nanog mailing list archives

Re: Malicious SS7 activity and why SMS should never be used for 2FA


From: Dan Hollis <goemon () sasami anime net>
Date: Sat, 17 Apr 2021 21:41:36 -0700 (PDT)

PayPal used to openly support token 2FA, but they have since made it nearly impossible to use hardware tokens. They try very hard to ram SMS down everyone's throats.

-Dan

On Sun, 18 Apr 2021, Mel Beckman wrote:

No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did 
nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory 
replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, 
etc.

-mel via cell

On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim () gmail com> wrote:

Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number 
is ported out. BofA and a few others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke () gmail com<mailto:eric.kuhnke () gmail com>> wrote:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/


Anecdotal: With the prior consent of the DID holders, I have successfully ported people's numbers using nothing more than a JPG 
scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 
'phone bill'.

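Tim Jackson's suggested control above (record the carrier at enrollment, compare it with the current carrier before every SMS OTP is sent, and drop SMS as a factor when the number has moved) as an added example; this is illustrative code and is not part of the thread or of any bank's implementation. The carrier lookup is a constructed in-memory stand-in for a real number-portability / HLR lookup service, and the phone numbers, carrier names and function names are invented for the example.

```python
"""Port-out check for an SMS second factor (added example, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Constructed stand-in for a number-portability / HLR lookup service.
# A real deployment would query a lookup provider; these entries are invented.
_CONSTRUCTED_CARRIER_DB: Dict[str, str] = {
    "+12025550143": "ExampleMobile",  # still on the carrier it was enrolled with
    "+12025550187": "VoIPCarrierX",   # moved to a VoIP carrier after enrollment
}

Lookup = Callable[[str], Optional[str]]


def lookup_carrier(e164_number: str) -> Optional[str]:
    """Return the carrier currently serving the number, or None if unknown."""
    return _CONSTRUCTED_CARRIER_DB.get(e164_number)


@dataclass
class SmsFactor:
    """What the relying party stores for an enrolled SMS factor."""
    number: str
    enrolled_carrier: str
    enrolled_at: datetime
    enabled: bool = True
    disabled_reason: Optional[str] = None


def enroll_sms(number: str, lookup: Lookup = lookup_carrier) -> SmsFactor:
    """Enroll a number as an SMS factor, pinning the carrier seen at enrollment."""
    carrier = lookup(number)
    if carrier is None:
        # No carrier fingerprint means no way to detect a later port: refuse.
        raise ValueError(f"carrier lookup failed for {number}; refusing to enroll")
    return SmsFactor(number=number, enrolled_carrier=carrier,
                     enrolled_at=datetime.now(timezone.utc))


def check_before_send(factor: SmsFactor, lookup: Lookup = lookup_carrier) -> bool:
    """Decide whether an OTP may be sent to this factor right now.

    Returns True only if the factor is enabled and the number is still served
    by the carrier recorded at enrollment. A carrier mismatch permanently
    disables the factor (the user must re-enroll through a stronger path).
    A lookup outage withholds the OTP for this attempt without disabling.
    """
    if not factor.enabled:
        return False
    current = lookup(factor.number)
    if current is None:
        # Lookup failure is not evidence of a port, but sending blind would
        # defeat the check; fail closed for this attempt only.
        return False
    if current != factor.enrolled_carrier:
        factor.enabled = False
        factor.disabled_reason = (
            f"carrier changed {factor.enrolled_carrier} -> {current}; "
            "number appears to have been ported after enrollment")
        return False
    return True


if __name__ == "__main__":
    ok = enroll_sms("+12025550143")
    print("unchanged number, OTP allowed:", check_before_send(ok))

    # Simulate a number that was on ExampleMobile at enrollment and has since
    # been ported to VoIPCarrierX (the constructed DB holds the post-port state).
    ported = enroll_sms("+12025550187", lookup=lambda n: "ExampleMobile")
    print("ported number, OTP allowed:", check_before_send(ported))
    print("factor state:", ported.enabled, ported.disabled_reason)
```

The check runs on every send, not just at login, because a port can happen at any time after enrollment. Disabling rather than silently re-pinning to the new carrier is deliberate: re-pinning would turn the control into a no-op for the attacker who just completed the port.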