Malicious SS7 activity and why SMS should never be used for 2FA

[...]

In the pre-COVID-19 era when people were actually traveling places,
imagine you've had reason to go somewhere weird and need access to a
thing (such as your online banking, perhaps?) protected by SMS 2FA,
but you have absolutely no way of receiving the SMS where you're
presently located...

Many of the people designing SMS 2FA systems used by people with
accounts/services in the US 50 states and Canada seem to assume that
their domestic customers will forever remain in a domestic location.

This is a practical problem that I have suffered with one of my South African
providers every time I traveled to the U.S. in the last 3 years. I
could roam on all GSM networks in the U.S., and even make voice calls,
but SMS's would not get delivered. Delivery of those only resumed the
moment I transited in the Gulf on my way back home. This did not affect
other countries I traveled to.

But you are right, most network operators and SMS authentication
designers do not necessarily work together to account for folk that travel.

This is already probably past the point of being on topic here, but you
tickled my personal favorite one of these.

My airline of choice (Qantas) has a mandatory SMS second factor, which,
after perhaps a mobile carrier requiring it for support, is one of the most
facepalm-worthy uses of SMS 2FA I've seen.

It's interesting that VoWiFi is meant to support both voice and SMS, domestically and when one travels. So I'm curious why SMS's would not work with VoWiFi when traveling to a country that won't deliver your SMS's generically. After all, VoWiFi is, as far as I understand it, meant to be a direct IP tunnel back to your home network for both billing and service.

If anyone has more clue about this on the list, I'd really like to know, as my mobile service providers hardly know what I'm talking about when I ring them up with questions.

Mark.

I would start with cellular carriers and nations that intentionally take steps to block anything VoIP as a threat to their revenue model. Or because anything VPN/IPsec/whatever related is a threat to local Internet censorship laws.

Plenty of places the sort of IPsec tunnel used for VoWiFi is not usable on whatever consumer-grade cellular or local broadband ISP you might find.

Not sure what that says for the US of A, as that is where this has hit me so far.

Mark.

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn’t require any Internet or cellular connection.

Lots of people still use feature phones that are not capable of running applications such as this.

Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk.

-mel

Most regular folk (especially those that may not have smartphones) who have the option of SMS or a key fob will end up using SMS because it does not cause them to spend time standing in a queue in a building to give up cash.

Their belief that SMS is secure (enough) has nothing to do with whether it actually is. It's all about convenience, and how much they can get done without speaking to a human.

If a key fob can be sent to them - preferably for free - that would help.

Mark.

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those for whom spending $30 on said hardware token is financially obtrusive. (Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can’t install apps, that’s an interesting circular dependency.)

I’m not arguing for or against anything here honestly. I’m just pointing out that we (as in the technical community we) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income, or parts of the world not as technologically developed as we might be ourselves, and we should try to shrink that gap whenever possible, not make it worse.

This!

Nowadays, the businesses that tend to do very well while seeming like a black box to most of their customers, are the ones who are consistently solving problems from the perspective of real people, at scale.

If you solve it for 1, you solve it for 10,000 - and then the rest of exponential impact.

Mark.

I’d add to that that people probably shouldn’t treat phones as a significant increase in security; it’s not really the out-of-band device that it used to be/was in the 1990s. Today, it basically equates to a second computer, and the probability that the second computer is also compromised isn’t overly unrealistic. While the focus is rightfully on SMS, I’d basically consider anything that isn’t a hardware token to be more or less the same, although in fairness the specifics of what we’re talking about here don’t include any of the computers involved, which is a different problem.

Tom,

Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear phishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security companies aren’t ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.

-mel

I'd add to that that people probably shouldn't treat phones as a
significant increase in security, it's not really the out-of-band
device that it used to be/was in the 1990s. Today, it basically
equates to a second computer and the probability that the second
computer is also compromised isn't overly unrealistic.

by the same attacker? raises the bar a bit. it's just a second factor,
not a guarantee.

i am a fan of the google token and don't like having to carry a
different hw token for everyone who wants to hw 2fa me.

but i think $ubject is correct. sms 2fa is roadkill.

randy

These low-income people are not the targets of identity thieves, spear phishers, or data ransomers.

This is patently false. Low-income / disabled / minority / non-English speakers are absolutely targets of scams like those, and in significant numbers.

Can you cite data? Or provide a rational argument other than “they are”?

-mel via cell

https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf

https://www.bjs.gov/content/pub/pdf/vit18.pdf

I don’t see any data showing that poor people are targets of account access attacks. Can you point out the specific data you think supports your claim?

-mel via cell

Can you point out the specific data you think supports your claim?

I can, but I’m not going to, because that’s not what this side discussion has been based on.

You said :

These low-income people are not the targets of identity thieves, spear phishers, or data ransomers.

I just showed you data that shows they are, but now you are trying to move the goalposts with new quantifiers. I think this discussion has run its course for me. Take care.

It's all about convenience, and how much they can get
done without speaking to a human.

Hi Mark,

Convenience is the most important factor in any security scheme. The
user nearly always has a choice, even if the choice is as
rough-grained as "switch to a different company." If your process is
too onerous (the user's notion of onerous) then it simply won't be
used. An effective security scheme is the strongest which can be built
within that boundary.

If a key fob can be sent to them - preferably for free - that would help.

Hint: carrying around a separate hardware fob for each important
Internet-based service is a non-starter. Users might do it for their
one or two most important services but yours isn't one of them.

Regards,
Bill Herrin

The goal of U2F is one key fob that works on many services. Implementation is pretty simple and the hardware is inexpensive.

It appears that William Herrin <bill@herrin.us> said:

If a key fob can be sent to them - preferably for free - that would help.

Hint: carrying around a separate hardware fob for each important
Internet-based service is a non-starter. Users might do it for their
one or two most important services but yours isn't one of them.

You think?

R's,
John