Malicious SS7 activity and why SMS should never be used for 2FA

https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/

Anecdotal: With the prior consent of the DID holders, I have successfully ported people's numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic-looking 'phone bill'.

Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this.

No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.

-mel via cell

PayPal used to openly support token 2FA, but has since made it nearly impossible to use hardware tokens. They try very hard to ram SMS down everyone's throats.

-Dan

While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, etc.), and a fallback needs to be available to authenticate.

I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PINs.

We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".

Mark.

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it has been used; TOTP times out after some specified interval, usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication
factor is not secure enough; that's why you use two. SMS for 1FA is
hugely risky and should not be used for anything important, like
money. SMS for a password reset is an example of 1FA -- your ability
to receive SMS messages at the required phone number becomes the sole
authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your
phone number, what makes you think they lack the wherewithal to have
captured the shared secret used to generate your TOTP code?

Regards,
Bill Herrin

Bill,

SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

-mel

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin

Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS?

Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others.

Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations.

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html

-mel

Bill,

You don’t even have to bother with social engineering, as Bruce Schneier points out in his blog from last month:

https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html

"It turns out that with a little bit of anonymous money — in this case, $16 off an anonymous prepaid credit card — and a few lies, you can forward the text messages from any phone to any other phone.”

-mel

It's quite likely that most institutions (especially financial ones) will prefer to use their own homegrown app-based authenticators. But again, those require a smartphone, which is still not the most basic pathway.

The good news - I just ran a test to log on to my banking profile from my laptop. I disconnected my phone from the world (Airplane mode) and while the app complained about not having Internet access, it was still able to generate a log-on, transaction or re-authentication code. So that helps. But that's just one of them... the other banks I use either don't have apps that replace physical authenticators, or require an Internet connection for 2FA. Thankfully, none of them require SMS to authenticate.

Nearly all the banks use SMS to either confirm a transaction has taken place, or to deliver an OTP to complete a transaction (but don't use SMS to do the initial or follow-up authentication).

Some of them are sending secure messages to confirm (and notify about) transactions within their apps, in lieu of SMS.

Mark.

Mel,

What do you think social engineering is? It's a couple well placed
lies that convince someone to do the wrong thing.

Regards,
Bill Herrin

Fine. And you think 2FA trivially susceptible to social engineering is OK. "Come on, man", as Biden would say :)

-mel

On top of this, most TOTP and HOTP systems have additional security checks, like blocking reuse of codes, rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far, that make them much stronger options; the last one decreases security but is certainly more of a convenience factor.

-john

Hi John,

On a site, the symmetric key used to generate the TOTP code is stored in the same database as the user’s password. Unencrypted or with readily reversible encryption since unlike a password it can’t be verified by comparing ciphertext. Your protection is that every site uses a different TOTP key, just like you’re supposed to use a different password, so compromise of a single site doesn’t broadly compromise you elsewhere. It can also be captured with malware on your phone, the same place an adversary will sniff your password, which -will- broadly compromise you if you’re also entering the passwords on your phone.

None of these authentication schemes are magic. They all have attack vectors with varying degrees of difficulty, none of which are particularly harder than breaking a well chosen password. 2FA doesn’t solve this. All it does is require an adversary to break -two- completely different authentication schemes in close enough proximity that you won’t have closed the first breach before they gain the second. That’s it. That’s all it does.

While attacks on SMS are certainly practical, stop and think for a moment on how you would scale them up and break 10000 accounts per day. Got a plan where you’re not caught in the first two days? No, you don’t.

SMS is not a strong authentication factor. When used well, it’s not intended to be. It’s meant to require an adversary to do enough extra work after having already captured your password that unless they’re specifically targeting you, the odds favor discovering and correcting the original breach before much harm can be done. For that use and that use only, it performs about as well as TOTP.

If you can reset your email password with an SMS message and reset your bank password with an email then SMS has been misused as a very weak single factor authentication process. Not because SMS offers weak authentication (that’s all it’s meant to offer) but because it was used incorrectly in a process that needed strong authentication.

Regards,
Bill Herrin

I’m sorry - I think we miscommunicated here.

I was not advocating for TOTP or HOTP for SMS - in fact I’m completely against SMS being used for multi factor auth at all.

-j

I wonder how much of this is moot because the amount of actual SS7 is low and getting lower every day. Aren’t most “SMS” messages these days just SIP MESSAGE transactions, or maybe they use XMPP? As I understand a lot of the cell carriers are using SIPoLTE directly to your phone.

Mike

One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been so many places where there is just about zero chance of my T-Mobile SIM successfully roaming onto the local network and receiving SMS at my US or Canadian number successfully.

What am I supposed to do, take the SIM out of my phone, put it in a burner and give it to a trusted family member in North America, just for the purpose of receiving SMS 2FA codes (which I then have to call them and get the code from manually each time), before going somewhere weird?

In the pre covid19 era when people were actually traveling places, imagine you’ve had reason to go somewhere weird and need access to a thing (such as your online banking, perhaps?) protected by SMS 2FA, but you have absolutely no way of receiving the SMS where you’re presently located…

Many of the people designing SMS 2FA systems used by people with accounts/services in the US 50 states and Canada seem to assume that their domestic customers will forever remain in a domestic location.

This is a practical problem that I suffer with one of my South African providers, every time I traveled to the U.S. in the last 3 years. I could roam on all GSM networks in the U.S., and even make voice calls, but SMSes would not get delivered. Delivery of those only resumed the moment I transited in the Gulf on my way back home. This did not affect other countries I traveled to. But you are right, most network operators and SMS authentication designers do not necessarily work together to account for folk that travel.

Mark.