Malicious SS7 activity and why SMS should never be used for 2FA

William Herrin bill at
Sun Apr 18 13:28:41 UTC 2021

On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke at> wrote:
> Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication
factor is not secure enough; that's why you use two. SMS for 1FA is
hugely risky and should not be used for anything important, like
money. SMS for a password reset is an example of 1FA -- your ability
to receive SMS messages at the required phone number becomes the sole
authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your
phone number, what makes you think they lack the wherewithal to have
captured the shared secret used to generate your TOTP code?

Bill Herrin

William Herrin
bill at
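As an added illustration of the point above (example code, not from the post or the list), the following models every way into an account as a list of authentication factors and rates the account by its weakest path, which is how a reset flow gated only by SMS turns a two-factor login into a one-factor account. The factor names, the `FactorType` categories and the sample account are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    """Factor categories; two factors of the same category are still one type."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # phone receiving SMS, device holding a TOTP seed


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorType


# Constructed factors for the example
PASSWORD = Factor("password", FactorType.KNOWLEDGE)
SMS_CODE = Factor("SMS one-time code", FactorType.POSSESSION)
TOTP_CODE = Factor("TOTP code", FactorType.POSSESSION)


def factor_count(path):
    """Distinct factor *types* an access path demands (SMS + TOTP is still 1)."""
    return len({f.kind for f in path})


def effective_factor_count(paths):
    """An account is only as strong as its weakest path in: whoever is
    attacking it takes the path that asks for the least."""
    return min(factor_count(p) for p in paths.values())


def weakest_paths(paths):
    """Names of the paths that set the account's effective factor count."""
    floor = effective_factor_count(paths)
    return sorted(name for name, p in paths.items() if factor_count(p) == floor)


# Constructed account: login asks for password + SMS, but the password
# reset is satisfied by SMS alone, so reset is a 1FA path into the account.
ACCOUNT = {
    "login": [PASSWORD, SMS_CODE],
    "password reset": [SMS_CODE],
}

if __name__ == "__main__":
    print("login factors:", factor_count(ACCOUNT["login"]))
    print("effective account factors:", effective_factor_count(ACCOUNT))
    print("weakest paths:", weakest_paths(ACCOUNT))
```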

More information about the NANOG mailing list