Malicious SS7 activity and why SMS should never be used for 2FA

Mel Beckman mel at beckman.org
Sun Apr 18 14:32:45 UTC 2021


Bill,

SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

 -mel

On Apr 18, 2021, at 6:31 AM, William Herrin <bill at herrin.us> wrote:

On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke at gmail.com> wrote:
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication
factor is not secure enough; that's why you use two. SMS for 1FA is
hugely risky and should not be used for anything important, like
money. SMS for a password reset is an example of 1FA -- your ability
to receive SMS messages at the required phone number becomes the sole
authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your
phone number, what makes you think they lack the wherewithal to have
captured the shared secret used to generate your TOTP code?

Regards,
Bill Herrin

--
William Herrin
bill at herrin.us
https://bill.herrin.us/