Malicious SS7 activity and why SMS should never by used for 2FA

Julien Goodwin nanog at
Mon Apr 19 04:50:27 UTC 2021

On 19/4/21 2:36 pm, Mark Tinka wrote:
> On 4/19/21 05:05, Eric Kuhnke wrote:
>> In the pre covid19 era when people were actually traveling places,
>> imagine you've had reason to go somewhere weird and need access to a
>> thing (such as your online banking, perhaps?) protected by SMS 2FA,
>> but you have absolutely no way of receiving the SMS where you're
>> presently located...
>> Many of the people designing SMS 2FA systems used by people with
>> accounts/services in the US 50 states and Canada seem to assume that
>> their domestic customers will forever remain in a domestic location.
> This is a practical problem that I suffer with one of my South African
> providers, every time I traveled to the U.S. in the last 3 years. I
> could roam on all GSM networks in the U.S., and even make voice calls,
> but SMS's would not get delivered. Delivery of those only resumed the
> moment I transited in the Gulf on my way back home. This did not affect
> other countries I traveled to.
> But you are right, most network operators and SMS authentication
> designers do not necessarily work together to account for folk that travel.

This is already probably past the point of being on topic here, but you
tickled my personal favorite one of these.

My airline of choice (Qantas) has mandatory SMS second factor, after
perhaps a mobile carrier requiring it for support one of the most
facepalm-worthy uses of SMS 2FA I've seen.

More information about the NANOG mailing list