Short Codes (aka Messages & Two Factor Authentication from Random Five to Six Digit Numbers)

There are some cool new security features in the latest versions of iOS and Android to help you keep your accounts secure. Android’s updated Messages app and iMessage in iOS 12 both bring simplified one-time passcodes and two factor authentication (2FA) management.

iMessage – iOS 12

iMessage Security code AutoFill
Security code AutoFill. SMS one-time passcodes will appear automatically as AutoFill suggestions, so you never have to worry about memorizing them or typing them again.

 

Android Messages

Copy one-time passwords with one tap
Copy one-time passwords with one tap
Now, when you receive a message with a one-time password or code from a secure site—such as your bank—you can save time by copying that password directly from the message with a tap.

 

With both Apple and Google updating their messaging apps to ease use of text message (SMS) based two factor authentication, I’ve been thinking about why copying a verification code is the feature we need to bring more people to use 2FA. While cutting down steps required to use 2FA will make for a more streamlined experience, there seems to be an opportunity elsewhere to improve general usability of SMS based 2FA.

Understand there has been plenty of discussion regarding the security risks of these features, but putting aside discussion of the entire 2FA ecosystem and the shortcomings of SMS based 2FA, let’s look at a quirk of how people experience 2FA on their phones.

An example

Android Messages two factor authentication shortcut

Take the Capitol One notification from this article discussing the “copy 2FA code” feature in Android Messages. The message from number 227898 says “From Capitol One” and provides a code: 939966. There are two things we need to figure out here. One, that this is in fact the message from Capitol One, and two, this message contains the 2FA one-time passcode we need to complete the log on process.

First off, while the message says it’s from Capitol One, we know from our phishing lessons that we shouldn’t use the content of a message to influence our trust decision making process. The timing of getting this message in relation to attempting to log in to a bank account would make it seem like the message is legitimately from Capitol One, but how can we be sure? What is that 227898 number? Can we look it up like a phone number to verify it is registered to Capitol One?

The second bit of confusion is recognizing the 2FA verification code is 939966 not the big bold 227898 number at the top of the message. Usually the distinction between sender and message is clear with a regular 10 digit phone number or a message from someone in your contact list, but when you are sent a six digit code from a six digit number you need to do more mental processing choose the right number. Google has partially resolved the issue by giving an explicit action to copy the 2FA code, but it feels a little strange not being able to see the actual code in the message.

An aside

Slightly off topic, but while researching YubiKeys (after listening to Scott Hanselman’s podcast with Sarah Squire), I came across Two Factor Auth which maintains a list of sites that support, well, two factor auth. Exploring the various service, I noticed very few banks support usb hardware tokens. Wells Fargo seemed the only big bank with support. Clicking though the WF link from the Two Factor Auth chart, I ended up on the Advanced Access page trying figure out how WF does U2F. It turns out they use RSA SecurID (not usb U2F) which was uninteresting, but the footnote caught my attention:

We always send our text messages from 93557. Incoming calls with an Advanced Access code will come from 1-800-956-4442. We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

via Wells Fargo Advanced Access

Is this really the case? Every Wells Fargo communication and two factor authentication message comes from 93557? What’s the significance of 93557? And does every company always use the same number?

If so, this is a fantastic piece of advice buried in a random support page

We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

Why doesn’t every company and service mention this?

An investigation

To figure that out, I first needed to learn what that 5 digit non-phone number is really called. Naturally, I went online and searched “what is the number for two factor sms?”

This article from The Verge was at the top: Facebook admits SMS notifications sent using two-factor number was caused by bug

Not what I was looking for, but at least a clue.

Facebook uses the automated number 362-65, or “FBOOK,” as its two-factor authentication number

So these numbers have some T9 significance (remember landlines and flip phones?).

I figured that if facebook’s number is known, maybe there are some resources that include more of these numbers, so I quickly searched 362-65 and got 297. 😑

After getting rid of the minus sign, there was this Facebook Support link with people confused after receiving a random text seemingly from Facebook with a link to “fb.com”, a non-“facebook.com” website (here’s another example).

They are right to be concerned.

A little more searching, and boom: short codes

Short Codes

Is this a name people knew about? It’s the first time I came across the phrase “short code” even though I have been using the things for some time now.

It turns out there is an official US Short Code registrar run by CTIA and icontectiv:

Short Code Registry

Short Codes offer marketers unique opportunities to engage their audiences via text messaging. Short Codes are five- or six-digit codes that may be personalized to spell out a company, organization or a related word. Many organizations may choose to use Short Codes to send premium messages, which may charge subscribers additional fees for informative or promotional services such as coupons or news updates.

The Short Code Registry maintains a single database of available, reserved and registered short codes. CTIA administers the Common Short Code program, and iconectiv became the official U.S. Short Code Registry service provider in January, 2016.

For more information, please see the Short Code Registry’s Best Practices and the Short Code Monitoring Handbook.

The iconectiv site routes to https://usshortcodes.com/ where you can learn all about registering, case studies, and best practices. But I still want to know how to verify the sender of that 2FA message.

This is where US Short Code Directory comes in.

The U.S. Short Code Directory and the team at Tatango has assumed responsibility for the indexing of these unique phone numbers, creating the industry’s only public address book.

via https://usshortcodedirectory.com/about/

What do you know, the first code in the directory: Facebook, 32665. But wait, that’s not what’s listed in the Verge article… That’s 32665 vs 36265. Not sure what the deal is there, but may be a typo by The Verge (3-F, 2-B, 6-O, 6-O, 5-K in T9).

Just for a sanity check, does the Wells Fargo short code match their Advanced Access list? Yep! And so does the Capitol One code.

Cool! We figured out a way to verify the sender of SMS based 2FA! Remember though, this does not only apply to 2FA, but also other SMS based communication from the company.

Short Codes in the Wild

Check out this recent Wells Fargo ad on YouTube.

Wells Fargo account alert text message from YouTube ad

At the 17 second mark the narrator mentions “alerting you to certain card activity we find suspicious“. How do they do this? By SMS of course. And what number is the alert from? 93733!? NOOOOO! That’s not 93557.  WF was so close. Missed an opportunity to tie everything back to that random support page. The ad has a caveat “Screen images simulated”, so ¯\_(ツ)_/¯. For what it’s worth the phone number to call is in fact for WF Customer Service.

Questions, Concerns & Opportunities

This feels like the tip of the short code iceberg and I still have a lot of questions. How long do short codes last? Do companies change numbers? Can short code be reused? Can I trust that the next time I receive a message from a short code number that it is from the same company as last time? Can messaging apps label the code like caller id?

I don’t have all the answers, but there are definitely more things to be done to help fight the next generation of phishing. As more companies continue to recommend 2FA and send updates over SMS, we need tools in place to ensure we can trust the messages we receive.

Wells Fargo’s advice to add their numbers to your address book is good, as long as the short code (and normal telephone) numbers do not change over time. While it may be uncommon, it is possible for companies switch numbers, and (possibly more common) previously used numbers can become available for a different company to re-register. In the former, people will see an unknown number seemingly masquerading as a service they do use, which should be a cause for suspicion (although benign). For the latter, people will assume trust in the content from number they recognize (creating a phishing opportunity). While instances of these issues may be unsubstantiated (there’s very little info on how short code numbers change hands and “Best Practices” are all about marketing), this is a reason to have service driven trust management keeping track of ownership and identity.

There is an opportunity for services like US Short Code Directory and tatango to provide access to their index of short codes, so companies like Apple and Google can continue to improve their messaging services. If the Short Code Directory had a public API to query and verify short codes, messaging apps could implement a new style of caller id (essentially a DNS for SMS, but not this) to let you know the message from 227898 that says its “From Capitol One”, is legitimately from Capitol One.

At the end of the day, it should be easier to stay safe online, even if improving short codes are just an obscure part of the solution. Now to see if I can get Wells Fargo and The Verge to fix their typos.

Popular Company Short Codes

Disclaimer, I have not received messages from all of these numbers, so I cannot verify their legitimacy nor comprehensiveness. Given the issues noted above, these numbers may change or companies may start using additional numbers for SMS communication (Google already has at least 5. They may consolidate or add another).

Facebook: 32665 and 3266

Twitter: 40404

Google: 22000, 23333 and others

Apple: 272273 and others

Microsoft: 365365, 51789 and others

Amazon: 262966, 58988 and others

Capital One: 227898 and others

Chase: 28107,  24273 and others

Wells Fargo: 93557 and others

Bank of America: 73981 and others

American Express: 25684 and others

Intuit: 75341 and others

Discover: 347268 and others

PayPal: 729725777539

Venmo: 86753

AT&T: 88170, 883773 and others

Verizon: 27589 and others

T-Mobile: 37981

FedEx: 37473 and others

USPS: 28777 and others

Walmart: 40303 and others

Twilio: 22395 and others

Uber: 82722289203

Additional Reading

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s