Malicious SS7 activity and why SMS should never by used for 2FA

Michael Thomas mike at
Sun Apr 18 21:18:34 UTC 2021

I wonder how much of this is moot because the amount of actual SS7 is 
low and getting lower every day. Aren't most "SMS" messages these days 
just SIP MESSAGE transactions, or maybe they use XMPP? As I understand a 
lot of the cell carriers are using SIPoLTE directly to your phone.


On 4/18/21 8:24 AM, Mel Beckman wrote:
> Although NIST “softened” its stance on SMS for 2FA, it’s still a bad 
> choice for 2FA. There are many ways to attack SMS, not the least of 
> which is social engineering of the security-unconscious cellular 
> carriers. The bottom line is, why use an insecure form of 
> communication for 2FA at all? Since very good hardware-token-quality 
> OTP apps are freely available, why be so lazy as to implement 2FA 
> using radically insecure SMS?
> Your argument that 2FA is only meant to “enhance” the security of a 
> memorized password is just wrong. 2FA is meant as a /bulwark /against 
> passwords that very often are disclosed by data breaches, through no 
> fault of the password owner. 2FA enhances nothing. It guards against 
> the abject security failures of others.
> Consider this sage advice from 2020, long after NIST caved to industry 
> pressure on its recommendations.
> <>
>   -mel
>> On Apr 18, 2021, at 8:02 AM, William Herrin <bill at 
>> <mailto:bill at>> wrote:
>> On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel at 
>> <mailto:mel at>> wrote:
>>> SMS for 2FA is not fine. I recommend you study the issue in more 
>>> depth. It’s not just me who disagrees with you:
>>> <>
>> Mel,
>> That Schneier article is from 2016. The 3/2020 update to the NIST
>> recommendation (four years later and the currently active one) still
>> allows the use of SMS specifically and the PSTN in general as an out
>> of band authenticator in part of a two-factor authentication scheme.
>> The guidance includes a note explaining the social engineering threat
>> to SMS authenticators: "An out of band secret sent via SMS is received
>> by an attacker who has convinced the mobile operator to redirect the
>> victim’s mobile phone to the attacker."
>> <>
>> The bottom line is that an out-of-band authenticator like SMS is meant
>> to -enhance- the security of a memorized secret authenticator, not
>> replace it. If properly used, it does exactly that. If misused, it of
>> course weakens your security.
>> Regards,
>> Bill Herrin
>> -- 
>> William Herrin
>> bill at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list