nanog mailing list archives

Re: Malicious SS7 activity and why SMS should never be used for 2FA


From: Mark Tinka <mark@tinka.africa>
Date: Mon, 19 Apr 2021 06:36:03 +0200



On 4/19/21 05:05, Eric Kuhnke wrote:

> One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been /so many places/ where there is just about zero chance of my T-Mobile SIM successfully roaming onto the local network and receiving SMS at my US or Canadian number successfully.
>
> What am I supposed to do, take the SIM out of my phone, put it in a burner and give it to a trusted family member in North America, just for the purpose of receiving SMS 2FA codes (which I then have to call them and get the code from manually each time), before going somewhere weird?
>
> In the pre-COVID-19 era when people were actually traveling places, imagine you've had reason to go somewhere weird and need access to a thing (such as your online banking, perhaps?) protected by SMS 2FA, but you have absolutely no way of receiving the SMS where you're presently located...
>
> Many of the people designing SMS 2FA systems used by people with accounts/services in the US 50 states and Canada seem to assume that their domestic customers will forever remain in a domestic location.

This is a practical problem I have suffered with one of my South African providers every time I have traveled to the U.S. in the last 3 years. I could roam on all GSM networks in the U.S., and even make voice calls, but SMSes would not get delivered. Delivery of those only resumed the moment I transited in the Gulf on my way back home. This did not affect other countries I traveled to.

But you are right, most network operators and SMS authentication designers do not necessarily work together to account for folks who travel.

Mark.
