Tech Echo (科技回声)

A tech news platform built on Next.js, providing global tech news and discussion content.

Resources: HackerNews API, the original Hacker News, Next.js

© 2025 Tech Echo (科技回声). All rights reserved.
Can We Stop Pretending SMS Is Secure Now?

221 points, by parsecs, about 4 years ago

16 comments
switch007, about 4 years ago
Can we stop pretending that the faux concern for the security of our accounts by tech giants was anything other than an excuse to harvest our phone numbers?

Twitter, for example, lets you sign up without a number, but then it suddenly detects "suspicious activity" and demands your number. Many other sites enforce it or heavily nag you in the name of security.
m_eiman, about 4 years ago
Having username+password+SMS is strictly safer than having username+password.

Requiring the attacker to know your phone number and do costly and/or time-consuming things to get access to it means moving from "script kiddie re-using username+password from leaked user databases" to "targeted attacks".

Sure, it's not Safe(tm), but it's a big step up from just username+password.
pmlnr, about 4 years ago
Nobody ever pretended SMS is secure, but it's also the only thing that actually arrives on a phone in many rural areas of the world.
llimos, about 4 years ago
I've seen a few threads like this in the last few days. From where I'm standing, it seems to be a US-only issue.

Can anyone please confirm that in a country that does not allow porting numbers without a code being sent to said number, and does not allow interceptions of the type described in the article, using SMS for MFA is, in fact, secure?
bosswipe, about 4 years ago
This attack is enabled by VoIP, which is also responsible for caller ID spoofing, which has led to the tormenting of millions of people daily with phone spam. The gains from VoIP have absolutely not been worth the loss of trust in what was a reliable communication network. I continue to be unimpressed with "deregulation and free markets"; in practice it usually means sharks feasting on confused consumers.
billpg, about 4 years ago
I once had to send a fax that included a letterhead to authorize a domain transfer. Because fraudsters can't reproduce letterhead, I guess?
afrcnc, about 4 years ago
Can we stop submitting Krebs articles and just submit the source instead? Such as this: https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
payne92, about 4 years ago
Security is relative, NOT absolute.

Involving SMS in the authentication process raises the bar significantly for script kiddie attacks using password databases. It also forces a larger and more detailed forensic trail for any attack.
dzdt, about 4 years ago
How about we recognize that SMS should be secure and make it so?

If the FCC required mobile providers to add crypto features to SMS that prevent spoofing, would it not be possible to do so?
tyingq, about 4 years ago
Interesting. I knew about SIM swaps, but this "off-net text enablement" is new to me. I did know about text-enabled VoIP numbers, but assumed you had to own the DID first. Coupled with the notes about reseller programs with blanket authorizations, it does sound like SMS is truly useless for 2FA.
ryanlol, about 4 years ago
Just wait until he learns that all you need to intercept an email is a forged LOA!
apexalpha, about 4 years ago
Having 2FA with SMS is still better than no 2FA at all.

Sure, TOTP would be far better, but reading this article I'm more concerned with how easy it is to get access to someone's SMS/voicemail than anything else.
hansel_der, about 4 years ago
Can we stop pretending electronic communication involving off-the-shelf components is secure?

I guess the pandemic has left us with little choice, but meeting in person is still the only way to have a private conversation, and I guess this won't change in the near future given the state of society.
gregwebs, about 4 years ago
Does using Google Voice for SMS resolve all security concerns?
LordAtlas, about 4 years ago
It's rather strange that in 2021, a prominent security researcher like Brian Krebs doesn't have a mobile-friendly website.
wealthyyy, about 4 years ago
Mr Krebs, please do your due diligence. The attack vector only works for landlines, VoIP, and toll-free numbers.

Upstream agreements already block mobile carriers.

Further, SMS from short codes are blocked by default. You can only receive SMS from long numbers. E.g. Wicker ..