nanog mailing list archives

Re: Malicious SS7 activity and why SMS should never be used for 2FA


From: John Adams <jna () retina net>
Date: Sun, 18 Apr 2021 14:05:41 -0700

I’m sorry - I think we miscommunicated here.

I was not advocating for TOTP or HOTP for SMS -  in fact I’m completely against SMS being used for multi factor auth at 
all. 

-j

Sent from my iPhone

On Apr 18, 2021, at 12:48, William Herrin <bill () herrin us> wrote:


On Sun, Apr 18, 2021 at 12:03 PM John Adams <jna () retina net> wrote:
On top of this, most TOTP and HOTP systems have additional security checks like blocking reuse of codes, 
rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far, that 
make them much stronger options; the latter decreases security but is certainly more of a convenience factor. 

Hi John,

On a site, the symmetric key used to generate the TOTP code is stored in the same database as the user's password. 
Unencrypted or with readily reversible encryption since unlike a password it can't be verified by comparing 
ciphertext. Your protection is that every site uses a different TOTP key, just like you're supposed to use a 
different password, so compromise of a single site doesn't broadly compromise you elsewhere. It can also be captured 
with malware on your phone, the same place an adversary will sniff your password, which -will- broadly compromise you 
if you're also entering the passwords on your phone.

None of these authentication schemes are magic. They all have attack vectors with varying degrees of difficulty, none 
of which are particularly harder than breaking a well chosen password. 2FA doesn't solve this. All it does is require 
an adversary to break -two- completely different authentication schemes in close enough proximity that you won't have 
closed the first breach before they gain the second. That's it. That's all it does. 

While attacks on SMS are certainly practical, stop and think for a moment on how you would scale them up and break 
10000 accounts per day. Got a plan where you're not caught in the first two days? No, you don't.

SMS is not a strong authentication factor. When used well, it's not intended to be. It's meant to require an 
adversary to do enough extra work after having already captured your password that unless they're specifically 
targeting you, the odds favor discovering and correcting the original breach before much harm can be done. For that 
use and that use only, it performs about as well as TOTP. 

If you can reset your email password with an SMS message and reset your bank password with an email then SMS has been 
misused as a very weak single factor authentication process. Not because SMS offers weak authentication (that's all 
it's meant to offer) but because it was used incorrectly in a process that needed strong authentication.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
