July 22, 2020

MNOs Slaying Their Golden Goose in A2P by not Securing SMS

A2P messaging is an enormous revenue stream for operators, with a market worth over $60 billion – but as its popularity and ubiquity increases, so too do threats to its security. SMS remains vulnerable to a variety of attacks, and the industry response is less than encouraging. If security does not improve, MNOs stand to lose massively. 

Is 2FA secure for subscribers?

On more than one occasion I have seen presentations from the industry about an SMS interception attack – where an attacker would steal a 2FA password. This happens because of inadequate signalling protection on the home network of the victim subscriber.

In the aftermath of such a presentation, a predictable pattern of comments and questions follow. Some of these (rightfully) focus on things like “How can we prevent this happening again?” along with some suggestions about how to do so. Then inevitably another type of comment will emerge: “Why is this application or enterprise using SMS for 2FA anyway? We all know it is insecure.” This typically receives some significant support as well.

The golden egg

The attitude shown in the latter comment really is telling of the potential disconnect between departments in any given operator. A2P SMS is a very significant revenue stream for operators. I am not sure that the finance department in any MNO would be impressed by such thinking from their fraud/security representatives, regardless of how correct they may be.

It may be the case that people in the know are aware of the vulnerabilities in SMS, but this view isn’t widely known within many enterprises that rely on SMS for two factor authentication. I highly doubt that when an MNO attempts to sell the benefits of A2P SMS to enterprise customers, the pitch ends with: “By the way, watch out because this really isn’t secure.”  

Cracks emerge

Many operators seem to want it both ways: they want everyone to use SMS for 2FA, and reap the rewards in revenue – but at first sign of a security issue, the response is “SMS isn’t secure anyway.” As inaction continues in signalling security, some enterprises are already seeing these security flaws for themselves and many choose another way of doing 2FA.

Luckily, SMS is still extremely popular due to its ubiquitous support on all handsets, and the fact that it is the incumbent technology. The old saying prevails: “If it ain’t broke, don’t fix it.” SMS 2FA still works, which means enterprises are less inclined to invest to fix something that they do not consider to be broken. However, enough complacency over SMS security from MNOs will change this attitude.

Secure the goose, protect the egg

SMS does not need to be insecure. Yet nothing is achieved without some effort, and investment is required to make SMS secure. It’s only natural that operators might be unwilling to part with their hard earned revenue for security that they don’t deem essential.

However, the reality is that an investment in signalling security will pale in comparison to the loss of a valuable revenue stream in A2P SMS if the industry continues to wash its hands of responsibility for securing this lucrative channel. If operators want to keep A2P, SMS security is essential. 

Tags: , ,

Categorised in:

July 22, 2020