Malicious SS7 activity and why SMS should never by used for 2FA

Mel Beckman mel at
Sun Apr 18 03:18:34 UTC 2021

No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.

-mel via cell

On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim at> wrote:

Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this.


On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke at<mailto:eric.kuhnke at>> wrote:

Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list