Malicious SS7 activity and why SMS should never by used for 2FA

bzs at theworld.com bzs at theworld.com
Tue Apr 20 19:17:04 UTC 2021


Something which binds them together are their insurance underwriters
who generally want to set minimum requirements without having to
review home-brewed security schemes. They want buzzwords and acronyms
to put onto checklists.

Others would be courts (e.g., when lawsuits arise) and government and
other contractors who, similarly, don't want to have to evaluate
beyond checklists of accepted industry practices.

And a major value of standardized practices is precisely so they don't
become competitive advantages particularly by their omission.

It's one reason, for example, car manufacturers are ok with something
like requiring seat belts or air bags, or in many industries
environmental regs, precisely so a competitor can't lower their costs
(and likely prices) by omitting them. Everyone has to have them and up
to some standard, compete on something else.

Perhaps if we began referring to a lot of this as "safety" rather than
"security" that would sink in.

On April 20, 2021 at 06:59 mark at tinka.africa (Mark Tinka) wrote:
 > 
 > 
 > On 4/20/21 01:46, bzs at theworld.com wrote:
 > 
 > > If they want to protect trillions of dollars in assets maybe they need
 > > to toss in a few billion to help, and stop hoping some bad press for
 > > the technical community will shame some geniuses into dreaming up
 > > better security for them mostly for free in terms of research and
 > > specs and acceptance but that's the hard part.
 > >
 > > You know what the net did successfully produce, over and over? Some of
 > > the wealthiest individuals and corporations etc in the history of
 > > civilization. Maybe the profit margins were a little too high and now
 > > we're paying the price, or someone is.
 > >
 > 
 > For the most part, services that (want to) rely on security are 
 > providing their own security solutions. But they are bespoke, and each 
 > one is designing and pushing out their own solution in their own silo. 
 > So users have to contend with a multitude of security ideas that each of 
 > the services they consume come up with. Standardization, here, would go 
 > a long way in fixing much of this, but what's the incentive for them to 
 > all work together, when "better security" is one of their selling points?
 > 
 > If, "magically", the Internet community came up with a solution that one 
 > felt is fairly standard, we've seen how well that would be adopted, a la 
 > DNSSEC, DANE and RPKI.
 > 
 > At the very least, the discussions need to be had; but not as separate 
 > streams. Internet folk. Mobile folk. Telco folk. Service folk.
 > 
 > Mark.

-- 
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


More information about the NANOG mailing list