Malicious SS7 activity and why SMS should never be used for 2FA

Tom Beecher beecher at beecher.cc
Mon Apr 19 14:33:37 UTC 2021


https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf

https://www.bjs.gov/content/pub/pdf/vit18.pdf




On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel at beckman.org> wrote:

> Can you cite data? Or provide a rational argument other than “they are”?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher at beecher.cc> wrote:
>
>
>
>> These low-income people are not the targets of identity thieves, spear
>> phishers, or data ransomers.
>>
>
> This is patently false. Low-income / disabled / minority / non-English
> speakers are absolutely targets of scams like those, and in
> significant numbers.
>
>
>
> On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel at beckman.org> wrote:
>
>> Tom,
>>
>> Well, yes, not everyone can afford all technology options. That’s life.
>> One has to wonder how someone who needs to protect online accounts cannot
>> afford a $30 hardware token (which can be shared across several accounts).
>> These low-income people are not the targets of identity thieves, spear
>> phishers, or data ransomers. Unlike you, I AM arguing against something: SMS
>> as a 2FA token. In this case I don’t think we have ignored low-income
>> users, for the same reason that home alarm security companies aren't ignoring
>> low-income users who can’t afford their products. It’s certainly no reason
>> to hobble security for the rest of us.
>>
>>  -mel
>>
>>
>> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher at beecher.cc> wrote:
>>
>> HW tokens are great, sure.
>>
>> Except there is a lot of overlap in the Venn diagram between those who
>> still use feature phones and those for whom spending $30 on said hardware
>> token is financially obtrusive. (Not to mention that every hardware token I
>> can remember looking at requires an app to set themselves up in the first
>> place, and if this is for the people who can't install apps, that's an
>> interesting circular dependency.)
>>
>> I'm not arguing for or against anything here honestly. I'm just pointing
>> out that we (as in the technical community we) have a tendency to put
>> forward solutions that completely ignore what might be reasonably feasible
>> for those of lower income, or parts of the world not as technologically
>> developed as we might be in ourselves, and we should try to shrink that gap
>> whenever possible, not make it worse.
>>
>> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel at beckman.org> wrote:
>>
>>> Then they can buy a hardware token. Using SMS is provably insecure, and
>>> for people being spear-phished (a much more common occurrence now that so
>>> much net worth data has been breached), a huge risk.
>>>
>>>  -mel
>>>
>>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher at beecher.cc> wrote:
>>>
>>>
>>>
>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>> any Internet or cellular connection
>>>>
>>>
>>> Lots of people still use feature phones that are not capable of running
>>> applications such as this.
>>>
>>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel at beckman.org> wrote:
>>>
>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>> any Internet or cellular connection. The authenticated system generates a
>>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>>> scanned by GA or can be entered manually and as a result, both the
>>>> authenticated system and GA know the same secret key, and can compute the
>>>> time-based 2nd factor OTP just as hardware tokens do.
>>>>
>>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>>> be wrong. But you can get accurate enough clock time without the Internet,
>>>> either manually using some radio source such as WWV, or by GPS or cellular
>>>> system synchronization.
>>>>
>>>>  -mel
>>>>
>>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark at tinka.africa> wrote:
>>>> >
>>>> >
>>>> >
>>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>>> >>
>>>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>>>> >> The telcos had years to secure SMS. They did nothing. The plethora of
>>>> >> well-secured commercial 2FA authentication tokens, many of them free,
>>>> >> should be a mandatory replacement for 2FA in every security governance
>>>> >> regime, such as PCI, financial account access, government web portals, etc.
>>>> >
>>>> > While I agree that SMS is insecure at the moment, I think there still
>>>> > needs to be a mechanism that does not rely on the presence of an Internet
>>>> > connection. One may not be able to have access to the Internet for a number
>>>> > of reasons (traveling, coverage, outage, device, money, etc.), and a
>>>> > fallback needs to be available to authenticate.
>>>> >
>>>> > I know some companies have been pushing for voice authentication for
>>>> > their services through a phone call, in lieu of SMS or DTMF-based PINs.
>>>> >
>>>> > We need something that works at the lowest common denominator as
>>>> > well, because as available as the Internet is worldwide, it's not yet at a
>>>> > level that one would consider "basic access".
>>>> >
>>>> > Mark.
>>>>
>>>
>>