Syniverse Short Message Service (SMS) Hack and Two Factor Authentication

By William Beard, Jr on December 2, 2021

(By: William Beard on October 5, 2021)

Executive Summary

Syniverse, a Short Message Service (SMS) routing company based out of Hong Kong, disclosed on September 27th, 2021, that it had been hacked for over five years. Reportedly the intrusion affected over 200 of Syniverse’s customers. SMS messages are often used for two-factor authentication (2FA), and incidents of this type are what has led cyber security specialists to recommend moving away from SMS 2FA.

Background

Syniverse handles billions of SMS messages for companies such as AT&T, T-Mobile, and Verizon. The hack started back in May of 2016 and continued until May of 2021, when Syniverse detected the intrusion. Once the threat actor was in Syniverse’s systems, they had access to users’ phone numbers, locations, and texting data. No details have been released yet on the extent of the stolen data, but Syniverse has taken the appropriate steps to notify its customers and the authorities.

Back in 2016 the National Institute of Standards and Technology (NIST) started showing disapproval of SMS 2FA, mainly because of how vulnerable SMS is to attack. Subscriber identity module (SIM) swapping, man-in-the-middle attacks, malware, and social engineering are just a few of the methods threat actors might use to intercept SMS 2FA messages. This has led to a recommendation of more secure methods such as application- or hardware-based 2FA.

Impact

Syniverse has not released any information on what data, if any, was stolen or compromised in the breach. It has stated that all affected users have had their account credentials reset or deactivated. The attack itself may have affected only a few hundred of Syniverse’s clients, but those clients manage SMS messaging for millions of users.

Mitigation

Even though SMS 2FA is susceptible to attacks like SIM swapping and others, it is still better than not having 2FA at all. There are better alternatives, though, such as application-based 2FA, which allows higher security to be applied before the data is sent. Hardware-based 2FA removes the risk of someone intercepting the authentication in transit. Another up-and-coming method uses typing biometrics, which could do away with the need for a secondary token application or device. Typing biometrics uses Artificial Intelligence (AI) and computational power to map a user’s typing style at registration and then stores that information as a hash that is used to validate any new authentications. This method could help cut costs for companies while still providing a high level of security.
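As an added example (not code from the original post or from Syniverse), the application-based alternative described above is usually the RFC 6238 time-based one-time password: the server and the authenticator app share a secret once at enrollment, and every later login derives a short code locally, so nothing secret crosses a carrier's SMS routing network. The function names (`hotp`, `totp`, `verify_totp`, `enroll`) are this example's own, and the key below is the published RFC 4226/6238 test-vector key, not a real secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890"), NOT a real secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a single 64-bit counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Return the time-step that matched, or None.

    Accepts +/-`window` steps of clock skew, compares in constant time, and
    refuses any step <= last_counter so a code that was already used (or
    captured in transit) cannot be replayed; the caller stores the returned step.
    """
    counter = at // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def enroll(issuer: str, account: str) -> tuple:
    """Generate a fresh 160-bit shared secret and the otpauth:// URI that the
    authenticator app scans once; after this, no secret crosses the network
    per login, unlike an SMS code routed through a carrier hub."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
    return secret, uri
```

A server would persist the secret and the last accepted step per user, and call `verify_totp` with the current Unix time at each login.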

Relevance

2FA has always been a touchy subject for users: it adds an extra layer of protection, but it also adds an extra step to the access process. SMS 2FA was a way to make that process as un-cumbersome as possible. It does, however, add another layer of vulnerability that organizations must consider. The battle for information security is always about balancing defense in depth against encumbrance of use. SMS 2FA was a step in the right direction, and typing biometrics could be 2FA at its best.
