6 min read

SMS One Time Passwords (OTPs) are secure, right?

By Dheng Siah on 28/02/19 13:10

Topics: Security

Short answer: No.

You’ve come home from work feeling happy that your time-off has been approved. You Google ‘cheapest flights to Majorca,’ book your flight, and punch in your credit card number. You wait for your phone to buzz before typing in your one time password. After you hit enter, you go to bed feeling happy and secure.

Unfortunately, you aren’t secure, and may not be happy for long. In 2018, Global Banking & Finance reported that banks are starting to move away from SMS OTP. So why is it, that SMS OTP (One Time Passwords) remains one of the most popular methods for implementing 2FA (Two Factor Authentication)?


There is one simple reason: convenience. Most individuals have at least one active phone, so SMS OTP provides a relatively simple method of implementing 2FA.

In most (if not all) cases, more security means less usability, and vice versa. For example, adding an extra form of authentication may add security, however this is an extra step the user needs to perform to gain access. Security and accessibility share a push and pull relationship. When one gains, the other falls. A delicate balance needs to be maintained, and that balance is usually a saddle point of the two. That is, the point where security is deemed to be sufficient (although this is subjective), while maintaining a high level of usability. For many, SMS OTP sits on this (saddle) point and is the ideal compromise of the two.


If once considered relatively secure, what changed, and why? Following the dramatic rise in Bitcoin’s value towards the end of 2017, the world started to accept cryptocurrencies as an alternative investment. The result? A surge in popularity and demand for cryptocurrency wallets. Unfortunately, SMS OTP was one of the most commonly used methods by these sites to implement 2FA. With figurative gold mines now just floating around on the internet, and the ability to stay anonymous, there was now a large incentive to try and break the protection provided by SMS OTP. Some recent examples include prominent eSports star, Doublelift, losing $200,000 worth of cryptocurrency after a SIM swap scam and Coinbase accounts being hacked and drained through exploiting flaws in SS7 (signalling protocols on mobiles networks).


How SMS OTP can be compromised

1) SIM Swapping

The least technical yet most effective approach is SIM swapping. This is a social engineering method, where hackers trick service providers into sending them a replacement SIM for your number, thus allowing hackers to receive your SMS OTPs.

Getting a SIM replaced by your provider is usually an easy task. The process usually involves them asking you a few security questions or providing a memorable answer. Both of which can be directly phished from the victim or may already be readily available from a previous data breach. In addition to this, the phishing attempt may only involve the representative from your service provider, and thus you may fall victim to this even if you yourself follow best practices. Reuters reported that a US investor had filed a lawsuit against AT&T for $224 million, accusing them of gross negligence that resulted in the loss of his cryptocurrency.

2) Vulnerabilities in SS7

Signalling System No.7 (also known as SS7), is a set of protocols that enables calls & text messages to be made on a network. It also ensures other services such as roaming, and billing can be provided and are appropriately handled.

Developed in secrecy in 1975, the protocols specified by SS7 was not open to scrutiny by security experts in the general public. This resulted in vulnerabilities of the protocol at a fundamental level, and were discovered in 2014 by German researchers. These vulnerabilities can be exploited by hackers to gain access to the network. Once in, hackers have full access to the information (phone calls, SMS etc.) being passed throughout the network. And to those that are not able to hack their way in, there is always the option of purchasing access from the dark web.

3) Unencrypted Storage of SMSs

By default, SMSs are stored unencrypted on your device and apps can request permission to read them. Once given, apps will then have full access to all your SMSs and can freely view them. Although not usually for nefarious purposes (E.g. WhatsApp reads your SMS for verification codes), vulnerable apps can be compromised by hackers.

Recently, Google started to tighten developer guidelines, limiting the permissions of third-party apps, including the permission to view SMSs. However, this only applies to third-party apps on Google Play, malware and other third-party apps installed through other means do not play by these rules and restrictions.

4) Phishing One Time Passwords

Paradoxically, the OTPs that are meant to protect you from phishing can be phished. The New York Times reported a conceptually simple MITM method of how this can be carried out. The phish usually starts with an email or a redirect to a malicious site, prompting you to either reset your password or login. This site is made to look as authentic as possible to prevent potential victims from raising any suspicions. When you submit your information, the site acts like a reverse proxy, forwarding the entered information onto the real site. This would then trigger an authentic request for an SMS OTP by the real site, resulting in the victim receiving this text. Once the OTP is entered and submitted, the malicious site then forwards the OTP onto the real site, granting the hacker a legitimate session. With this method, all types of OTPs can be phished, and it is not just SMS OTP that is at risk.


 Alternatives to SMS OTP

1) Hardware Tokens

Hardware tokens are similar to SMS OTP, in the sense that it provides a way of generating a one-time password. However, the key difference is that there is no external communication channel or mobile network involved and therefore cannot be intercepted like SMS OTP. Hardware tokens are an effective alternative against methods 1-3 described above but is still vulnerable to being phished.

2) Biometrics

The use of biometrics for authentication (iris scanning, fingerprint, etc.) can be an effective measure against all of the above-mentioned attacks. This is because biometrics are inherently difficult for attackers to steal. There are however some drawbacks to this alternative. The most risky is that biometric comparison is probabilistic and therefore can be vulnerable to spoofing attacks if the provided information is ‘close enough’. For this reason, the National Institute of Standards and Technology only supports the use of biometrics as an authentication method when used in conjunction with a physical authenticator (something you have), in their Digital Identity Guidelines.

3) Device Registration

Device registration is probably the most effective and convenient alternative out of these three alternatives. Device registration works by preventing any device that has not been previously registered from logging in. As a result, stealing just user credentials and OTP is insufficient to gain access and requires theft of the actual device as well. In addition, device registration is a ‘one-time setup’ and does not require any additional steps beyond the first registration and can be integrated seamlessly with other forms of MFA (Multi Factor Authentication) that might already be in place.


Although SMS OTP is still widely used today to implement 2FA, there are some glaring vulnerabilities with this method and the security it provides can be easily circumvented. As with most cybersecurity related changes, it is better to pre-emptively move away from easily breached methods or to add extra layers of security.


Dheng Siah

Written by Dheng Siah

IT Security Engineer at Azeus UK LTD

Subscribe to the Convene blog to get regular tips and updates on Governance and Digital Transformation!