nanog mailing list archives

Re: Malicious SS7 activity and why SMS should never by used for 2FA

From: William Herrin <bill () herrin us>
Date: Sun, 18 Apr 2021 06:28:41 -0700

On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke () gmail com> wrote:

Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more 
than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor 
on top of a generic looking 'phone bill'.


Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication
factor is not secure enough; that's why you use two. SMS for 1FA is
hugely risky and should not be used for anything important, like
money. SMS for a password reset is an example of 1FA -- your ability
to receive SMS messages at the required phone number becomes the sole
authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your
phone number, what makes you think they lack the wherewithal to have
captured the shared secret used to generate your TOTP code?

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/

Current thread:

Re: Malicious SS7 activity and why SMS should never by used for 2FA, (continued)
- - - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Julien Goodwin (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Eric Kuhnke (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Nathaniel Ferguson (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Randy Bush (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA bzs (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA bzs (Apr 20)
- Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
  - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Michael Thomas (Apr 18)