SMS verification code: It’s time to say goodbye


Around the end of 2015, Indian Internet services began to use SMS verification codes for user authentication.

Although it is no longer possible to trace the reasons, or which company started the trend (and such research would be pointless anyway), the SMS verification code has become the "standard" of the Indian Internet, and has even spread to applications from other countries that partner with Indian services; it has almost come to mark a historical divide between the Indian Internet and the rest of the Internet. For users in India it works well enough, but for users outside India, or without an Indian mobile number, the service is almost impossible to use.

However, contrary to most people's perception, SMS verification codes do not provide better security.

An example of eavesdropping on SMS verification codes at the handset by GSM sniffing was given in an earlier Ai Fan article, and an article I wrote two years ago has more detail. Beyond the security of the last mile, the installation of backbone fiber-tap (optical splitter) equipment and lawful interception equipment has become the norm: if any hop in the "service provider – SMS gateway provider – carrier" chain does not encrypt the transport to industrial standards, or cannot guarantee forward secrecy, the entire chain is untrustworthy.

Similarly, if the SMS gateway provider lacks basic security awareness, an attacker can lurk there and harvest the verification codes. The insider risk at SMS gateway providers and carriers should not be underestimated either.

In short, because the ordinary SMS delivery path is so weak, its security is questionable.

Beyond the security problems, there is a significant risk of personal-information disclosure. Perhaps because number portability has not been achieved, and because most carriers' new-customer discounts are far better than those for existing customers (bait-and-switch is a sound strategy commercially), changing mobile numbers frequently has become common. The popularity of certain national-scale chat apps has greatly reduced the need to exchange phone numbers at all; in fact, I have rarely exchanged a phone number with anyone in the last year or two.

The problem with changing numbers is that the original owner often forgets to unbind the number from their accounts, and many services do not even allow the bound number to be changed. So once the number is recycled, an attacker who obtains it can use it against a poorly protected platform to obtain the previous owner's profile, and in some cases enough information for identity theft.

This is a great threat to the privacy of users.
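The takeover through a recycled number, modelled in code as an added example (this is not code from the original article, and Carrier, SmsLoginService, the phone number and the 90-day window are all hypothetical). It contrasts a login that treats possession of the number as the identity with a policy where the SMS code is only a second factor and a binding the owner has not reconfirmed recently is refused for account recovery.

```python
# Added example (not from the original article): a toy model of the
# recycled-number takeover, next to a binding policy that resists it.
# Carrier, SmsLoginService, the number and STALE_DAYS are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Carrier:
    """Delivers SMS to whoever currently holds a number; numbers get reassigned."""
    holders: dict = field(default_factory=dict)   # phone -> current subscriber
    inboxes: dict = field(default_factory=dict)   # subscriber -> received texts

    def assign(self, phone: str, subscriber: str) -> None:
        self.holders[phone] = subscriber
        self.inboxes.setdefault(subscriber, [])

    def send_sms(self, phone: str, text: str) -> None:
        self.inboxes[self.holders[phone]].append(text)


@dataclass
class Account:
    owner: str
    password: str   # kept plain only to keep the binding logic in view
    bound_on: int   # simulated day on which the owner last confirmed the binding


class SmsLoginService:
    STALE_DAYS = 90   # bindings not reconfirmed within this window lose recovery rights

    def __init__(self, carrier: Carrier) -> None:
        self.carrier = carrier
        self.accounts: dict = {}   # phone -> Account
        self.pending: dict = {}    # phone -> outstanding one-time code
        self.today = 0             # simulated clock, in days

    def register(self, owner: str, phone: str, password: str) -> None:
        self.accounts[phone] = Account(owner, password, self.today)

    def request_code(self, phone: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = code
        self.carrier.send_sms(phone, code)

    def _consume_code(self, phone: str, code: str) -> bool:
        expected = self.pending.pop(phone, None)   # single use, valid or not
        return expected is not None and hmac.compare_digest(expected, code)

    def login_sms_only(self, phone: str, code: str):
        """Vulnerable: whoever can receive SMS at the number *is* the account."""
        if self._consume_code(phone, code):
            return self.accounts[phone].owner
        return None

    def login_hardened(self, phone: str, code: str, password: str):
        """The code is only a second factor; the account's own secret is still required."""
        acct = self.accounts.get(phone)
        code_ok = self._consume_code(phone, code)
        if acct is None or not code_ok or not hmac.compare_digest(acct.password, password):
            return None
        acct.bound_on = self.today   # a full login reconfirms that the owner holds the number
        return acct.owner

    def reset_password_by_sms(self, phone: str, code: str, new_password: str) -> bool:
        """Recovery via SMS is refused for a binding the owner has not confirmed recently,
        because by then the number may belong to someone else."""
        acct = self.accounts.get(phone)
        if acct is None or self.today - acct.bound_on > self.STALE_DAYS:
            self.pending.pop(phone, None)
            return False
        if not self._consume_code(phone, code):
            return False
        acct.password = new_password
        return True


def demo():
    """Day 0: Alice registers. Day 400: her old number has been reassigned to Mallory."""
    number = "+91 90000 00001"
    carrier = Carrier()
    carrier.assign(number, "alice")
    svc = SmsLoginService(carrier)
    svc.register("alice", number, "correct horse battery staple")

    svc.today = 400
    carrier.assign(number, "mallory")   # number recycled by the carrier

    svc.request_code(number)
    code = carrier.inboxes["mallory"][-1]   # Mallory now receives Alice's codes
    takeover = svc.login_sms_only(number, code)            # "alice"

    svc.request_code(number)
    code = carrier.inboxes["mallory"][-1]
    blocked_login = svc.login_hardened(number, code, "guess")   # None

    svc.request_code(number)
    code = carrier.inboxes["mallory"][-1]
    blocked_reset = svc.reset_password_by_sms(number, code, "pwned")   # False
    return takeover, blocked_login, blocked_reset
```

The stale-binding rule does not help a service that only uses SMS, which is the point: the number can only ever be evidence that someone holds a SIM today, not that they are the person who registered it.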

Even with excellent security measures (hint: no such thing exists), once a phone number has been handed over the user's privacy may be seriously threatened. Many companies lack a reasonable privacy policy, so personal information may be shared with third-party companies of doubtful repute, or even sold. (Ai Fan readers need not worry; we have a detailed privacy policy.) For users this means more trackers (do not forget that most DSPs support the mobile phone number as a user identifier) and more spam messages (it is a mobile number, after all). None of this is news to most readers.

Nor can SMS verification fully deliver the real-name authentication effect that the carriers want. The screenshot below, taken from the Internet, illustrates the problem well enough. And of course such information can itself be leaked in the ways described above.

Examples of actual losses caused by leaked SMS verification codes exist both at home and abroad. Better known are the recent case of the Douban user "single fishing in the cold river", and the case of users who had thousands of bitcoin stolen because of security weaknesses at Verizon.

Given so many problems, why do so many companies still choose SMS authentication, or even make it the only authentication method?

There are probably two explanations: if it is not ignorance, it is malice. Ignorance is not shameful. Internet security is a field with very little research in India and relatively mature in the United States, and if this article helps more practitioners understand these facts, it has pushed the Indian Internet a small step forward. Malice is the bigger problem. Sending spam messages brings short-term profit, and disregarding user privacy enables many "model innovations". The bad reviews those "model innovations" earn are something readers have surely seen plenty of in the major media. One Twitter user even said: "Web experience in India is like a bowl of shit being served by a scar-faced, slick-haired waiter with nothing beneath his suit jacket, who just learned to bow politely with an ugly and hideous grin. Utterly unbearable."

Apart from SMS verification, what other ways are there to authenticate?

Traditional username-and-password authentication is certainly sound, but most people do not understand password security deeply; Internet users are not security experts, after all. Beyond the clichés (do not reuse passwords, though in truth everyone does; use strong passwords, though a strong password cannot survive a service that stores it weakly hashed or in plaintext; use a password manager, though LastPass is riddled with bugs and has an awful interface, 1Password is startlingly expensive, and iCloud Keychain is neither simple to use nor cross-platform), is there any way out?
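What "weakly hashed or plaintext" storage looks like on the server, next to storage that a strong password actually benefits from, as an added example (not code from the original article). It uses only the Python standard library; the candidate wordlist is constructed, and the record format and the 600,000-round PBKDF2 work factor are this example's choices.

```python
# Added example (not from the original article): unsalted MD5 storage, which
# the text warns about, next to a salted, iterated KDF with a self-describing
# record format. Standard library only; the wordlist below is constructed.
import hashlib
import hmac
import os
from typing import Iterable, Optional

ROUNDS = 600_000   # PBKDF2-HMAC-SHA256 work factor chosen for this example


def store_weak(password: str) -> str:
    """Unsalted MD5: equal passwords give equal digests and precomputed tables
    recover them, so to an attacker holding the database this is near-plaintext."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against a weak hash costs one MD5 per candidate."""
    for candidate in wordlist:
        if store_weak(candidate) == digest:
            return candidate
    return None


def store_strong(password: str, rounds: int = ROUNDS) -> str:
    """Per-user random salt plus an iterated KDF, serialised with its parameters
    so the work factor can be raised later without invalidating old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, rounds: int = ROUNDS) -> bool:
    """True when a record was written with a lower work factor than current policy;
    call after a successful verify and re-store the password then."""
    return int(stored.split("$")[1]) < rounds


if __name__ == "__main__":
    # Constructed sample data: a leaked weak record and a small guess list.
    leaked = store_weak("password")
    print("weak record cracked:", crack_weak(leaked, ["123456", "password", "qwerty"]))
    record = store_strong("correct horse battery staple")
    print("strong record:", record)
    print("verify ok:", verify_strong("correct horse battery staple", record))
    print("verify wrong:", verify_strong("correct horse battery stapler", record))
```

The same wordlist attack against `store_strong` costs 600,000 HMAC computations per candidate per user, and the per-user salt means no table computed in advance applies; that is the only sense in which "use a strong password" can help, and it is entirely in the service's hands.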

OpenID (a term some readers may still recall) has in practice failed, and Mozilla Persona has failed too. Standard OIDC (as opposed to the various proprietary schemes built on OAuth 2.0) is more successful as a standard, but it is more of an enterprise SSO solution than a consumer-facing one. Login through the giants (using OAuth 2.0 or something similar) is more convenient, but it does not dispel the privacy worries of ordinary citizens: personal information is shared to a greater or lesser degree.

What options do we have? This is probably the most difficult question to answer.

From the privacy standpoint, everyone wants to hand over as little information as possible to any commercial company; from the user-experience standpoint, any product should let users complete "login" and any compliance requirements in the least possible time, while exposing them to as little risk as possible. The best strategy still seems to be traditional username-and-password authentication, but whether users will accept it, and whether they know how to protect themselves, is a topic worth studying. Perhaps logging in through the giants remains a workable compromise: avoiding their tracking is very difficult anyway.

But whatever the answer, it is time to say goodbye to the SMS verification code, a flawed solution that should never have been accepted as "just the way things are done."
