Malicious SS7 activity and why SMS should never by used for 2FA

Mark Tinka mark at tinka.africa
Tue Apr 20 04:59:28 UTC 2021


On 4/20/21 01:46, bzs at theworld.com wrote:

> If they want to protect trillions of dollars in assets maybe they need
> to toss in a few billion to help, and stop hoping some bad press for
> the technical community will shame some geniuses into dreaming up
> better security for them mostly for free in terms of research and
> specs and acceptance but that's the hard part.
>
> You know what the net did successfully produce, over and over? Some of
> the wealthiest individuals and corporations etc in the history of
> civilization. Maybe the profit margins were a little too high and now
> we're paying the price, or someone is.
>

For the most part, services that (want to) rely on security are 
providing their own security solutions. But they are bespoke, and each 
one is designing and pushing out their own solution in their own silo. 
So users have to contend with a multitude of security ideas that each of 
the services they consume come up with. Standardization, here, would go 
a long way in fixing much of this, but what's the incentive for them to 
all work together, when "better security" is one of their selling points?

If, "magically", the Internet community came up with a solution that one 
felt is fairly standard, we've seen how well that would be adopted, a la 
DNSSEC, DANE and RPKI.

At the very least, the discussions need to be had; but not as separate 
streams. Internet folk. Mobile folk. Telco folk. Service folk.

Mark.


More information about the NANOG mailing list