Chuckanut
Why SMS messages are not a good form of 2nd Factor Authentication.
As one person pointed out, SMS codes are not something you have; they are something that somebody has sent to you. As such they are subject to a man-in-the-middle attack, since SMS is inherently not secure. Not so good.
Geeky stuff below:
https://www.grc.com/sn/sn-612.htm
"Somehow," they write, "the masses have been led to believe" - yes, well, and we know how - "that phone numbers are inextricably bound to identities and therefore make good authentication tools." Of course we on the podcast, as we've been covering recently, know otherwise.
They say: "There's a reason that Kraken has never supported SMS-based authentication. The painful reality is that your telco operates at the security level"- and I got a kick out of this - "of a third-rate coat check clerk.
Here's an example..."
LEO: Where can you find a coat check clerk these days?
STEVE: Yeah. "Here's an example interaction.
Hacker: Can I have my jacket?
Telco: Sure, can I have your ticket?
Hacker: I lost it.
Telco: Well, do you remember the number?
Hacker: No, but it's that one right over there."
LEO: Oh, boy.
"Telco: Okay, cool. Here you go. Please rate us 10 out of 10 on the survey." Uh-huh. And I won't go on.
But given a choice, you absolutely want time-based authentication, not an SMS message per instance. And if you can disable SMS in favor of anything else for account recovery, that would be good, because remember that typically SMS is hopefully only an additional factor. Somebody first has to have your username and your password, and then also another second factor beyond knowing your password. The problem is it's often used for account recovery. I forgot my password. Oh, well, we'll send you a blurb to your phone number in order to recover it. Well, that's the huge Achilles heel of where we are today: account recovery.