
In addition to letting you read someone's location, SS7 lets you intercept their SMS messages. This is used by, for instance, criminal groups to intercept 2FA codes or go through SMS-based password reset flows and log into people's bank accounts:

https://www.vice.com/en_us/article/mbzvxv/criminals-hackers-...




Almost everyone has a smartphone. A bank app is much more secure than SMS, because HTTPS allows encrypting information all the way from the bank server to the end device. It's possible to create a much more pleasant UI with a single touch rather than typing that OTP. And it's even possible to create a more secure solution by requiring a fingerprint.

And if Apple and Google were to implement some kind of universal solution, every website could utilize this technology, making 2FA more secure and usable.

It's kind of strange that we're still using SMS so widely.

Also SMS is not that cheap, while push is free.

Sure, SMS is fine as a fallback option, just like voice call is fine as a fallback option for SMS, but that's about it.


Are there any US consumer bank accounts that can be configured for 2FA other than SMS?

In the brokerage space, Robinhood accepts TOTP and Fidelity accepts Symantec VIP (proprietary TOTP-alike). But I don't know of any checking or savings accounts that can be protected this way.


FYI, you can use this utility to get the Symantec TOTP code into a standard TOTP program like Authy or Google Authenticator:

https://github.com/dlenski/python-vipaccess


Whoa, interesting! I thought TOTP used a shared secret rather than asymmetric encryption. The only thing I had to give Fidelity was the credential ID. Is that enough to generate or verify codes? Or does that require key material that only Symantec has?


This blog post explains how it works:

https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vi...

But yes, the original author extracted a pair of shared secrets from the Symantec executable.


Wells Fargo supports RSA tokens. The HW ones. TOTP or similar? Not so much, sadly.

https://twofactorauth.org/ is actually quite decent at tracking that sort of stuff


Schwab gives you an RSA token for the asking.


USAA


Ugh, USAA's 2-factor solution is such a pain in the butt. You can get a login token from their mobile app, but it's not very easy to find.

I really wish they would just support U2F or FIDO.


Using SMS only as a fallback option is useless because the authentication chain is only as strong as the weakest link.

Bank apps need to be easy to reset if you lose your phone but if you can do that just by receiving an SMS, or by entering a password you can reset using SMS, the system is easily broken.


Sign In with Apple and Google’s equivalent are supposed to be the solution to both passwords and 2FA.


It's getting more ubiquitous with Touch ID. At least in the common case.


Also, a daily reminder that NIST declared in 2016 that SMS is insecure and that it is not acceptable to use SMS for 2FA.

https://news.ycombinator.com/item?id=12163046



