What the M&S breach has taught us
In a recent high-profile attack, bad actors intercepted the SMS OTPs used to protect M&S's systems. This allowed them to compromise admin accounts that appeared secure on the surface. The attackers didn't break the software; they simply bypassed it by targeting a weak link: SMS delivery.
This kind of exploit is becoming more common, and it’s exactly why regulatory bodies and security leaders (like NCSC) now advise against SMS as a primary authentication method.
The details
The M&S cyberattack was attributed to the hacking group Scattered Spider, known for advanced social engineering techniques. The attackers reportedly deceived IT help desk personnel into resetting passwords by impersonating legitimate employees. This manipulation often involved SIM swapping, a method where attackers convince mobile carriers to transfer a victim’s phone number to a new SIM card, thereby intercepting SMS messages intended for the victim without them knowing.
It's relatively easy to execute with a little research and social engineering. The attacker collects PII on the target, often from other publicised breach data or OSINT, then calls the mobile carrier's support team impersonating the victim and claiming the phone is lost or the SIM is not working. The carrier then transfers the number to a new SIM, and from that point the MFA SMS tokens are delivered to the attacker.
There are also several other ways to intercept SMS messages silently as they travel in plaintext: malware on the device (SMS stealers), rogue portable cell base stations used for a man-in-the-middle attack, and even vulnerabilities in the protocol used to route SMS messages between network carriers. Exploitation of that routing protocol led to online accounts being drained at Metro Bank in the UK back in 2019.
The hidden cost of SMS OTPs
Alongside security concerns, SMS OTP delivery costs have soared. Global SMS rates, carrier filtering, and deliverability issues make it expensive and unreliable to depend on. SMS OTPs in the TrustLayer MFA product, for example, are subject to a fair usage policy.
If you're using our MFA product and still relying on SMS OTPs (via Entrust), you may be depending on a method that's both riskier and less efficient.
The better path: app-based and push authentication
We recommend customers adopt:
- Smart Push via Entrust ST authenticator app
- Soft Token Push e.g. via Google Authenticator
- Hard/Soft Token Challenge
- Email-based OTPs as a low-friction backup
Not only are these more secure, they’re also far more cost-effective in the long run.
Next steps
- Review how your users authenticate today.
- Consider migrating from SMS to app-based or push MFA.
- Reach out to your TrustLayer account team to plan your migration or discuss options.
Let's work together to build a more secure and cost-efficient authentication experience.