Malicious SS7 activity and why SMS should never by used for 2FA

Mel Beckman mel at
Sun Apr 18 15:30:54 UTC 2021


You don’t even have to bother with social engineering, as Bruce Schneier points out in his blog from last month:

"It turns out that with a little bit of anonymous money — in this case, $16 off an anonymous prepaid credit card — and a few lies, you can forward the text messages from any phone to any other phone.”


On Apr 18, 2021, at 8:24 AM, Mel Beckman <mel at<mailto:mel at>> wrote:

Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS?

Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others.

Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations.


On Apr 18, 2021, at 8:02 AM, William Herrin <bill at<mailto:bill at>> wrote:

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel at<mailto:mel at>> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:


That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Bill Herrin

William Herrin
bill at<mailto:bill at>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list