(CMR) The OfReg is issuing a warning about the dangers of using SMS text messages for user authentication.
From the summer of 2016 industry magazines were stating that:
“SMS-based Two-Factor Authentication (2FA) has been declared insecure and soon it might be a thing of the past.”
This followed the US National Institute of Standards and Technology (NIST) releasing a new draft of its Digital Authentication Guideline, which says that SMS-based two-factor authentication should be banned in future due to security concerns. NIST argued that SMS-based two-factor authentication is an insecure process because it is too easy for anyone to obtain a phone, and the website operator has no way to verify whether the person who receives the 2FA code is even the correct recipient.
Now the local authorities are agreeing with this position in their own paper, co-authored by the OfReg Deputy CEO & Executive Director ICT and Ian Callow, Manager of Fixed and Wireless Services, to address the dangers of using text messages as part of the two-factor authentication process.
Most websites encourage users to use two-factor authentication to verify their identity when logging into various websites and online accounts. Two-Factor Authentication, also known as 2FA, two-step verification or TFA, is an extra layer of security within what is known as “multi-factor authentication”: it requires not only a username and password but also something that only that user has, i.e. a piece of information only they should know or have immediately to hand, such as a physical token.
Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person's personal data or identity.
Two-factor authentication is not a new concept, but its use has become far more prevalent in the digital age we now live in. As recently as February 2011, Google announced two-factor authentication online for their users, followed by MSN and Yahoo.
However, OfReg is reminding users that, of all the available options to verify one's identity, SMS text messages have inherent dangers because of known vulnerabilities, which include:
Malware on mobile phones which captures SMS messages;
SIM Swap where a criminal uses personal information to persuade a carrier to transfer mobile service to a new SIM;
Fake cell sites; and
Exploitation of weaknesses in the mobile network signalling systems.
They are recommending that
“Cayman Islands service providers across private and public sectors, including financial services providers, are encouraged to avoid using SMS text messages in any part of their user authentication process.”
The explanatory paper can be found in its entirety here.