NC4 Public1

NC4-ALR-2025-000002

Mitigating Cyber Security Risks - Deprecating SMS-Based Authentication and Service

Introduction

The National Cyber Coordination and Command Centre (NC4) advises organisations to reduce reliance on SMS-based authentication and services, particularly in multi-factor authentication (MFA). This recommendation follows widespread banking trojan mobile app incidents affecting Malaysian citizens and recent cases in which cybercriminal groups, such as the Darcula group, have exploited 2G vulnerabilities to impersonate commercial and government entities, leading to financial scams. NC4 strongly recommends adopting more secure alternatives such as authenticator apps, FIDO2 security keys, and push notifications.

Impact

Using SMS for authentication, especially in two-factor authentication (2FA), presents significant security risks. Cybercriminals can intercept or spoof SMS messages, gaining unauthorised access to sensitive information. Threat actors can also manipulate SMS systems to deceive users, resulting in financial losses and compromised personal data.

Brief Description

SMS has been a prevalent communication tool since its introduction in the early 1990s in Malaysia. Initially, it served as a convenient method for personal messaging and later became integral to various ICT systems for notifications and authentication purposes.

Given the wide deployment of this service, cybercriminals have developed sophisticated malware, such as banking trojans, which can intercept and forward SMS messages from infected devices. This capability allows attackers to bypass SMS-based two-factor authentication (2FA) by capturing one-time passwords sent via SMS, thereby gaining unauthorised access to victims' financial accounts.

Additionally, the use of SMS blaster devices enables attackers to exploit vulnerabilities in older 2G networks. These devices can force mobile phones to downgrade to 2G, a protocol lacking robust encryption and mutual authentication. By setting up fake base stations, attackers can send spoofed messages that appear legitimate, confusing users and increasing the likelihood of successful phishing attempts.

A notable incident highlighting these vulnerabilities occurred in November 2024. The Royal Malaysia Police, with intelligence support from Maxis, dismantled an SMS blaster operation in the Klang Valley. Four individuals were arrested for operating devices that sent fraudulent messages impersonating Maxis, luring recipients to phishing websites to steal banking credentials. The operation had the potential to target up to 32,000 individuals daily, with estimated losses amounting to MYR117,000.

Recommendation

Organisations are advised to take action to mitigate the potential threats that come with SMS-based services. To enhance security and protect against SMS-based attacks, NC4 strongly recommends the following:

  1. Transition to Phishing-Resistant Authentication Methods: Organisations should adopt more secure authentication mechanisms, such as hardware security tokens (for example FIDO2 security keys), authenticator apps, push notifications or biometric verification, which offer greater resistance to phishing attempts.
  2. Implement Alternative Verification Methods: Utilise services like MyDigital ID, which provide more secure and reliable authentication processes compared to traditional SMS-based methods.
  3. Educate Users: Conduct regular awareness programmes to inform users about the risks associated with SMS-based authentication and the importance of recognising phishing attempts.
  4. Monitor and Respond to Threats: Establish robust monitoring systems to detect and respond to suspicious activities promptly, thereby mitigating potential security breaches.
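
An inventory of enrolled factors is a practical starting point for recommendation 1. The following is an added example, not part of the NC4 advisory; the export format, column names and factor labels are assumptions and the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical columns): one row per enrolled factor.
SAMPLE_EXPORT = """user,factor
alice,sms
bob,sms
bob,totp
carol,fido2
dave,push
dave,SMS
erin,voice_call
frank,
"""

# Factor labels are assumptions; map them to whatever your identity provider emits.
SMS_FACTORS = {"sms"}
ADVISED_FACTORS = {"fido2", "totp", "push", "biometric"}  # alternatives named in the advisory


def audit_factors(export_text):
    """Group users by how far they are from having SMS removed."""
    enrolled = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip()
        factor = (row["factor"] or "").strip().lower()
        enrolled[user]  # register the user even when no factor is enrolled
        if factor:
            enrolled[user].add(factor)

    report = {"sms_only": [], "sms_fallback": [], "migrated": [], "review": []}
    for user, factors in sorted(enrolled.items()):
        has_sms = bool(factors & SMS_FACTORS)
        has_advised = bool(factors & ADVISED_FACTORS)
        unknown = factors - SMS_FACTORS - ADVISED_FACTORS
        if has_sms and not has_advised:
            report["sms_only"].append(user)      # enrol an alternative first
        elif has_sms:
            report["sms_fallback"].append(user)  # alternative exists; SMS can be removed
        elif has_advised and not unknown:
            report["migrated"].append(user)
        else:
            report["review"].append(user)        # no factor, or an unrecognised one
    return report


if __name__ == "__main__":
    for bucket, users in audit_factors(SAMPLE_EXPORT).items():
        print(f"{bucket:13} {', '.join(users) or '-'}")
```

Accounts in the `sms_fallback` group remain exposed to SMS interception until the SMS factor is removed, not merely supplemented.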
