
2 factor auth just isn't safe - rbrakus
https://hackernoon.com/is-your-2-factor-auth-based-on-a-pinky-swear-and-late-90s-it-security-859f50f25c8b
======
algesten
I'd rewrite that title to say SMS-based security isn't safe. This is by no
means limited to 2 factor auth, there are still many, many sites using SMS for
"account recovery", which arguably is even worse (since 2FA should in theory
also require your password).

But then SS7 is probably neither here nor there, since getting a new SIM with
someone else's mobile number is likely to be way easier (and require less tech
knowledge).

Go into your mobile network shop, ask to replace your faulty SIM, make up some
sob story why you didn't bring your ID. Did they say NO? Try the next shop.

Also, the security around the terminals they use to switch SIMs in those shops
is often very lax. Just last month I saw an example of both account sharing
AND leaving the terminal unlocked with me next to it.

