
SMS is not 2FA-secure - sergeant3
https://www.issms2fasecure.com/
======
tptacek
This is great; it's a Princeton research project from Arvind Narayanan's
(@random_walker) group, in which their team made 10 attempts to SIM-swap each
of 5 different carriers, including T-Mobile, AT&T, and Verizon (all three of
which were, weirdly, less secure in some ways than the 2 MVNOs they tested).

Most notably: AT&T and Verizon both use call logs to authenticate SIM swaps
from people who don't know the account PIN; requestors are asked to list
recently made outbound calls, or in some cases _inbound_ calls. A targeted
attacker can trick a customer into making a known call (or, obviously, can
simply call the customer to make inbound call records), and then authenticate
with them.

AT&T uses billing statement data as a factor. But the research team was able
to "spoof" billing statement data by purchasing prepaid refill cards and
applying them to a target's account.

The report also identified a bunch of online services for which SMS was used
not just as a second factor but, through account recovery, as a sole factor,
meaning you're substantially worse off with SMS authentication than you are
without it at those services. The reality is probably worse than the report
highlights, since a lot of account recovery processes are informal and ad-hoc,
and can be socially engineered into relying on SMS.

~~~
cortesoft
So how SHOULD this problem be solved? How should account recovery work?

~~~
adrr
Walk into a store and provide a government ID and the original SIM card. If
the customer doesn't have the SIM/phone, send a recovery code to the billing
address on file in lieu of the SIM card.

~~~
chewz
> Walk into a store and provide a government ID and the original SIM card.

This is how it has worked in Poland since September 2019, after some recent
SIM-swap attacks. You can swap a SIM or get a replacement if it is stolen only
at a store, showing government ID. It is free of charge with Orange and not
always free with T-Mobile.

But this has some downsides in real life.

1) I had to walk my 88-year-old Mom to the store to swap her SIM card.

2) Every clerk at every shop can do that so for a determined criminal it is
possible to bribe or threaten one.

3) Virtual operators (MVNOs) usually do not have physical locations and there
are a dozen of them.

~~~
Nextgrid
The problem is that the ID is still checked by the clerk. They could be bribed
or tricked by a fake ID.

A recovery code snail-mailed/e-mailed to the account holder when they first
open the account is the correct way to go, and if they can't provide it they
need to go through a lengthy process where many factors are used to
authenticate them (verify their physical address, verify their ID, ask to
confirm last call records, billing details, etc).

~~~
tinus_hn
You can require the clerk to note the document ID to avoid bribery.

~~~
pas
How would this work exactly?

~~~
tinus_hn
The clerk has to use some kind of online system to connect the new SIM to the
customer's phone number. The system would obviously require the clerk to
authenticate himself and could require him to enter the passport number or
other document ID he checked to verify the customer's identity.

If later it turns out this was a sim swapping attack you can verify if the
clerk entered a valid document ID. He can’t do that without having been
presented a proper document, so you can tell if he checked.

~~~
ahaseeb
It's just convenience over security. Lots of things can be done, but then
there's the extra burden that companies have to go through. Think about the
fact that people don't use app-based authentication because it's inconvenient,
even though it matters to them. How can you expect carriers to do it?

~~~
tinus_hn
That’s easy, just make the carrier financially liable for the damages caused
by sim swapping attacks.

------
rckoepke
My understanding is that you don't even need to do a SIM swap, because the SS7
signaling system is insecure. SIM Swap is likely the easiest way as wage-slave
employees are quite pliable to bribes[0]. But if you want to be even more
anonymous, you can apparently re-route texts remotely [1].

0: [https://www.nbcbayarea.com/news/local/mans-1m-life-savings-stolen-in-cell-phone-scam/192416/](https://www.nbcbayarea.com/news/local/mans-1m-life-savings-stolen-in-cell-phone-scam/192416/)

1: [https://www.kaspersky.com/blog/ss7-hacked/25529/](https://www.kaspersky.com/blog/ss7-hacked/25529/)

I thought both these vectors were already common knowledge to HN readers.

~~~
Uptrenda
Yep, the security problems with the mobile system are ghastly.

- Stingrays...

- Operator app pushes to SIM cards...

- Secret GSM processors and software internals

- Voice / text / data "ciphering"

- Protocol-level "emergency" tracking features

- Silent SMS (sounds like it's from a bad cop show, but it's actually a real
thing, it turns out.) "They do not show up on a display, nor trigger any
acoustical signal when received. Their primary purpose was to deliver special
services of the network operator to any cell phone." -- sounds like it has a
completely legit use...

The list goes on. It's enough to make anyone want to get the tin foil out. But
at least in this case there's a simple and clear recommendation: --not to use
2-factor auth by SIM--.

~~~
fyfy18
> sounds like it has a completely legit use...

The original purpose of silent SMS was to send voicemail or missed call
notifications to handsets, which would trigger an icon to be displayed on the
device. Sending a regular SMS would be annoying as the user would have to
delete it - after you've listened to your voicemail, another silent SMS can be
sent to turn off the notification. Also, originally SMS was stored in the SIM
itself, which had limited memory, so it would not be very convenient if you
didn't receive a voicemail message because your SIM was full. Remember this is
a 28-year-old feature of GSM.

The tracking argument seems somewhat moot. Maybe when this first came to light
10 years ago it wasn't the case, but nowadays I would be very surprised if
operators do not keep detailed logs of all the IMEIs (unique identifier for a
given device) and IMSIs (same, but for the SIM) that connect to their towers.

------
Andrew_nenakhov
Not in Russia. Numerous examples exist where a victim's number was linked to
an attacker's SIM card to obtain a 2FA code, then linked back to the victim's
SIM so he does not notice anything.

This happened both by government-linked parties, where they are able to coerce
providers to do it, mostly targeting prominent political opposition members.
It also happened without government involvement, done by the provider's
personnel with sufficient access and some entrepreneurial attitude.

The rule of thumb to protect against it:

- do not use SMS 2FA

- if you do, use a foreign SIP number with SMS capabilities

- if you HAVE to use a local SIM, use a SIM that belongs to someone else and
no one knows you use it

~~~
laurentdc
> if you do, use a foreign SIP number with SMS capabilities

Any good providers? I've tried Twilio SMS forwarding, but different services
(e.g. Steam) reject it for 2FA since they're pretty much considered throwaway
numbers, I suppose there's some sort of blacklist

~~~
Nextgrid
For UK numbers lookup Andrews & Arnold. They have mobile numbers from a
national carrier's numbers block so no way for them to be flagged as VoIP.
They work fine with both calls & SMS.

------
alkonaut
I _want_ my things protected by a human with a process to unlock/reset/..
given some kind of proof of identity.

Because with 99.99% certainty the person that needs to unlock the account is
me, and not an attacker.

Even with a dozen backup yubikeys and spare codes written down I’d _still_ be
much more likely to lock _myself_ out than be attacked.

If it’s one thing I have learned the hard way it’s that the most dangerous
person in the equation is myself. I won’t trust myself with any kind of
security.

~~~
ummonk
My ideal solution for an ultimate reset/unlock solution would be to show up
and have my DNA sampled. Impossible for me to lose the reset key there, and
with appropriate DNA extraction procedures, it is nearly impossible to spoof.

~~~
fiddlerwoaroof
The issue with using permanent characteristics for auth is that you lose the
ability to revoke one credential in favor of another.

~~~
potatoz2
That's not a problem if you have to physically show up though, since no one
can spoof that.

~~~
irjustin
As another person said, you're literally leaving it everywhere you go.

If you need a blood sample, then would donating blood be considered
compromising security?

Identity is what your DNA is. Password is a secret. Your DNA is not a secret.

~~~
GrinningFool
I think requiring you to be physically present and having a human take the
sample in a prescribed manner serves as an effective 'password' - unless it's
a live sample, the DNA is useless.

~~~
irjustin
I think there's a misunderstanding of what is possible with DNA[0]. We take
DNA from dead stuff all the time.

I will agree that "you have to be physically present" is a good enough
password. This is Yubikey, which works fantastic. The problem with DNA is when
it is compromised - you can't throw it away/change it without exorbitant
effort (bone marrow transplant? and then you're simply taking on someone
else's identity? is that identity theft?).

[0] [https://www.quora.com/Do-we-require-live-cells-when-extracting-DNA](https://www.quora.com/Do-we-require-live-cells-when-extracting-DNA)

~~~
ummonk
I think people are misunderstanding what is being suggested here. The idea is
that, for example, to unlock your bank account, you have to go to the bank
where trusted bank employees will extract your DNA and have it sequenced,
resulting in you being given access again. Others cannot spoof being you in
this scenario because they cannot implant your DNA in themselves.

~~~
irjustin
Ah you're right. I've re-read it and it is physically present someone
verifying you using your DNA.

Which I agree works great, but it's quite narrow in the use cases at that
point.

------
NKosmatos
Worth noting that this is just for US and for prepaid SIMs, from their paper
“We examined the types of authentication mechanisms in place for such requests
at 5 U.S. prepaid carriers—–AT&T, T-Mobile, Tracfone, US Mobile, and Verizon
Wireless”.

It doesn’t mean that for the rest of the world SMS 2FA is completely secure,
it’s just a lot more difficult (or impractical/impossible) to do a SIM swap so
easily. As mentioned in another comment below, SS7 vulnerabilities are another
attack vector, globally available and without requiring a SIM swap.

~~~
0xffff2
These 5 carriers were studied, but where's the evidence that any other carrier
is any better (or that you're any better off as a post paid customer of AT&T,
T-Mobile or Verizon)?

~~~
dbtx
MetroPCS (prepaid MVNO now something like a subsidiary of TMo) required the
8-digit PIN on the account in order to change IMEIs. A bot would take down all
the info, then if/when it was to a phone you'd never used on their network
before, you got put on hold to wait to talk to a human and provide your PIN
and new IMEI all over again. Then you'd hang up, power off, and move your SIM.
But that was ~18 months ago, before it became "Metro by T-Mobile", so I don't
know.

------
kick
I thought this was going to be one of the otherwise-plaintext black and white
web pages with <h1>NO.</> centered in the middle, but interestingly it's
actual research, and a nice read (even if nothing new) at that.

~~~
33Backpack33
If it's nothing new, then why do people keep saying it's better to have SMS 2FA
than to not have it? The research says "websites should eliminate SMS based
MFA altogether".

------
theonething
The answer is no, but is it more secure than no 2FA?

Of course there are much better 2FA options, but for the general public, they
are probably too complicated to use.

Everyone understands SMS.

~~~
Kalium
Have you seen the prompt system, as used by Google, Microsoft, Okta, et al.?

In my strictly personal opinion, responding to a notification that asks if a
login attempt is you is clear enough that people need minimal training to make
use of it. This might just be me, though.

In my career, I've definitely seen people actively choose SMS over other
factors on offer. It was easier for them, and in many cases shouldn't have
been offered. Your point about SMS being better than nothing is wise and true
and insightful, but it's perhaps not always the question as faced in practice.

~~~
sfifs
They (and similar corporate 2FA solutions like PingID and similar systems used
by banks) basically assume uninterrupted access to the internet which is
generally a poor assumption. It often breaks down when you're traveling either
due to network or roaming issues just when you desperately need access.

In all these situations, I've found companies which offer a back up SMS option
very valuable since it usually gets delivered.

~~~
DaiPlusPlus
HOTP-based 2FA systems (like Google Authenticator) do not require internet
connections.

~~~
lol768
Don't most folks use TOTP-based schemes with Google Authenticator?

Unless you're using HOTP to mean HOTP and all extending schemes.

------
hocuspocus
In Switzerland, we have Mobile ID:
[https://www.mobileid.ch/en](https://www.mobileid.ch/en)

It uses the SIM to implement a challenge-response mechanism where a PIN is
prompted by your phone. While not perfect, it's vastly better than using SMS,
without being less convenient.

I don't know if other places leverage the fact that SIMs are smart cards which
are perfectly able to perform this kind of stuff given the proper
infrastructure.

~~~
chirau
How does this work?

~~~
Nextgrid
Presumably there's an applet in the SIM card that holds a key pair and allows
you to sign stuff by providing the SIM PIN. You interact with it via STK which
is an old standard allowing SIMs to tell the phone to draw rudimentary UIs and
ask the user for input.

------
MrStonedOne
Protip: security is not black and white

The word "secure" is not binary.

sms as a 2fa is secure.

Just not as secure as an Authy TOTP account

...which is not as secure as an unclonable TOTP system

...which is not as secure as a hardware token based otp system

...which is not as secure as a hardware token that also requires you enter a
pin and a fingerprint to activate it and only communicates using hard coded
encrypted messages with the legit service that issued it.

~~~
offmycloud
To defeat the Authy account recovery process, you need to perform an active
SMS attack (SIM swap, etc) and then prevent the target from seeing the
recovery warning emails for 24 hours. Therefore, Authy customers should only
tell trusted people that they are going on a weekend off-the-grid camping
trip.

------
RcouF1uZ4gsC
The big benefit of SMS for the website is that it outsources the problem of
lost 2FA tokens. What happens if the user loses a yubikey. Or changes phones
and did not back up their TOTP. With SMS authentication, even if the user
loses a phone, they can go down to the local cell phone store and get a new
phone on their number and be back in business without the website having to
get involved.

~~~
0xff00ffee
> What happens if the user loses a yubikey.

Always buy two. ;-)

Joking aside, I've moved almost every 2FA to hard token, soft-token, or google
voice. But the root of trust is still LastPass & Google. I don't see an easy
way out of dependency other than power of attorney. Even worse: I worry what
happens to my protected assets as I age and possibly face memory loss.

~~~
1996
Bad idea: google will disable your google voice after some time of not logging
in.

I got bitten in a bad way!

Hopefully twilio will start creating "recognized" numbers someday, as my
twilio number is unusable for TOTP. There seems to be a blacklist of all
twilio voip numbers.

~~~
0xff00ffee
Interesting! I generally check it once a week. Any idea what their timeout is?

------
danellis
The title is mangled, because someone misparsed the question.

The question is "Is SMS 2FA secure?", not "Is SMS 2FA-secure?" There is no
such property as 2FA-secure.

Title should read: "SMS 2FA is not secure".

~~~
esolyt
I agree. "SMS is not 2FA-secure" implies SMS is not suitable for 2FA at all.
In reality, SMS 2FA is still very valuable to most people, even though it's
not secure enough.

------
frenchyatwork
But how else are you supposed to encourage users to give you their phone
numbers so you can track them better?

~~~
choward
No company would ever do that, right? Especially a social media company.
Clearly there would be public outrage and their stock would plummet.

~~~
robbya
For anyone who doesn't detect the sarcasm or is unfamiliar:
[https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-ads/](https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-ads/)

------
lmilcin
Just use a token like yubikey. I have a small fleet and am very happy with the
decision.

The only problem is there are very few services that get it right. Get it
right means support multiple tokens and allow to truly disable any other means
of logging in or recovering the password.

Most services seem bent on allowing many ways of logging in without giving a
choice. For example, they will advertise they use 2fa tokens but then if you
can't produce one they will still allow you to log in with SMS or mail (ie.
password recovery by mail). Facebook will not even let you set up tokens
without having SMS set up as a factor and the phone number verified.

I hope developers will slowly become more aware and there will be better
tooling (and Stack Exchange answers to ctrl+c ctrl+v...) to do it correctly.

~~~
gowld
What about Authenticator? Maintaining a small fleet of yubikeys costs as much
as a whole phone.

[https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US)

~~~
mceachen
Know that if your single phone dies with all your totp credentials, you're
sunk.

~~~
TheDong
Only if they neglected to offer backup codes (which anyone who does TOTP
should).

Otherwise, you can just grab a few backup codes out of your fireproof safe and
register your new totp code, or go to the bank and get them out of your bank
vault.

Sure, the fireproof safe costs as much as a few yubikeys, but if you go the
yubikey route you both need the yubikeys and a fireproof safe and bank vault
for your spare yubikeys too.
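
The backup-code handling that TheDong says any TOTP deployment should offer, as an added example (not code from the thread or from any particular service). It is what I would want on the server side: codes generated from a CSPRNG with a paper-friendly alphabet, only hashes stored, each code consumed on first use. Python standard library only; the alphabet, code length and scrypt parameters are my choices, not a standard.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Alphabet without 0/O and 1/l/I lookalikes so codes written on paper read back reliably.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # 31 symbols
CODE_LEN = 10                                   # 31^10 is about 2^49.5 possibilities per code
CODE_COUNT = 10


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LEN) -> List[str]:
    """Shown to the user exactly once, at enrollment. The server keeps only digests."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def normalize(code: str) -> str:
    """Tolerate the case changes, spaces and dashes people add when copying from paper."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def _digest(code: str, salt: bytes) -> bytes:
    # A memory-hard KDF rather than a fast hash: a dumped table must not let an attacker
    # try all 2^49.5 codes cheaply. Cost is modest because redemption is a rare event.
    return hashlib.scrypt(code.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def enroll(codes: List[str]) -> Dict:
    """Per-account record: one random salt, one digest per code, one 'used' flag per code."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "digests": [_digest(normalize(c), salt) for c in codes],
        "used": [False] * len(codes),
    }


def redeem(record: Dict, presented: str) -> bool:
    """Consume one code. Every slot is checked rather than returning at the first hit."""
    candidate = _digest(normalize(presented), record["salt"])
    hit = -1
    for i, stored in enumerate(record["digests"]):
        if hmac.compare_digest(stored, candidate) and not record["used"][i]:
            hit = i
    if hit < 0:
        return False
    record["used"][hit] = True   # single use: a code an attacker photographed is dead once you spend it
    return True


def remaining(record: Dict) -> int:
    """Prompt the user to regenerate the whole set when this gets low."""
    return record["used"].count(False)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("\n".join(codes))          # hand these to the user once, then forget them
    record = enroll(codes)
    print(redeem(record, codes[0]))  # True
    print(redeem(record, codes[0]))  # False: already spent
    print(remaining(record))         # 9
```

Two things the code does not do and a deployment must: rate-limit `redeem` like a password check (50 bits is plenty against online guessing only if attempts are throttled), and audit-log every redemption, since a backup code being spent is exactly the event that distinguishes "I lost my phone" from "someone else has my codes".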

~~~
C14L
Fireproof safe? Just use a text file and encrypt it.

Or a password manager file only for TOTP backups.

~~~
lmilcin
Don't use a text file. Use a regular piece of paper, put it in a tamper-evident
envelope and keep a register with events regarding envelopes.

When you take something from an envelope, note the date, the why, the number
of the envelope you opened and the number of the envelope you then put the
piece of paper in. Every time you open an envelope, check with the register
that the numbers agree.

------
skunkworker
And yet my bank (Chase) only supports email and SMS 2FA with no option for
OTP/TOTP. Is this just an institution dragging its feet or are there more
regulatory reasons why they won't allow more secure authentication?

~~~
techsupporter
At least they offer codes via email. I can (and do) secure access to my email
account and domain registration with a very long password and a Yubikey.
That’s “good enough” for my purposes.

~~~
Koffiepoeder
Most email is unencrypted during transit, so a state level adversary can still
easily intercept it. For most people this is however sufficient.

~~~
techsupporter
Absolutely, a state-level opponent could get up to some shenanigans though I
would argue that a state has much easier methods to go cracking into my Visa
card. My threat model doesn’t include nation states targeting me specifically
because, simply, if one comes after me I am screwed anyway.

As for email being unencrypted, I think most of it now is encrypted during
transit (thanks to the Big Two providers knocking points off a spam score if a
message does come via TLS) and even if it weren’t the password is also not
known so the second factor is not useful. For example, I just tried to log in
to chase.com and the code they emailed me at 1752 MST is 067315.

If I’ve been phished so hard that posting this is useful, again I’m screwed.

------
professorTuring
Is SMS 2FA Secure? No, I agree.

Is SMS 2FA enough for most of the people today? Yes

Is SMS a cost-benefit solution for most uses? Yes

~~~
lotsofpulp
Is offering or forcing SMS 2FA and not offering an option for only TOTP
asinine? Yes.

It’s free, and requires a tiny bit of additional configuration to enable. No
reason not to offer it.

~~~
StavrosK
In a previous company, one of the employees enabled 2FA for their staff
account (it was mandatory), stored the backup codes on his phone (presumably
as a photo) and it fell in the ocean the next day.

With large enough numbers, you'll see everything, but you don't even need
large numbers to get people whose lives are made more difficult by technology.

~~~
lotsofpulp
Yes, that is exactly what I want. Life should be much more difficult without
the TOTP and backup codes, so much that it takes a great deal of resources to
get around it, if at all possible. Maybe even providing heavy documentation
such as a Facetime call with various proof so that fraudulent actors are
sufficiently deterred.

~~~
spookthesunset
Dude. If somebody wants into your account specifically, they’ll get into it.
2FA, specifically SMS based 2FA, is really about the provider getting mass
compromised because people recycle their password across all their sites.

It's great for keeping out people using scripted attacks against a huge list
of accounts. It isn't really to keep people specifically after your account
out.

If somebody wants _your shit_ and _specifically your shit_.... they’ll get
it...

~~~
Thorrez
> If somebody wants your shit and specifically your shit.... they’ll get it...

How? I don't think Brian Krebs has been hacked, even though he's extremely
targeted by hackers (his site is literally the benchmark for performing DDOS
attacks on).

------
ahaseeb
DontPort.Com - I built this to fix this. I've been a victim of this 4 times
and was very frustrated. Unfortunately, SIM swap is only one way to get your
2FA, but the risks are much higher, which I am working to solve one by one.

~~~
stevenwliao
Which common cases does the insurance cover? What uncommon cases does it not?

How do you protect against an insider attack?

------
rvz
You know what's funny? LinkedIn is supposed to be a 'professional' social
network (Microsoft owned) and a friend of mine was asked to add a phone number
'For security purposes'. I knew this was suspiciously involving 2FA SMS + a
bonus of spam callers and I told him to press "Not Now". Whilst the world is
moving to U2F and time-sensitive codes, a security system using SMS 2FA is now
equivalent to a single PC running Windows XP in a bank.

But it's not just LinkedIn. It's a huge list of major companies, including
some FAANG ones too. Oh dear.

~~~
professorTuring
Not true. Not true by far. That's an overstatement. 2FA is only one of two
factors: you need the password, you need the mobile number and you need to
obtain a duplicate or be close to your victim.

You should be worried if you are a POI or you are being targeted personally.
And if it is so, SIM Swapping it's just one option and if it doesn't work
there are other methods (breaking in, stealing yubikeys, mobiles...)

~~~
Spooky23
You don’t always know if you are a target.

------
solatic
All of this happens because we've outsourced digital identity to the telecom
companies. Telecom companies are not competent at establishing identity. It's
not their job. There is only one entity that is the real root provider of
identity and that is the government.

We are never going to get the benefits of digital identity until the
government wakes up and brings its services into the digital age.

------
baybal2
No, it isn't at all. Moreover, sim swap is not necessary at all.

Anybody with direct access to SS7 can send a fake roaming request for your sim
card.

------
Havoc
Definitely not. In my home country the banks use SMS 2FA.

It's a complete shitshow. Occasionally syndicates manage to get both sides of
2FA lined up (insiders) and clean out someone's account.

Then the bank says not my problem - you didn't keep your password safe. And
the cell provider says not my problem - not intended as security mechanism.
Leaving the customer poor and sht out of luck.

------
acd
Want to point to the Google blog article about the effectiveness of different
2FA techniques. SMS is between 76% (targeted) and 100% (automated bot) effective.

[https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html](https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html)

------
tenryuu
I don't really trust Authy being used as much as I think anyone else would.
For the sites that I have used it with, an Authy account, or just the app is
not required. Therefore codes are just sent over plain SMS.

Consider this scenario. Twitch now requires all accounts that want to stream
to use 2FA, after the whole artifact fiasco. Anyone over the age of 13 is able
to do this. I don't expect everyone at this age to have a phone number, and I
assume these people would rely on their parents' phone to pass this.

As authy is completely optional, people may choose to not require another app
for their account, in effort of just quickly jumping through another hoop
blocking them from going live, or the device owner not wanting to have an app
installed.

It just feels weird knowing that this can be a point of failure for a service
that solely relies on a single 2FA method that could fall to an attack like
this, down to the individual and how they operate.

------
trimbo
I'm surprised more websites aren't taking advantage of TouchId. It's so easy
for people to use.

Even login.gov supports it!

[https://www.slashgear.com/chrome-is-adding-touch-id-and-fingerprint-sensor-support-for-web-apps-14545704/](https://www.slashgear.com/chrome-is-adding-touch-id-and-fingerprint-sensor-support-for-web-apps-14545704/)

~~~
Nextgrid
Touch ID and other biometrics are enforced locally.

The device is first enrolled, the website gives the device a secret value
which the device can put in its secure element. When needing to authenticate
again the device checks biometrics _locally_ and if correct then the secure
element releases the secret value which is then either passed onto the website
or used as part of a challenge-response authentication.

This means if you lose or reset your device you can't get back in despite
having the right biometrics.

~~~
trimbo
Yes, that's a security feature. It's also true for Google Authenticator, by
design. You cannot officially back up/share codes because of the potential
vulnerabilities that a backup would open up.

Yubikey has the same problem you describe. If your key stops working, you'd
also be locked out. Yubikeys can spontaneously stop working in my experience.

To mitigate this, sites like login.gov allow you to add multiple devices, so
you can have it on e.g. your laptop and your phone, and yubikeys if you'd
like. I generally do all three for important sites (or multiple Yubikey when
touchID is not offered).

Anyway, my point is that offering TouchID makes a more secure 2FA very, very
convenient for the average person. I'm just surprised more developers haven't
offered it even though it's been in Chrome for a couple years.

------
annoyingnoob
And then there was this... [https://www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh](https://www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh)

------
scottmcdot
This post [1] makes a very good point...

Using a few old Google accounts, I experimented with Google’s account recovery
options and discovered that if a Google account does not have a backup phone
number associated with it, Google requires you to have access to the recovery
email account OR know the security questions in order to take over an account.
However, if a backup phone number is on the account, Google allows you to type
in a code from an SMS to the device in lieu of any other information.

[1] [https://tech.vijayp.ca/adding-a-phone-number-to-your-google-account-can-make-it-less-secure-f1cc7280ff6a](https://tech.vijayp.ca/adding-a-phone-number-to-your-google-account-can-make-it-less-secure-f1cc7280ff6a)

------
dzhiurgis
In many European countries SIM cards are actually locked to a number.

If you change your SIM card you'll have to reset your 2FA setup on the banks
site. It's done on the carrier side.

I still hate it tho, as you are locked to a phone number and it sucks when you
move countries a lot.

~~~
Nextgrid
This relies on carrier cooperation. Given they are the ones that caused this
shit-show in the first place I wouldn't trust them to make it right. An
insider capable of SIM-swaps would also be able to override this mechanism.

------
_wldu
The sad part about all of this is the complexity of the new solutions.
Webauthn is strong but fiendishly complex. How did we get here?

Websites used weak hashes (md5 and sha1... efficient to compute and attack) to
store passwords and allowed users to set short, weak passwords (12345,
letmein).

Long passwords randomly generated by password managers and stored as strong
hashes (Argon2id) by websites are secure, not guessable and even
difficult/expensive to attack offline when the database is dumped.

This approach is simple and easily understood by everyone involved (users and
site admins) and would be suitable for the security of 99% of websites.
Leaving 'Account Recovery' as the only remaining challenge.
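
The two storage schemes _wldu contrasts, side by side, as an added example (not code from the thread). The weak side is the unsalted fast hash as described; the offline attack against it is a plain dictionary lookup, which is why one dumped table exposes every user who picked "letmein". The hardened side follows the shape the comment recommends: random per-user salt, memory-hard KDF, constant-time comparison. One substitution, stated plainly: the comment names Argon2id, which needs the third-party argon2-cffi package, so scrypt from the Python standard library is used here; the structure is the same. User names, passwords and the cost parameters are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable


# --- the "how we got here" side: unsalted fast hash, deliberately weak, for contrast ---
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack on an unsalted table: one hash per guess is checked against every
    user at once, and two users with the same password have the same digest."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


# --- the hardened side: salt + memory-hard KDF (scrypt standing in for Argon2id) ---
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB per guess; tune upward per deployment


def kdf_store(password: str) -> Dict[str, object]:
    """Store the parameters next to the digest so they can be raised later without a flag day."""
    salt = secrets.token_bytes(16)              # fresh per user: identical passwords no longer collide
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"kdf": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt, "digest": digest}


def kdf_verify(record: Dict[str, object], password: str) -> bool:
    digest = hashlib.scrypt(password.encode(), salt=record["salt"],
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=len(record["digest"]))
    return hmac.compare_digest(digest, record["digest"])   # no early exit on first differing byte


if __name__ == "__main__":
    table = {"ann": md5_store("letmein"), "bob": md5_store("12345"),
             "cy": md5_store("correct horse battery staple")}
    print(crack_md5(table, ["password", "letmein", "12345"]))   # {'ann': 'letmein', 'bob': '12345'}
    rec = kdf_store("letmein")
    print(kdf_verify(rec, "letmein"), kdf_verify(rec, "letmeout"))   # True False
```

The point the code makes beyond the prose: against the md5 table, the attacker's cost per guess is one hash amortised over the whole user base; against the salted KDF it is one full scrypt evaluation per guess per user, which is what turns a dumped database from an instant compromise into an expensive one. It does nothing for the account-recovery problem the comment ends on.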

------
skybrian
It's really too bad nobody tests Google Fi. I wonder if they would hold up
better?

------
peterwwillis
This research doesn't seem complete; particularly the use of a phone number
for authentication, that isn't SMS.

Facebook Messenger uses a phone number either tied to your Facebook Account,
or identified as the phone number on your mobile device, to immediately log
you into a Messenger account, with zero authentication. They literally ask you
"Is this your account?" and you just click "Yes" and you are in that account.
Even if it's not yours.

If you use prepaid phone numbers, or link one to your account, you can often
get into Facebook Messenger accounts that aren't yours.

------
phantom_oracle
The odd thing about SMS 2FA is the amount of critical services that rely on it
as the only method of extra protection.

You want your: bank, utility provider, entity-that-has-lots-of-personal-data-
on-you to offer other secure options.

This might be a costing issue though. When your customers number in the
millions, your call center is probably handling thousands of "im locked out"
issues per day and these need to be handled in x-minutes. Other security
options might cause the time meant to handle these scenarios to increase and
SMS is generally 'simple' compared to them.

------
jimmaswell
The only good solution at this point is to legislate cell carriers to make SMS
more secure. Everyone perceives it as secure, everything uses it for auth, and
it ought to be secure for its own sake.

~~~
9nGQluzmnq3M
The problem here is not SMS itself, but that it's trivial to socially engineer
most operators into transferring somebody else's number to you.

(FWIW, SMS is also insecure in that it's fairly easy to passively snoop on SMS
comms, but that's a separate problem.)

------
darkhorn
In Turkey if you change your SIM card your bank is notified and you cannot
login to your bank account. You have to re-validate yourself with a long phone
call and re-create a new password.

------
choppaface
Word of warning if you know somebody who uses Bank of America: their customer
support has a mechanism to push you a 2nd factor code over SMS and then they
actually ask you for the code over the phone. The text message looks 99%
identical to the 2nd factor code you get when normally logging in to your bank
account.

Support does this to 'verify your identity' and authorize doing arbitrary
things like even moving $100,000 out of your bank account.

And no, their security team won't fix this.

------
exabrial
Apple needs to help move the needle on 2FA/U2F/webauthn. Unfortunately you can
even create an Apple ID without a dreaded SMS "authentication".

------
bboreham
This may explain why I get called every week from all over Europe by people
that think they missed a call from me.

I knew it had to be a scam, but hadn’t put the pieces together.

------
hprotagonist
uh.. No, and NIST has been saying this for about 5 years.

------
wiggler00m
Apple is forcing users who upgrade to Catalina to use 2FA and if you do not
have multiple devices this defaults to SMS.

There is no option to turn it off.

------
emersonrsantos
Ran Bar-Zik, from Israel, created a technique to hack most voice 2FA by using
a weak voicemail password. It was largely used in 2019 to hack Brazilian
politicians, including state ministers. The hacked telegram messages were
passed to Glenn Greenwald, linked to Assange.

~~~
leonidasv
Do you have any sources on that (the specific technique that was used)? Google
returned nothing.

AFAIK, they were hacked using plain simple SIM swap/cloning.

~~~
emersonrsantos
[https://politica.estadao.com.br/blogs/fausto-macedo/wp-
conte...](https://politica.estadao.com.br/blogs/fausto-macedo/wp-
content/uploads/sites/41/2019/07/DECIS%C3%83Ospoofing.pdf)

(Portuguese)

------
tim333
It would be nice if the carriers allowed you to specify you wanted to restrict
SIM swapping. When I lost my 3 SIM to get the number transferred to a new one
I went to a 3 store with my passport. I'd be fine with that being the only
method they'd allow.

------
rubyn00bie
I have been saying this for years.

The amount of knowledge one needs to port a phone number is unbelievably
little, and people's very nature to be helpful works against us. Up until maybe
just very recently you needed the account number of the phone number and the
last four of a social security number... sometimes, just the account number.
Also, the last four of one's social security number is perhaps the shittiest
way to authenticate _ANYTHING_. For many years, a lot of sites online would
show you the last four of an account holder's SSN (and some places still
probably do) if you have an email address, correct name, and phone number or
physical address.

Getting the account number would likely be even easier thanks to helpful store
reps... Just go in and make up an excuse why you need it or forgot it, it's
like "social engineering 101" because it seems so benign to most people. You
already know the name, address, and phone number-- you just "forgot" your id
at home... Or one could just listen to them call each-other write down their
info and then call another store.

With those two things in hand, the phone number is pretty much the attacker's,
and getting it back would take more than enough time for extensive amounts of
damage... ESPECIALLY if that is the only line on the account (or they took all
the lines)... I'd guess a bare minimum with near immediate recognition of the
real problem (your number heisted) and police involvement, probably a minimum
of ~12 hours.

So, if phone numbers are so bad why are they ever used? IMHO, that's because
they aren't to provide security, they're to provide easy tracking between your
virtual life and your physical one. You're only securing the businesses data
pipeline, not your personal data.

If you want 2FA (and everyone should) use Google Authenticator or a Yubikey...
or whatever I'm not trying to shill brands just ideas that work.

------
anonytrary
Unrelated -- I love how the domain name is literally the average Google query
for when this becomes breaking news. Clever to make your domain name a literal
Google query if you want to spread an idea...

------
SimeVidas
Now I only need to find out on which ones of my 200+ accounts this feature is
enabled… Honestly, it would be easier for me if the EU just made it illegal,
forcing services to disable it for me.

~~~
robbya
Why? It's not "secure" but it's more secure than nothing.

The paper mentions some websites that claim to use SMS 2FA, but actually use
SMS as a single factor for password reset. While that's really bad I think the
solution is to fix those broken implementations not to stop using SMS 2FA
everywhere in favor of using nothing.

~~~
33Backpack33
The paper also said, "websites should eliminate SMS based MFA altogether".

------
useful
I know a few people who have been hacked with this method via t-mobile in
order to control chat rooms on telegram and steal crypto.

According to this paper, t-mobile has the smallest surface area, which is sad.

~~~
Swizec
Why sad? _someone_ has to have the smallest

Would it be less sad if it was Verizon?

~~~
scarejunba
To him it's sad because "I know X is vulnerable and X is best" means he's at
risk to the same thing as his friend no matter what he does.

------
Zenst
Worth having a private number on a low or PAYG plan and use that for your
security separate from your main mobile number.

After all, most have a spare phone and great use for those Nokias.

~~~
1996
This is my conclusion too. A PAYG that you recharge with cash, so it is
unlinked to your name in the telecom operator databases, is the best protection
against rogue employees.

------
Pfhreak
What's with all the redacted entries? Without some context, I assume that
these are companies that threatened some sort of legal action if their name
was published?

~~~
ben509
Later in the paper they mention that they're temporarily redacted due to
responsible disclosure rules.

~~~
Pfhreak
They say there are 361 sites pulled from TwoFactorAuth.org's list of sites,
and they were able to access 145 of them.

In describing the set they initially drew from, it seems like they've
described the 17 redacted sites simply by describing their complementary set
(the 128 sites that are secure).

------
surround
[http://isThisYourPaperOnSingleServingSites.com/](http://isThisYourPaperOnSingleServingSites.com/)

------
u801e
I wish more websites (and other application protocols) would support client-
side certificates in addition to the username and password for authentication.

------
egwor
Where were these five providers based? Was it just in the US? I wonder if the
controls are more stringent; my suspicion would be that they are in Europe.

------
bigcohoneypot
What about google voice? I've noticed a lot of sites block it, but it seems as
safe as email for 2fa.

------
frankzen
Haven't we known this for quite some time? I'm just amazed many places still
use it!

------
cglace
Why don’t they just do two verification charges between .01 and .99 to the
card on file.

------
33Backpack33
So can we finally stop saying it's better to have SMS 2FA than to not have
it?!

------
gregoriol
Could using an im service like Matrix to send the authentication token be more
secure?

------
tgdnt
Does anyone know the reason for all the Redacted entries on the interactive
datasets?

------
smacktoward
Short answer: no.

Long answer: nooooooooooo.

------
doctor_eval
Betteridge's law of headlines is an adage that states: "Any headline that ends
in a question mark can be answered by the word no".

[https://en.m.wikipedia.org/wiki/Betteridge's_law_of_headline...](https://en.m.wikipedia.org/wiki/Betteridge's_law_of_headlines)

~~~
jetzzz
The key part here is to only post this comment under headlines for which the
answer is "no".

~~~
doctor_eval
What I normally do is remember the law, and generally I don’t click through
headlines which are questions.

But this one felt more like it would be something a little deeper.

So then I clicked through - and the page fills up with the word “no”.

So I feel pretty duped.

------
dr_dshiv
Isn't perfect the enemy of the good, especially in security?

------
cryptonector
SMS is worse than 1FA.

------
GNOMES
Would be freaking awesome if Wells Fargo understood this...

------
ebg13
People always focus on SIM swaps and signal security, but neither of those
apply to Google voice numbers. So in the context of Google voice, is there
still any reason to not use SMS 2FA?

~~~
lotsofpulp
Bank of America doesn’t send SMS to google voice phone numbers.

~~~
shmoogy
What happens if you port to Google voice, can you no longer access your
account?

~~~
lotsofpulp
I don't know, all I know is I can't receive BoA 2FA SMS on my Google Voice
number. This is what BoA says:

>You are consenting to be contacted at the phone number selected for the
purpose of receiving an authorization code. If you selected text message,
Wireless and text message fees may apply from your carrier. Supported carriers
include: Alltel, AT&T, Cellular One, T-Mobile, Virgin Mobile, U.S Cellular and
Verizon Wireless.

Although I just remembered this person on Hacker News replied to me 1+ year
ago that their Google Voice number does work with BoA 2FA SMS, so maybe it's
just my specific GV phone number?

[https://news.ycombinator.com/item?id=18196014](https://news.ycombinator.com/item?id=18196014)

------
latchkey
When my gf lived in Malaysia, she added her phone number to FB and forgot
about it. Years later, after having moved back to Vietnam, the number was
recycled and someone was able to use that number to gain access to her FB
account and reset the password.

Getting access back to her account took a bunch of steps, including adding her
current number.

The interface for FB really makes it seem like you might lose access to your
account if you don't provide them with your number. Even better is that FB
exposes a small list of your friends (and the total count) of everyone who has
given them their phone number.

tl;dr: Don't add your phone number to FB.

------
goldcd
Compared to what?

Better than not having it? Yes.

Better than committing a 4,096Kb PK to memory and confirming all interactions
with mental arithmetic? No.

~~~
taviso
The article says "We found 17 websites on which user accounts can be
compromised based on a SIM swap alone", that seems like a pretty clear
indication that it can be worse than nothing.

I happen to think the benefits of SMS 2FA, even when working as intended, are
negligible. It seems like a bad idea to waste the finite amount of developer
good will we have asking services to implement it.

Literally the only attack that SMS 2FA has any impact on is credential
stuffing, and even then it's debatable. Credential stuffing is using the
credentials stolen from one service to compromise another. If you don't reuse
passwords, then you don't need SMS 2FA.

If you do reuse passwords - then it seems impossible you're not also
vulnerable to phishing. After all, you're already willing to hand over your
credentials to anyone who asks. SMS 2FA is not a solution to phishing, as the
tokens themselves can be phished.

~~~
goldcd
If you can compromise the account, based on a SIM swap alone, then that site
has 1FA (The phone number).

2FA requires you to have 2 factors at the same time. e.g. When I log onto
amazon from a new browser with valid username+password it additionally
requires me to confirm via my phone number.

1or1FA (e.g. reset your password via SMS if you forget your password) is just
increasing the attack area on 1FA (would be more secure without it).

Problem it's trying to solve, is that it's conventionally unacceptable to lock
people out of their accounts.

~~~
taviso
Let's say that it wasn't you who logged in with a valid username and password,
it was an attacker.

Under what circumstances does the phone number prompt prevent the attacker
from accessing your account?

Perhaps they used phishing? Then they can just phish the SMS code as well.

Perhaps they're a MITM over an insecure channel? Then they can just wait for
you to enter the SMS code.

Perhaps you installed their malware? Then they can just inject some code into
the browser.
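
The distinction robbya draws above between SMS as a second factor and SMS as a sole reset factor, goldcd's "1or1FA" framing, and taviso's point that a phisher collects the code along with the password can all be made precise by treating a site's accepted login and recovery paths as sets of factors. The following is an added example, not code from the page or from the paper; the factor names, the three policies and the attacker profiles are constructed to mirror the cases argued over in this thread.

```python
"""Which attacker capabilities break a site's authentication policy?

Added example; not code from the page or the paper. A site's policy is
modelled as the set of paths that yield access (normal login plus every
recovery flow), each path being the set of factors it demands. An attacker
holding some set of factors gets in if any path is a subset of what they
hold. Factor names, the three policies and the attacker profiles below are
constructed to mirror the cases argued over in the thread.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

Path = Set[str]

POLICIES: Dict[str, List[Path]] = {
    # Login requires both factors; there is no SMS-based reset.
    "true_2fa": [{"password", "sms"}],
    # Same login, but "forgot password" lets the number alone reset it.
    "2fa_with_sms_reset": [{"password", "sms"}, {"sms"}],
    # No second factor at all.
    "password_only": [{"password"}],
}

ATTACKERS: Dict[str, Set[str]] = {
    "sim_swapper": {"sms"},               # ported the number, knows no password
    "credential_stuffer": {"password"},   # reused password from another breach
    "phisher": {"password", "sms"},       # fake login page relays the code too
}


def compromised(paths: List[Path], held: Set[str]) -> bool:
    """True if any accepted path needs nothing beyond what the attacker holds."""
    return any(path <= held for path in paths)


def minimal_attack_sets(paths: List[Path]) -> List[FrozenSet[str]]:
    """Set-minimal factor sets that compromise the policy.

    A single-factor entry here is the paper's finding in miniature: that
    one factor, on its own, opens the account."""
    factors = sorted(set().union(*paths))
    found: List[FrozenSet[str]] = []
    for size in range(1, len(factors) + 1):        # smallest sets first, so
        for combo in combinations(factors, size):  # supersets are skipped below
            cand = frozenset(combo)
            if compromised(paths, set(cand)) and not any(m < cand for m in found):
                found.append(cand)
    return found


def at_least_as_strong(a: List[Path], b: List[Path]) -> bool:
    """True if every attacker who breaks policy a also breaks policy b."""
    return all(any(mb <= ma for mb in minimal_attack_sets(b))
               for ma in minimal_attack_sets(a))


def matrix() -> Dict[str, Dict[str, bool]]:
    """policy -> attacker -> does the attacker get in?"""
    return {name: {atk: compromised(paths, held) for atk, held in ATTACKERS.items()}
            for name, paths in POLICIES.items()}


def ranking() -> Dict[str, bool]:
    """Pairwise strength comparisons for the three policies."""
    p = POLICIES
    return {
        "true_2fa >= 2fa_with_sms_reset": at_least_as_strong(p["true_2fa"], p["2fa_with_sms_reset"]),
        "2fa_with_sms_reset >= true_2fa": at_least_as_strong(p["2fa_with_sms_reset"], p["true_2fa"]),
        "2fa_with_sms_reset >= password_only": at_least_as_strong(p["2fa_with_sms_reset"], p["password_only"]),
        "password_only >= 2fa_with_sms_reset": at_least_as_strong(p["password_only"], p["2fa_with_sms_reset"]),
    }


if __name__ == "__main__":
    for policy, row in matrix().items():
        print(f"{policy:22s}", {k: ("in" if v else "out") for k, v in row.items()},
              "minimal:", [set(s) for s in minimal_attack_sets(POLICIES[policy])])
    for claim, holds in ranking().items():
        print(f"{claim:40s} {holds}")
```

Running it shows why the "better than nothing" question has no single answer: adding an SMS reset path to true 2FA strictly weakens it (every attacker who breaks the stronger policy also breaks the weaker, and the SIM swapper breaks only the weaker), but SMS-reset and password-only are incomparable, since each is opened by a single factor the other does not accept. Against the phisher row, which holds both factors, all three policies fall, which is the point taviso makes about phished codes.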

------
kdeldycke
From the past few months I'm collecting all resources on the use of SMS as a
2FA: [https://github.com/kdeldycke/awesome-iam#sms-based-
authentic...](https://github.com/kdeldycke/awesome-iam#sms-based-
authentication)

TL;DR: don't.

------
meesterdude
The TLD is the question, the title is the answer.

------
sethgoldsteen
No

------
macmichael01
No, it's not.

------
krick
Did we ever seriously doubt that? 2FA is just a made-up reason to have your
phone number anyway, all the services that require that don't really want
anything other than that.

------
reaperducer
HN seems to be getting a lot of these submissions lately where the question
asked in the title is the same as the domain name. Sometimes the content of
the page doesn't even answer the question.

Feels like some kind of spammy PageRank manipulation going on. I'm happy to be
wrong about this, but I wanted to see if anyone else has noticed. Maybe I'm
just smoking crack waffles again.

~~~
gowld
This is clearly a PR effort associated with the research paper hosted on the
site.

It's a single-purpose domain name, so the Name of the domain is the same as
the Name of the content on the domain.

