Malicious SS7 activity and why SMS should never by used for 2FA

Mark Tinka mark at
Tue Apr 20 04:37:55 UTC 2021

On 4/19/21 15:33, Mel Beckman wrote:

> Tom,
> Well, yes, not everyone can afford all technology options. That’s 
> life. One has to wonder how someone who needs to protect online 
> accounts cannot afford a $30 hardware token (which can be shared 
> across several accounts). These low-income people are not the targets 
> of identity thieves, spear fishers, or data ransomers. Unlike you, I 
> AM arguing against something: SMS as a 2FA token. In this case I don’t 
> think we have ignored low-income users, for the same reason that home 
> alarm security aren't ignoring low-income users who can’t afford their 
> products. It’s certainly no reason to hobble security for the rest of us.

Hmmh, I'm not quite sure that is accurate. Low-income folk will 
certainly have a mobile service, even though they might not have enough 
to buy a security alarm once the rent is paid.

Take finance, for example, in places like East Africa, they folk are 
lucky that they don't need a bank account to either put money away or 
transact for everyday needs. In other countries that don't have this 
(mobile money), low-income folk who earn a living will have a bank 
account, and even that one will come with some kind of online access.

The issue isn't so much the product. The issue is that mobile services 
are so basic and fundamental, everybody, regardless of their financial 
position, will have one. The stats say that as of 2020, of the number of 
users around the world using mobile phones, only 46% of them are "smart".


More information about the NANOG mailing list