Another Reason Not to Use SMS for 2FA

raindog308 Administrator, Veteran

https://lowendbox.com/blog/the-syniverse-hack-why-using-sms-for-2fa-is-a-bad-idea/

"For example, in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization (the “May 2021 Incident”). Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals. Syniverse has conducted a thorough investigation of the incident.”

Just who is Syniverse? A company that routes billions of text messages annually for all major US cell phone carriers.


Comments

  • jarjar Patron Provider, Top Host, Veteran

    Just seeing how bad T-Mobile has been about reissuing SIM cards in person to an attacker, I'll never use it again unless forced to. Even then, a secondary number is ideal.

  • Andrews

    Yubikey your friend

  • Authy Desktop with sync to other devices (mobile, tablet or other desktops) is great, so you aren't locked out if one of your devices is lost.

  • jon617 Veteran
    edited October 2021

    Same. Authy on mobile. Watch, too.

    Even still, the idea of 2-factor means the chances of hacks drop a lot. Hard to get both my phone/SIM and my password with entropy.

    But yeah, perhaps something like push notifications to an app may provide better security than SMS.

  • MGarbis

    I'm using Aegis Authenticator. Works for me.
    Authy is interesting, but isn't it possible that a hacker steals your phone number and gains access to your Authy? Of course it's harder than using SMS 2FA with the stolen number...

  • vyas11 Member
    edited October 2021

    I use authy as far as possible.

  • Tony40 Member
    edited October 2021

    I like email-based 2FA. If you go on vacation to another country and change your SIM card to another mobile service and need SMS for your 2FA login, you are screwed! Already happened to me... In some services you don't have the option to choose your 2FA.

  • jsg Member, Resident Benchmarker
    edited October 2021

    @raindog308

    Just who is Syniverse? A company that routes billions of text messages annually for all major US cell phone carriers.

    To be fair, the problem wasn't in SMS-2FA per se but in a lousy service provider.

    But yes, SMS is indeed not an ideal way ... so e.g. banks have been/increasingly are switching to their own apps, which opens another can of worms, probably the least pesky of which is the fact that one's app collection grows ...
    Side note: SMS became attractive for hackers because it's so ubiquitous (and riddled with technical deficiencies), so shifting away from it will very likely lead to hackers shifting their focus too, which is an even graver concern as Android already is a very attractive target and iOS presumably too; plus there's the question of who else gets access to your data/secrets/keys/etc. (think "NSA, FISA+FBI, etc.").

    @Andrews said:
    Yubikey your friend

    Yes, but ...
    Key-based 2FA isn't always practical for everyone. But when/if it is practical, it is indeed a good solution.

  • TimboJones Member
    edited October 2021

    Ugh, SMS has never been secure. This was well known even before Snowden, the whole system is poorly designed and hacked inside and out by the three letter agencies worldwide.

  • LordSpock Member, Host Rep

    @MGarbis said:
    I'm using Aegis Authenticator. Works for me.
    Authy is interesting, but isn't it possible that a hacker steals your phone number and gains access to your Authy? Of course it's harder than using SMS 2FA with the stolen number...

    You can choose to "encrypt" your codes with another key (password) - so much less likely.

  • DP Administrator, The Domain Guy

    @Tony40 said:
    I like email-based 2FA. If you go on vacation to another country and change your SIM card to another mobile service and need SMS for your 2FA login, you are screwed! Already happened to me... In some services you don't have the option to choose your 2FA.

    This has always been my issue when I'm traveling; well, not really an issue, more of an inconvenience.

    But I carry 2 phones with me, so I'll just put my local SIM into the other phone, disable data roaming and wait for the SMS.

  • @MGarbis said:
    I'm using Aegis Authenticator. Works for me.

    I used to use Aegis, but recently migrated to Authenticator Pro: https://github.com/jamie-mh/AuthenticatorPro. Aegis doesn't have a watch app - they have a strict stance on being fully open-source, and supporting Google Wear would require the use of a closed-source Google library. Authenticator Pro is less strict about this and does have a Wear app, which works great on my Samsung Galaxy Watch 4.

  • More than 2 years using Authy; it works well on various devices.

  • Most people can somehow recover/reset their account password (talking about general internet account) using their email. But they can also gain access to their email using their phone.

    To call something 2FA, both factors must be completely independent (you can't access one by having access to the other).

    If this is your login situation, you've been using 1FA all along (and that F is your phone, not your extra strong password).

    At the same time, I've had my ass saved by sms account recovery once. It was a lower value google account so I was careless with storing the password. So yeah, security is complicated and not all-or-nothing.

  • woteti

    @TimboJones said:
    Ugh, SMS has never been secure. This was well known even before Snowden, the whole system is poorly designed and hacked inside and out by the three letter agencies worldwide.

    Forget the agencies. In AU the carriers can transfer a phone number relatively carelessly to another person; the whole mess is susceptible to someone who is good with social engineering.

  • @woteti said:

    @TimboJones said:
    Ugh, SMS has never been secure. This was well known even before Snowden, the whole system is poorly designed and hacked inside and out by the three letter agencies worldwide.

    Forget the agencies. In AU the carriers can transfer a phone number relatively carelessly to another person; the whole mess is susceptible to someone who is good with social engineering.

    The system is based on trust. If you have access to the system, you're trusted.

  • Increasingly, I think the majority of people are using SMS only for 2FA, notifications and security-related stuff. To that end, I wonder if SMS itself could be developed further so that it could be more secure.

  • jbiloh Administrator, Veteran
    edited October 2021

    What is security anyways? 😮

  • Arkas Moderator

    Own or Disown got owned by SMS 2FA!

  • In Brazil there are a lot of SIM swap scams.

  • jon617 Veteran
    edited October 2021

    I'm curious if 2-factoring through a Google Voice number is a safer 2-factor for most accounts since it's not attached to a wireless carrier, sim card, or device. Seems more convenient too, since SMS and phone calls arrive on my computer and GVoice app. Then, protecting the Google account itself with a security key for 2-factor.

  • Daniel15 Veteran
    edited October 2021

    @woteti said:

    @TimboJones said:
    Ugh, SMS has never been secure. This was well known even before Snowden, the whole system is poorly designed and hacked inside and out by the three letter agencies worldwide.

    Forget the agencies. In AU the carriers can transfer a phone number relatively carelessly to another person; the whole mess is susceptible to someone who is good with social engineering.

    Made worse by the fact that most Australian banks only support two-factor auth via SMS, and some of them don't support international numbers. MyGov accounts also only support 2FA via SMS, and their only solution for people moving overseas that still need access (eg to file Australian tax returns every year) is to disable 2FA. wow such security

  • JasonM Member
    edited October 2021

    @jbiloh said: What is security anyways?

    Right. In the last 10 years, with advancements in technology, I thought security would improve.
    But it has ultimately become a big mess everywhere, from Google to a hosting company started in the corner of my apartment. With data-protection laws, more data is hacked, leaked, and made available in the public domain.

    What's next are they going to store data on Mars or Moon?

  • default Veteran
    edited October 2021

    @JasonM said:

    @jbiloh said: What is security anyways?

    Right. In the last 10 years, with advancements in technology, I thought security would improve.
    But it has ultimately become a big mess everywhere, from Google to a hosting company started in the corner of my apartment. With data-protection laws, more data is hacked, leaked, and made available in the public domain.

    What's next are they going to store data on Mars or Moon?

    Security can't improve. From a technical perspective it can improve (having U2F + mobile number + fingerprint), but it's also about the user's comfort.

    Having 5 Yubikeys (as that company implies) is not the comfortable way. Having 1 Yubikey is a mess if it's broken or lost. Having an authenticator is a pain if you lose the app. Having SMS seems better because the phone number is registered in your name, but others can tap there too, it seems.

    It's hard to reach a balance between perfect security, with different authentication methods, and daily-use comfort.

    Personally, I think the old way of a backup email, with forced recovery if the IP changes (a big "if" with IPv6), is the most practical 2FA.

  • OK, requiring 2FA for using your account, but not requiring 2FA for gaining ownership of your account is not 2FA.

    What's the advantage of using the common SMS based 2FA login and only SMS (not 2FA!) based account recovery?
    The design protects against weak, reused or forgotten passwords and compromised computers; these are a lot more common than SMS-based account hijacking. And even if your SMS messages are hijacked, you can physically go and change your phone, SIM card and mobile carrier.
    It's up to everyone to decide whether it's worth it or not. But before judging someone, remember that not everyone has good key management and backup plans.

    @raindog308 said: too many people can access your SMS

    It is only an issue for bad 2FA implementations. You might as well use public Twitter posts for 2FA; it will be more secure (although not more private) than single-factor authentication if it is implemented correctly.
    The whole point of multi-factor authentication is to make sure nothing is compromised unless more than one authentication channel is compromised.
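    Two posts above make the same structural argument: the earlier one, that an email which resets your password plus a phone which resets your email collapses "2FA" into one factor, and this one, that requiring 2FA at login but not for account recovery is not 2FA. That argument can be checked mechanically. What follows is an added example written for this page, not code from the thread: each credential and recovery path is modelled as a rule ("holding these assets yields that one"), and the code enumerates the smallest sets of assets an attacker must obtain to reach the account. Both scenarios are constructed illustrations, not any real provider's policy; the asset names are arbitrary labels.

```python
from itertools import combinations


def closure(held, rules):
    """Everything an attacker can obtain from the assets already held, applying
    rules (needed_assets -> gained_asset) until nothing new is reachable."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, gains in rules:
            if gains not in held and needs <= held:
                held.add(gains)
                changed = True
    return held


def minimal_compromise_sets(primary, rules, target):
    """Smallest sets of directly attackable assets from which `target` is reachable
    (the minimal cut sets of the recovery graph). Supersets of a set already
    found are skipped, so only minimal sets are returned."""
    found = []
    for k in range(1, len(primary) + 1):
        for combo in combinations(sorted(primary), k):
            attacker = set(combo)
            if any(s <= attacker for s in found):
                continue
            if target in closure(attacker, rules):
                found.append(attacker)
    return found


def effective_factors(primary, rules, target="account"):
    """How many independent assets an attacker must compromise at minimum.
    1 means the setup is single-factor no matter what the login page asks for."""
    sets = minimal_compromise_sets(primary, rules, target)
    return min(len(s) for s in sets) if sets else None


def sms_recovery_scenario():
    """Constructed: SMS code at login, password reset by email, email recovered by phone."""
    primary = {"password", "phone", "email"}
    rules = [
        (frozenset({"password", "phone"}), "account"),  # login: password + SMS code
        (frozenset({"email"}), "password"),             # 'forgot password' link
        (frozenset({"phone"}), "email"),                # mail provider resets via SMS
    ]
    return primary, rules


def hardened_scenario():
    """Constructed: TOTP second factor, and every reset path also gated by a second factor."""
    primary = {"password", "totp", "email", "phone", "recovery_codes"}
    rules = [
        (frozenset({"password", "totp"}), "account"),
        (frozenset({"email", "totp"}), "password"),     # reset still needs the 2nd factor
        (frozenset({"recovery_codes"}), "totp"),        # printed backup codes stand in for TOTP
        (frozenset({"phone"}), "email"),                # mail provider still recovers via SMS
    ]
    return primary, rules


if __name__ == "__main__":
    for name, scenario in (("SMS-recovery", sms_recovery_scenario),
                           ("hardened", hardened_scenario)):
        primary, rules = scenario()
        print(f"{name}: effective factors = {effective_factors(primary, rules)}")
        for s in minimal_compromise_sets(primary, rules, "account"):
            print("   attacker needs:", ", ".join(sorted(s)))
```

    In the first scenario the only minimal set is the phone number alone, which is exactly the "1FA, and that F is your phone" situation described above. In the hardened scenario every minimal set has two members, even though the mail provider still recovers via SMS, because no recovery path hands over the account with a single asset.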

  • Maounique Host Rep, Veteran
    edited October 2021

    @JasonM said: In last 10 years with advancement in technology I thought security will improve.

    @default said: Security can't improve.

    Not only for that, but technical advancement in itself leads to lower security: first because technical means (for brute-forcing) get cheaper and cheaper, and second because the average Joe falls further and further behind if he is not in a technical field, and even then.
    You can't "educate" everyone about devices for 2FA if many are still using 12345678-type passwords. Also, even for a tech-savvy person who takes all the precautions they can think of, a state actor can and will gain access to their devices if it wants to; not everyone has the latest exploits, especially if they are intentional and/or kept hidden.
    The only almost-safe solution (for now) is to keep your sensitive data private on unconnected devices and, if you have to go online with it, use a VM with a non-persistent disk or an ISO mounted in RAM.

  • I've always used SMS. I've never been able to get an Authenticator app to work properly but it's been a while since I tried anything other than Google Auth.

    Example, Google Authenticator: I have attempted to use it on multiple phones, and out of nowhere it randomly decides to just wipe itself. Sometimes after updates and sometimes after restarting the phone.

    Has happened on more than one phone from more than one manufacturer. Recently I had something that required 2FA and it took me two weeks to get back into my account after rebooting my S21 Ultra. Fresh setup of Google Authenticator; rebooted the phone the next day and Google Authenticator wiped itself.

  • Symantec VIP works pretty well. I try to avoid Google products.
