
I've seen a few threads like this in the last few days. From where I'm standing, it seems to be a US-only issue.

Can anyone please confirm that in a country that does not allow porting numbers without a code being sent to said number, and does not allow interceptions of the type described in the article, that using SMS for MFA is, in fact, secure?



> Can anyone please confirm that [...] using SMS for MFA is, in fact, secure?

Nope.

Nobody's going to be able to give you this reassurance, or at least they shouldn't, because it isn't true.

It may not even be better than nothing. For example you get email that says your bank has detected large withdrawals from your account and to fill out a web form if you want them to block these withdrawals. The site linked from the email looks reassuringly authentic, and you get a SMS as you expected during the login process. Genuine right? Nope, you've just been phished and you've helped your attackers by giving your real SMS code to their phishing site.

Maybe if there hadn't been the seemingly genuine SMS message you'd have slowed down and realised that the bank's name isn't spelled "Furst Springfield Bonk" or that it wasn't previously hosted on a $1 per month bulk hosting site under a directory named "/wordpress/cgi-bin/cgi-bin/cgi-bin". Maybe not. Either way the SMS didn't help you.

Also, in most countries with any sort of number portability a minimum wage employee at a phone store is authorised to override this (after all they just checked your photo ID right? Or at least they clicked a box labelled "Check photo ID") and issue sims with your number activated to... well, they're authorised to give them to you, but they can give them to the hot guy who paid for shots for them and all their friends last night. It's only a part-time job, worst case if the boss finds out they get fired. So don't tell the boss.

There are plenty of problems. You should not be relying on SMS for multi-factor authentication in 2021. If you still are, make your way calmly towards the exits and find a solution that actually works.


> and you get a SMS as you expected during the login process

They could also ask you to enter the code from your hardware token, and accept whatever code you type. Phishing is a different story, not really related to SMS.

> Also, in most countries with any sort of number portability a minimum wage employee at a phone store is authorised to override this

I don't know about other countries, but here in Israel when you port to a different network a code gets sent to the number you're porting, which you need to provide to the new network.

Where there might be an issue is if you claim to have lost your SIM card. This happened to my wife recently - they did give her a new one in the store, but I instantly got an email telling me about it, so it's not so easy to do that undetected.


> They could also ask you to enter the code from your hardware token, and accept whatever code you type. Phishing is a different story, not really related to SMS.

To the extent there's a "code from my hardware token" it's some blob of data processed by the web browser and there's no way for a normal user to get it let alone enter it into a phishing site for whatever good that would do.

If you're going to bother overhauling your authentication strategy you need to actually counter real threats like phishing. WebAuthn does that. Deploy WebAuthn.
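As an added illustration of the point above (example code written for this thread, not the commenter's or any project's code), the Python below models why a relayed one-time code passes verification while a WebAuthn-style assertion produced on a phishing origin does not. The bank and phishing origins, the credential key and the challenge are constructed values; the authenticator's public-key signature is stood in for by an HMAC over the same data (authData || SHA-256(clientDataJSON)) so the block runs with the standard library alone. The relying-party checks shown (origin, rpIdHash, signature) are the ones the spec prescribes; everything else is a simplified model.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# Constructed origins for the model; neither is a real site.
RP_ORIGIN = "https://first-springfield-bank.example"
PHISH_ORIGIN = "https://furst-springfield-bonk.example"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation). Stands in for an SMS code:
    the code itself carries no information about which site asked for it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def otp_server_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Server-side OTP check: only the code and the clock are available."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def relayed_otp_login(secret: bytes, unix_time: int) -> bool:
    """Victim reads the genuine code and types it into the phishing page, which
    forwards it. The server has no way to tell it was typed somewhere else."""
    code_typed_into_phish_site = totp(secret, unix_time)
    return otp_server_accepts(secret, code_typed_into_phish_site, unix_time)


def _rp_id_hash(origin: str) -> bytes:
    # rpIdHash = SHA-256 of the RP ID; the browser only lets a page use an RP ID
    # that matches the origin it is actually on.
    return hashlib.sha256(urlparse(origin).hostname.encode()).digest()


def authenticator_sign(cred_key: bytes, rp_id_hash: bytes, client_data: bytes):
    """Authenticator side: sign authData || SHA-256(clientDataJSON).
    HMAC stands in for the ECDSA/EdDSA signature of a real authenticator."""
    auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")  # flags=UP, counter=1
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_key, signed, hashlib.sha256).digest()


def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str):
    """Browser side: the browser, not the user, writes the origin of the page that
    called navigator.credentials.get() into clientDataJSON."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = authenticator_sign(cred_key, _rp_id_hash(page_origin), client_data)
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # the check a relayed assertion fails
        return False
    if auth_data[:32] != _rp_id_hash(RP_ORIGIN):
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)


def webauthn_login(cred_key: bytes, page_origin: str, challenge: str) -> bool:
    """Full round trip: the RP's challenge is presented on page_origin (the phishing
    page can relay the real challenge), the browser answers, the RP verifies."""
    client_data, auth_data, sig = browser_get_assertion(cred_key, page_origin, challenge)
    return rp_verify(cred_key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # constructed OTP seed (RFC 6238 test key)
    key = b"constructed-credential-key"       # constructed credential key
    print("relayed OTP accepted:       ", relayed_otp_login(secret, 1_000_000))
    print("WebAuthn on bank origin:    ", webauthn_login(key, RP_ORIGIN, "c0ffee"))
    print("WebAuthn on phishing origin:", webauthn_login(key, PHISH_ORIGIN, "c0ffee"))
```

The OTP path accepts the relayed code because the code is all the server ever sees; the WebAuthn path rejects the relayed assertion because the browser recorded the phishing origin in clientDataJSON and bound the signature to it, and nothing the user types can change that.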


It's not a US issue.

You never own your phone number, yet services enforce it as single point of failure into your security concept.

There really is nothing sane about this at all.


No, I'm pretty sure e.g. SS7 attacks work for most (all?) countries.

This particular issue might be US-specific, but the fundamental security problems of SMS are not US-exclusive.


This is not an SS7 attack. SS7 attacks don't work in practice. E.g. a lot of carriers in the US are CDMA. GSMA carriers like AT&T have great firewalls in place to block SS7 attacks.

Further, you can detect SS7 attacks. Major banks already have measures in place...


SS7 attacks work in practice.

Any network in existence that has roaming enabled is vulnerable to fake roaming requests, and they cannot be "firewalled."

Seeing you implying that CDMA is somehow more resistant than GSM means you know very little about how cell networks work. The telephony layer for both is SS7.


The banks already have anti-fraud detection systems in place to detect roaming attacks. They can see whether a number is roaming-enabled or not.

The telecoms do prevent it with firewalls.

As for CDMA, please see:

https://www.wyden.senate.gov/imo/media/doc/Verizon%20SS7%20L...


Banks cannot see if a number is in roaming or not, unless the phone company explicitly tells them through some means.

I have so far never heard of anything like this.


How come you forget about HLR?

Banks can see. There are a lot of APIs on the web that provide this capability.

One example:

https://www.messagebird.com/lookup/


That looks more interesting. Never heard of such APIs being sold for more than a single operator.

How many operators in the world sell them this access?



Are you working there?


No. I've tested it anyway.


You still sound as if you are working in the industry. Are you?


Isn't it? SMS relies on SS7 to exchange messages. It may not be a direct attack on the network itself, but because of outside dependencies and a history of telcos trusting themselves to get it right (or simply not caring when it's wrong), this attack successfully results in messages getting routed elsewhere on the network.


This attack is based on a routing network, not SS7.

CDMA carriers don't use SS7 for SMS unless you're roaming.


SMS is not secure. Neither is email. Neither is a voice call. Cracked password = easy, free. Getting SMS or voice rerouted? Costs money, an extra step. A strong, unique password + even SMS 2FA is a relatively safe access control. Ultimately, we're all living with the legacy of a lot of tech that got mass adoption before it was mature (I started my career writing medical device software. I shudder to think how little thought went into security when we were all just trying to get things to work in the 80s).


> SMS is not secure. Neither is email.

That's too much of a simplification. At an absolute level, true.

But security is relative and needs to be measured with the threat models you care about.

Intercepting an email from your bank (let's say) to your email server (whoever provides it) is in practice exceedingly difficult; it requires that the attacker be in control of a transit point between them.

Intercepting SMS, as described in the article, is trivial and can be done by just about anyone who cares to go for it.


This applies to Canada as well.

