Monday, July 20, 2009

SMS Two Factor Authentication and SIM cloning

Kees Leune pointed out the utility of Google's SMS two factor authentication earlier today. Using this becomes an interesting potential vulnerability when combined with the much discussed Nokia 1100 cloning vulnerability discussed in recent months. The threat model used by criminals in Europe is described in the Ultrascan article:

Further investigations revealed that, in particular East European gangs, were buying this German Nokia 1100, were able to hack this model to insert any mobile phone number and use it for criminal purposes, especially to intercept the mobile (sms) TAN code during on-line banking fraud.
This doesn't mean that you shouldn't use the two factor authentication for your password resets - an additional hurdle to attackers resetting your password is a good one. Instead, you simply need to remain aware that any service that allows resets could be attacked. The Nokia 1100 is only a first example of what will likely be an ongoing threat as we use SMS and other technologies for more of our transactions.

No comments: