Malicious SS7 activity and why SMS should never by used for 2FA
Mark Tinka
mark at tinka.africa
Mon Apr 19 04:36:03 UTC 2021
On 4/19/21 05:05, Eric Kuhnke wrote:
> One of my main problems with SMS 2FA from a usability standpoint,
> aside from SS7 hijacks and security problems, is that it cannot be
> relied upon when traveling in many international locations. I have
> been /so many places/ where there is just about zero chance of my
> T-Mobile SIM successfully roaming onto the local network and receiving
> SMS at my US or Canadian number successfully.
>
> What am I supposed to do, take the SIM out of my phone, put it in a
> burner and give it to a trusted family member in North America, just
> for the purpose of receiving SMS 2FA codes (which I then have to call
> them and get the code from manually each time), before going somewhere
> weird?
>
> In the pre covid19 era when people were actually traveling places,
> imagine you've had reason to go somewhere weird and need access to a
> thing (such as your online banking, perhaps?) protected by SMS 2FA,
> but you have absolutely no way of receiving the SMS where you're
> presently located...
>
> Many of the people designing SMS 2FA systems used by people with
> accounts/services in the US 50 states and Canada seem to assume that
> their domestic customers will forever remain in a domestic location.
This is a practical problem that I suffer with one of my South African
providers, every time I traveled to the U.S. in the last 3 years. I
could roam on all GSM networks in the U.S., and even make voice calls,
but SMS's would not get delivered. Delivery of those only resumed the
moment I transited in the Gulf on my way back home. This did not affect
other countries I traveled to.
But you are right, most network operators and SMS authentication
designers do not necessarily work together to account for folk that travel.
Mark.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210419/48d9ca09/attachment.html>
More information about the NANOG
mailing list