2 Factor Authentication via SMS Flawed

checkpoint.pngI recently wrote about 2 factor authentication and mobile. If you are either a user of 2 factor authentication or a developer incorporating it into your service then you should take a look at the very recent Eurograbber attack (pdf).

An estimated 36+ million Euros was syphoned from more than 30,000 bank customers across multiple banks across Europe. The protagonists managed to use a trojan on peoples’ desktop to convince them to download an app to their Android/Blackberry devices that then listened for the incoming 2nd factor authentication SMS.

From the user side, this demonstrates how we should be very wary of what we download to our phones in response to incoming email or SMS messages, especially when we are in the middle of a financial transaction.

What can developers do about this? The main problem in this instance is the ability of (rogue) apps to listen in on incoming SMS messages. If SMS messages hadn’t been used then this problem wouldn’t have happened. An alternative example solution is Google Authenticator that’s a self-contained app that provides for the 2nd factor authentication that can’t be listened in on via another download. I think the main learning here is not to base your 2nd factor on a mechanism that isn’t itself secure.