Malicious SS7 activity and why SMS should never by used for 2FA

Eric Kuhnke eric.kuhnke at
Mon Apr 19 03:05:17 UTC 2021

One of my main problems with SMS 2FA from a usability standpoint, aside
from SS7 hijacks and security problems, is that it cannot be relied upon
when traveling in many international locations. I have been *so many places*
where there is just about zero chance of my T-Mobile SIM successfully
roaming onto the local network and receiving SMS at my US or Canadian
number successfully.

What am I supposed to do, take the SIM out of my phone, put it in a burner
and give it to a trusted family member in North America, just for the
purpose of receiving SMS 2FA codes (which I then have to call them and get
the code from manually each time), before going somewhere weird?

In the pre covid19 era when people were actually traveling places, imagine
you've had reason to go somewhere weird and need access to a thing (such as
your online banking, perhaps?) protected by SMS 2FA, but you have
absolutely no way of receiving the SMS where you're presently located...

Many of the people designing SMS 2FA systems used by people with
accounts/services in the US 50 states and Canada seem to assume that their
domestic customers will forever remain in a domestic location.

On Sun, Apr 18, 2021 at 5:44 AM Mark Tinka <mark at> wrote:

> On 4/18/21 05:18, Mel Beckman wrote:
> > No, every SMS 2FA should be prohibited by regulatory certifications.
> > The telcos had years to secure SMS. They did nothing. The plethora of
> > well-secured commercial 2FA authentication tokens, many of them free,
> > should be a mandatory replacement for 2FA in every security governance
> > regime, such as PCI, financial account access, government web portals,
> > etc.
> While I agree that SMS is insecure at the moment, I think there still
> needs to be a mechanism that does not rely on the presence of an
> Internet connection. One may not be able to have access to the Internet
> for a number of reasons (traveling, coverage, outage, device, money,
> e.t.c.), and a fallback needs to be available to authenticate.
> I know some companies have been pushing for voice authentication for
> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
> We need something that works at the lowest common denominator as well,
> because as available as the Internet is worldwide, it's not yet at a
> level that one would consider "basic access".
> Mark.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list