Our identity (in the form of a username or email and password) is brought into play, over and over again, as the gateway to perform an increasing array of functions. Everything is fair game, from business application software to more critical services like online banking.
Recent research from Centrify indicates that over a quarter of us enter a password online more than 10 times a day, or 3,500 to 4,000 times a year. In fact, 42 per cent of respondents in the UK and 37 per cent in the US say they create more than 50 new account profiles a year.
It follows that online identity is a challenge. There is a tendency for users toward simplifying the process by using the same username and password, making it easy for fraudsters to gain access to multiple accounts with a single hack.
Clearly there is a real need to add an additional layer of security or user authentication to a myriad of online services. Combining something you know (e.g. username / password), with something you have (phone, physical token) is significantly more secure as it can’t easily be exploited remotely. As such for years, two-factor authentication (2FA) has been regarded as the answer to the online access headache.
It requires users to use both something they know (like a password) and something they have (like a mobile phone). After a password is entered a second code (usually a randomised number) is sent to the user’s mobile device via an SMS and only after they enter it will a user get access to any given service.
Google’s Gmail, Linkedin, PayPal, Evernote, Dropbox and many others all have two factor authentication built in as a standard feature.
Adding this secondary line of protection is essential, and the best way to do it seemed to be with a one-time passcode sent by SMS. Indeed, as much as 20 per cent of all A2P (application to person) messaging on the CLX network comes from authentication. Banks, social networks and others have clearly found the process effective.
But in 2016 SMS 2FA was held out as fallible. An announcement made by the National Institute of Science and Technology (NIST) in the US noted that it had found flaws in 2FA via SMS messages, and said it was considering these risks and may “deprecate” SMS in future standards.
Specifically NIST was concerned that hackers could exploit flaws in the SS7 protocol that operators use to enable roaming on their networks. In some very sophisticated cases hackers can fool the phone network into thinking a device is on another network allowing for a 2FA SMS to be intercepted.
Theoretically this might be the case but if we peel back a few layers, it’s evident that the risk has been hugely over-exaggerated. In reality, the only people who could repeatedly exploit this SS7 protocol flaw at scale would be rogue employees inside a carrier that operates a GSM network – the equivalent of a Facebook staffer accessing your Facebook account.
Many critics of SMS for 2FA ignore the real weaknesses of SS7 and instead cite examples SIM Swap incidents whereby the attacker convinces a carrier to provide a replacement SIM card or to port a number to another carrier as evidence that SMS should not be used for 2FA. Even though these exploits are very real, they are not weaknesses or SMS but rather weaknesses of business processes and controls. Carriers are not the only companies who suffer from these weaknesses, and there are many examples of social engineering being used to access domain name registrars, email providers, and social media accounts to name but a few.
The reaction against SMS ignores the fact that it is generally safe and – most important – users are habituated to it because it is convenient and ubiquitous.
Moreover, it’s important to be realistic and offer the best possible security that people will actually adopt. In other words, there’s always a balance between security and ease of use. In this respect for the vast majority of online services, 2FA SMS is the best option we have. When looking at realistic alternatives to SMS such as ‘Time-based One-time Password’ (TOTP) apps, the evidence seems to be clear that getting a normal non-technical user to download a different app for each online service is very unlikely, and as such the alternative is a retrograde step to the username and password system.
Rather than deprecate SMS as a security standard, the solution should be to fix the known SS7 vulnerabilities rather than to prevent the use of SMS for 2FA. This is something that many operators are doing by installing SS7 firewalls to mitigate against these and other risks like grey routing.
While it’s always possible to close loopholes in a system, it’s much harder to reduce people’s tendency to be ‘taken in’. It’s a fact that it is social engineering – and not technical hacks – that is behind most attacks. Criminals persuading a network call centre agent to deactivate or port the original SIM, and provide a new one. Or phishing users with a spoof text message or email with the aim of tricking the consumer into disclosing personal data such as bank details or passwords for online services by masquerading as a brand that the consumer is familiar with (like their bank). In recent CLX MEF consumer research for example, we found that 33 per cent of mobile users have received a phishing message in the last year. Carriers will need to tighten controls to ensure these exploits are eradicated as these issues go beyond SMS and 2FA.
It is in fact two-factor authentication that can help to reduce these attacks, because it makes access so much more complex than merely trying to gain someone’s username or password. First published by CLX Communications
When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience.
Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.
Cookie Statement
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.
Cookie details
Cookie Subgroup | Cookies | Cookies used |
---|---|---|
eu5.mm.sdi.sinch.com | ASP.NET_SessionId | First Party |
community.sinch.com | AWSALB , LiSESSIONID | First Party |
appengage.sinch.com | dd_cookie_test_ | First Party |
tickets.sinch.com | atlassian.xsrf.token , JSESSIONID | First Party |
cockpit2.sinch.com | SESSION | First Party |
engage.sinch.com | instapage-variant-xxxxxxxx | First Party |
dashboard.sinch.com | cookietest | First Party |
brand.sinch.com | PHPSESSID , AWSALBCORS | First Party |
sinch.com | __cf_bm , OptanonConsent , TEST_AMCV_COOKIE_WRITE , OptanonAlertBoxClosed , onesaasCookieSettings, QueryString, functional-cookies, performance-cookies, targeting-cookies, social-cookies lastExternalReferrer, lastExternalReferrertime, cookies, receive-cookie-deprecation _gdvisitor, _gd_session, _gcl_au, _fbp, _an_uid, _utm_zzses, lpv | First Party |
mediabrief.com | __cf_bm | Third Party |
recaptcha.net | _GRECAPTCHA | Third Party |
cision.com | __cf_bm | Third Party |
techtarget.com | __cf_bm | Third Party |
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous.
If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
Cookie details
Cookie Subgroup | Cookies | Cookies used |
---|---|---|
community.sinch.com | ValueSurveyVisitorCount | First Party |
buzz.sinch.com | instap-spid.8069 , instap-spses.8069 | First Party |
appengage.sinch.com | _dd_s | First Party |
sinch.com | AMP_TLDTEST , rl_page_init_referrer , rl_trait , _vis_opt_s , __q_state_dp56h9oqwhna9CoL , cb_user_id , __hstc , rl_anonymous_id , rl_user_id , initialTrafficSource , _vwo_uuid , _vwo_uuid_v2 , rl_page_init_referring_domain , _hjIncludedInSessionSample_xxx , apt.uid , __hssrc , test_rudder_cookie , cb%3Atest , __hssc , rl_group_trait , _hjAbsoluteSessionInProgress , _vwo_referrer , _vwo_sn , _vis_opt_test_cookie , _hjFirstSeen , _hjTLDTest , _hjSession_xxxxxx , s_sq , _vwo_ds , rl_group_id , _vis_opt_exp_n_combi , s_cc , _gclxxxx , cb_anonymous_id , cb_group_id , apt.sid , rl_session , _uetvid , AMP_899c7e29a9 , _hjSessionUser_xxxxxx | First Party |
brand.sinch.com | AMP_TEST | First Party |
engage.sinch.com | no-cache , instap-spses.85bb , instap-spid.85bb | First Party |
www.sinch.com | d-a8e6 , s-9da4 | First Party |
nr-data.net | JSESSIONID | Third Party |
sinch-en.newsroom.cision.com | _ga, _gid | Third Party |
sinch.in | _ga_xxxxxxxxxx, _gat_UA-XXXXXX-X, _gid, _ga | Third Party |
terminus.services | terminustb | Third Party |
g.fastcdn.co | instap-spses.85bb | Third Party |
hello.learn.mailjet.com | pardot, visitor_id, visitor_id##### | Third Party |
www.googletagmanager.com | userId | Third Party |
hello.learn.mailgun.com | visitor_id#####, visitor_id | Third Party |
dev.visualwebsiteoptimizer.com | _vwo_ssm | Third Party |
box.com | box_visitor_id | Third Party |
app.box.com | z, cn | Third Party |
sinch-tfn.paperform.co | laravel_session | Third Party |
go.sinch.in | visitor_id#####, visitor_id | Third Party |
Qualified | __q_local_form_debug | Third party |
Rudderstack | rudder.inProgress, rudder.3156dd1f-7029-4600-ae54-baf147d9af20.queue, rudder.3156dd1f-7029-4600-ae54-baf147d9af20.ack, rudder.3156dd1f-7029-4600-ae54-baf147d9af20.reclaimStart, rudder.3156dd1f-7029-4600-ae54-baf147d9af20.reclaimEnd, | Third party |
6sense | _6senseCompanyDetauls, _6signalTTL | Third party |
Appcues | apc_local_id, apc_user | Third party |
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device.
If you do not allow these cookies, you will experience less targeted advertising.
Cookie details
Cookie Subgroup | Cookies | Cookies used |
---|---|---|
investors.sinch.com | visitor_id | First Party |
community.sinch.com | VISITOR_BEACON , LithiumVisitor | First Party |
sinch.com | _uetsid , ajs_user_id , _gcl_aw , ajs_group_id , AMCV_ , __utmzzses , _fbp , _gcl_au , AMCVS_ | First Party |
go.latam.sinch.com | visitor_id##### , pardot | First Party |
linkedin.com | li_gc, bcookie, lidc, AnalyticsSyncHistory, UserMatchHistory, li_sugr | Third Party |
pi.pardot.com | lpv151751, pardot | Third Party |
hsforms.com | _cfuvid | Third Party |
google.com | CONSENT | Third Party |
sinch.in | _gclxxxx, _gcl_au | Third Party |
www.linkedin.com | bscookie | Third Party |
bing.com | MUID, MSPTC | Third Party |
www.facebook.com | Third Party | |
hello.learn.mailgun.com | pardot | Third Party |
www.youtube.com | TESTCOOKIESENABLED | Third Party |
dev.visualwebsiteoptimizer.com | uuid | Third Party |
g2crowd.com | __cf_bm | Third Party |
pardot.com | visitor_id#####, visitor_id | Third Party |
tracking.g2crowd.com | _session_id | Third Party |
hubspot.com | __cf_bm, _cfuvid | Third Party |
doubleclick.net | test_cookie, IDE | Third Party |
youtube.com | CONSENT, VISITOR_PRIVACY_METADATA, VISITOR_INFO1_LIVE | Third Party |
go.sinch.in | pardot | Third Party |
liadm.com | lidid | Third Party |
www.google.com | _GRECAPTCHA | Third Party |
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.
Cookie details
Cookie Subgroup | Cookies | Cookies used |
---|---|---|
portal.sinch.com | pnctest | First Party |
partner.appengage.sinch.com | _dd_s | First Party |
investors.sinch.com | First Party | |
community.sinch.com | LithiumUserInfo , LithiumUserSecure | First Party |
tickets.sinch.com | selectedidp | First Party |
engage.sinch.com | ln_or | First Party |
cockpit2.sinch.com | CSRF-TOKEN , NG_TRANSLATE_LANG_KEY | First Party |
sinch.com | apt.temp-xxxxxxxxxxxxxxxxxx , hubspotutk , ajs%3Acookies , cf_clearance , ajs%3Atest , __tld__ , __q_domainTest , pfjs%3Acookies , ajs_anonymous_id | First Party |
auth.appengage.sinch.com | AUTH_SESSION_ID , KEYCLOAK_3P_COOKIE , KEYCLOAK_3P_COOKIE_SAMESITE , KC_RESTART , AUTH_SESSION_ID_LEGACY | First Party |
www.recaptcha.net | _GRECAPTCHA | Third Party |
boxcdn.net | __cf_bm | Third Party |
d2oeshgsx64tgz.cloudfront.net | cookietest | Third Party |
sinch-np.paperform.co | XSRF-TOKEN, laravel_session | Third Party |
vimeo.com | __cf_bm, vuid | Third Party |
sinch-ca-sc.paperform.co | XSRF-TOKEN, laravel_session | Third Party |
box.com | site_preference | Third Party |
app.box.com | bv | Third Party |
sinch-tfn.paperform.co | XSRF-TOKEN | Third Party |
cision.com | cf_clearance | Third Party |
These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.
Cookie details
Cookie Subgroup | Cookies | Cookies used |
---|---|---|
community.sinch.com | ln_or | First Party |
sinch.in | _fbp | Third Party |
youtube-nocookie.com | CONSENT | Third Party |
youtube.com | YSC | Third Party |