Text authentication is even worse than almost everyone thought

For years, everyone, myself included, has been telling IT how horrible the security of sending SMS codes for authentication is. Now, thanks to some excellent reporting from Vice, it is clear that the text-messaging situation is far worse than almost anyone thought. Not only do text messages have inherent cybersecurity flaws, but the entire telecommunications space surrounding the text-messaging infrastructure is absolutely appalling.
The attack the white hat demonstrated intercepted and redirected all of the victim's text messages, but it was not a technical takeover. The white hat (who had been asked by a Vice journalist to try to steal his text messages) simply paid a small fee (€16) to a legitimate SMS messaging and marketing company called Sakari. The white hat had to lie, claiming he had the user's permission, but no meaningful proof was requested. "Once (the attacker) can redirect a target's text messages, then it can be trivial to hack into other accounts associated with that phone number," the Vice story reads. "In this case, (the attacker) sent login requests to Bumble, WhatsApp and Postmates, and easily accessed the accounts."

From a computer security perspective, this story gets that much scarier as it explores just how complicated the entire telecommunications universe is when it comes to protecting text communications. This is yet another reason why SMS cannot be trusted for authentication, or, for that matter, for almost anything else. Consider this from the story: "In Sakari's case, it is given the ability to control the forwarding of text messages from another company called Bandwidth, according to a copy of Sakari's LOA (Letter of Authorization) obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the centralized, proprietary database used by the industry for text message routing, Service Replacement Record (OSR), Bandwidth said."

For years, the key argument against trusting SMS confirmations has been that they are susceptible to man-in-the-middle attacks, which is still true. But this look at the infrastructure behind text messaging shows that text takeovers can happen far more easily than that, with no interception needed at all.
There are many easily accessible applications that make authentication far more secure than text messages, such as Google Authenticator, Symantec VIP Access, Adobe Authenticator, and Signal. Why risk unencrypted and easily stolen text messages for access to your accounts or anything else? For now, let's set aside the fact that it is relatively easy and inexpensive to switch to a more secure alternative to text confirmations. Let's also set aside the operational and compliance risks your team incurs by allowing the company to grant account access based on cleartext messages. How about we look only at the risk and compliance implications of enabling third-party access via cleartext authentication?

Remember this from the Vice article: "The (attacker) sent login requests to Bumble, WhatsApp and Postmates, and easily accessed the accounts." Once a bad guy takes control of a customer's text messages, it causes a huge ripple effect, in which accounts at many businesses are improperly accessed. What if a lawyer from one of those other companies sees your business as a deep pocket and argues something like "If (your business) hadn't set off an insecure chain reaction by insisting on using cleartext messages as authorization, my client wouldn't have felt comfortable doing the same. Therefore, (your company) should cover our losses." Sounds absurd? Maybe, but before your staff lets such an argument get to court, they'll settle by handing over a good chunk of your IT budget increase request for next year. Then there is the backlash (financial, brand perception, unpleasant social media comments, a drop in the number of new customers, etc.) from your installed base and your prospects, even setting aside any possibility of litigation.

What about compliance? There are two typical arguments when it comes to defending such reckless behavior to regulators. One: "It was typical industry practice. I can show that 80% of our competitors did it too." Two: "Back then, we had no reason to believe that cleartext security was that bad." As for argument one (typical industry practice), that defense will start to go away fast. It may work to defend this horrible practice for 2020 business, but companies will start pulling out this summer. As for argument two (who knew?), this story from Vice and the reaction to it are going to crush that defense as well. Don't let your company be the last in your industry to ditch cleartext messages for authentication.
Copyright © 2021 IDG Communications, Inc.