds that SMS is much easier to manage and relatively inexpensive,” said Markus Seyfried, CTO at Boston-based Brainloop.
There is also comfort in carrying around a device that nearly everyone already owns. And when you lose it, you notice immediately, unlike a token that may be used only sporadically. More than that, once a token is reported missing, the authentication server administrator must be alerted, causing some delay before it is invalidated.
“Users tend to notice the loss of their cell phone very quickly and can react by remotely blocking the SIM card. Because of that, mobile devices are more flexible and a secure part of the data protection infrastructure than token technology,” said Seyfried.
On April 1, Uri Rivner, head of new technologies, consumer identity protection at RSA, wrote a blog post, Anatomy of an Attack, that got to the root cause of the SecurID fiasco. He described phishing emails sent to office employees with the subject line “2011 Recruitment Plan.” Ironically enough, the email was identified by the spam filter and thrown into the junk folder, but the employee retrieved it and opened the attached Excel .XLS file anyway.
“The spreadsheet contained a zero-day exploit that installs a backdoor through a [former] Adobe Flash vulnerability (CVE-2011-0609),” Rivner wrote.
Rivner identified this phishing attack as a typical APT: the malware installed a remote administration payload that allowed the attacker to control the endpoint.
“In our case, the weapon of choice was a Poison Ivy variant set in a reverse-connect [mode] that made it more difficult to detect,” wrote Rivner. Eventually, the attacker sought out users with higher security clearances.
“Requiring users to carry a security token now that SMS-based authentication is available is outdated and, in many cases, reduces the security offered through a properly designed text messaging process,” said Scott Goldman, CEO of TextPower, based in San Juan Capistrano, CA, which develops text messaging services for utilities and B2C organizations.
One value of SMS-based authentication is that the SMS is sent, most of the time, from a central entity; the cellphone is just the receiving end.
“For security tokens, in most cases, each device is autonomous. RSA’s SecurID does not connect to the Internet to update its numbers. There’s a seed, a loading time, and a pre-defined algorithm that generates numbers based on that seed. This is an embedded system. If the algorithm or the seed is compromised, there is no way to update the tokens; they must be collected and new ones distributed,” said Jeannot.
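To make the two models described above concrete (the autonomous seed-based token whose code the server must re-derive, and the centrally generated, expiring, single-use SMS code), here is an added example that is not code from RSA, Brainloop or any vendor quoted in this article. RFC 6238 TOTP stands in for SecurID's proprietary algorithm, and the serial number, seed, user names and the TokenServer/SmsServer classes are constructed for illustration.

```python
import hashlib, hmac, secrets, struct
STEP = 30  # seconds per OTP window; SecurID rotates every 30 or 60 s

def token_otp(seed, now, digits=6):
    """Seed-based OTP (RFC 6238 TOTP, standing in for SecurID's proprietary
    algorithm): the code depends only on the embedded seed and the time step."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenServer:
    """Authentication server holding a copy of every token's seed."""
    def __init__(self, seeds):
        self.seeds = dict(seeds)  # serial number -> seed, the 'vault combination'
        self.used = set()         # (serial, step) already accepted: no replays

    def verify(self, serial, code, now, skew=1):
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        for delta in range(-skew, skew + 1):  # +/- skew steps absorb clock drift
            t = now + delta * STEP
            if hmac.compare_digest(token_otp(seed, t), code):
                key = (serial, t // STEP)
                if key in self.used:
                    return False  # same code presented twice
                self.used.add(key)
                return True
        return False

class SmsServer:
    """SMS model: a central entity draws a random code, stores it with an
    expiry and sends it out of band; the phone itself holds no secret."""
    def __init__(self, ttl=300):
        self.pending = {}  # user -> (code, expires_at)
        self.ttl = ttl

    def issue(self, user, now):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (code, now + self.ttl)
        return code  # handed to the SMS gateway in a real deployment

    def verify(self, user, code, now):
        entry = self.pending.pop(user, None)  # single use: gone after one try
        if entry is None:
            return False
        expected, expires_at = entry
        return now <= expires_at and hmac.compare_digest(expected, code)
```

The contrast is the point of the article: anyone holding a copy of the token seed can run token_otp and obtain the same code, so a leaked seed can only be fixed by re-issuing tokens, whereas the SMS server's code lives only in its own table and dies on use or expiry.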
Carly Ann Campo of Envoy Data Corporation, a distributor of smart cards and tokens, takes a contrarian view on the security front yet touts low TCO. “SMS-based tokens are a bit more insecure because the system generates the one-time password and sends it over the air, giving rise to the possibility of unauthorized individuals intercepting the data. A software-based or hard token generates the OTP on the device itself, isolating the data to the physical device. However, for some businesses, the marginal security difference is trumped by the low cost to operate and replace. SMS-based solutions are intuitive due to the commonplace familiarity associated with mobile devices like cellphones. We aren't intimidated by an item we use in our everyday lives.”