Hacker News

> MFA using an SMS is not secure.

Why not? Is it that easy to intercept a SMS or is that just due to poor handling with some providers?




SIM-swap is a real thing, but it has an unreasonably large amount of mindshare in discussions about login security in non-security communities. Phishing is a gazillion times more common because it actually scales. Both SMS and TOTP are equally weak to phishing, yet people frequently shit on services for using SMS and not TOTP.

SMS has weaknesses. Especially if you are a particularly high-interest target. But the benefit of "everybody already has a phone" is immense and the true recovery mechanism for "oh shit I dropped my phone in the toilet" is valuable. Something like a yubikey is the complete solution to login problems that don't involve malware or some security vuln, but they are an extra thing that people need to buy so the pathway to "everybody uses a yubikey" is a mess.

Both Android and iPhone are now offering similar functionality through phones, which mitigates the "you need to buy a new thing" problem, though it is harder to set up an effective backup here.
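The claim above that SMS and TOTP are "equally weak to phishing" while a hardware key is not comes down to one protocol property: a one-time code carries no information about where it was typed, whereas a WebAuthn assertion is signed over the origin the browser actually saw. The following is an added example, not code from any commenter in this thread. It implements RFC 4226/6238 HOTP/TOTP, then simulates a real-time phishing relay against both factors. Assumptions: the real site is https://bank.example, the phishing site is https://bank-login.example, and an HMAC keyed with the registered credential stands in for the authenticator's ECDSA signature (the origin binding, not the signature algorithm, is the point).

```python
"""Phishing relay vs. TOTP and vs. an origin-bound (WebAuthn-style) assertion.

Added example, not from the thread. The origins and the HMAC stand-in for the
authenticator's signature are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://bank.example"          # assumed legitimate relying party
PHISH_ORIGIN = "https://bank-login.example"   # assumed lookalike run by the attacker


# --- RFC 4226 HOTP / RFC 6238 TOTP ------------------------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + i), code)
               for i in range(-window, window + 1))


# --- A relayed TOTP code is indistinguishable from a legitimate one ----------
def phish_totp(user_secret: bytes, now: int) -> bool:
    """Victim types the code on the phishing page; the attacker forwards it to the
    real site inside the same 30 s step. Returns whether the real site accepts it."""
    code_typed_on_phish = totp(user_secret, now)
    return verify_totp(user_secret, code_typed_on_phish, now)


# --- Origin-bound assertion: the browser, not the user, supplies the origin --
def authenticator_sign(cred_key: bytes, challenge: bytes, origin_seen_by_browser: str):
    """Build clientDataJSON and sign its hash. HMAC stands in for ECDSA (assumption)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).decode(),
        "origin": origin_seen_by_browser,
    }, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig


def site_verify(cred_key: bytes, challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: origin is ours, challenge is ours, signature covers both."""
    data = json.loads(client_data)
    if data.get("origin") != REAL_ORIGIN:
        return False
    if data.get("challenge") != base64.urlsafe_b64encode(challenge).decode():
        return False
    expected = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def phish_webauthn(cred_key: bytes):
    """Attacker relays the real site's challenge to the victim on PHISH_ORIGIN.
    Returns (accepted when relayed unchanged, accepted when origin is rewritten)."""
    challenge = secrets.token_bytes(32)
    client_data, sig = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    relayed = site_verify(cred_key, challenge, client_data, sig)       # origin mismatch
    forged = json.loads(client_data)
    forged["origin"] = REAL_ORIGIN                                      # attacker edits origin
    tampered = site_verify(cred_key, challenge,
                           json.dumps(forged, sort_keys=True).encode(), sig)  # signature mismatch
    return relayed, tampered


def legitimate_webauthn(cred_key: bytes) -> bool:
    """Same flow with the browser genuinely on REAL_ORIGIN."""
    challenge = secrets.token_bytes(32)
    client_data, sig = authenticator_sign(cred_key, challenge, REAL_ORIGIN)
    return site_verify(cred_key, challenge, client_data, sig)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 test-vector secret
    print("TOTP relayed through phish accepted:", phish_totp(seed, 1_700_000_000))
    print("WebAuthn (relayed, tampered):", phish_webauthn(secrets.token_bytes(32)))
    print("WebAuthn legitimate:", legitimate_webauthn(secrets.token_bytes(32)))
```

The TOTP relay succeeds because the verifier only checks the secret and the time step; an SMS code behaves identically. The origin-bound assertion fails either way the attacker plays it: relay it as-is and the relying party sees the wrong origin; rewrite the origin and the signature no longer covers what was sent. SIM swap is orthogonal to all of this, which is why the relative frequency of the two attacks matters for choosing a factor.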


But this comes down to bad security practices at the telco, doesn't it?

I don't know about other countries, but you can't even buy/activate SIM cards in Germany without "proper" identification through VideoIdent or another system where your passport is checked against. At least that's what I remember.

I'm not sure any type of "I've lost my SIM, please use this one" would work on German carriers without proper ID.

Moving numbers also requires some kind of paperwork, it's not that easy after all.

So... Is this a telco problem or a SMS problem?


Sort of yeah, it wouldn't be possible with my carrier for example as they would just tell you "login online and swap it" because things like switching sim etc. is just something you do there and not something you call them about. And to login to the website you must use the national 2factor authentication.

So essentially they would have to breach the national 2factor authentication system first here.

And there is absolutely no way that you could "social engineer" the guy on the other end of the phone who works for the telecompany as there is no way you shouldn't be able to use their online tools.


Not the parent, but I'm assuming they're referring to the ease of SIM spoofing to convince providers you're another phone number that's not your own.


More commonly referred to as SIM swapping.

If you ever notice you lose connection to your carrier: begin to worry.


Yep it is that easy, often all it takes is a suitably phrased "please give me control of this phone number" in a telco's support live chat


See the other comment, it looks like this problem boils down to very bad security practices at the telcos but not a general problem with SMS itself.



