[peterwwillis]

By taking control of your phone number or the radio network your phone connects to, or attacking the signaling network itself, to intercept information going to your phone number.

Basically, imagine every conceivable way any human or computer might at any point interact with a plaintext signaling packet designed to be passed around the world by different companies and eventually read by people. Now attack all of them. Something somewhere will give it up.

[bdamm]

It's fairly easy to claim the general case, and indeed you're right. But the challenge is that not all attackers have infinite resources, and the ones that effectively do us small fry really can't protect against anyway, because they're already where they need to be.

So specific information on known attack paths is an interesting conversation, because part of the SMS 2FA security is the belief that while 1-off SMS 2FA attacks are possible, they generally don't scale, and so that puts a high cost on carrying out the SMS 2FA, or informs a limit on the value that can be protected by SMS 2FA.

So, good for reddit? Maybe yes. Good for your bank? Maybe not, but maybe yes, depending on the diligence of the customer, the robustness of anti-fraud measures, and the cost of fraud insurance.

[oarsinsync]

> So, good for reddit? Maybe yes. Good for your bank? Maybe not, but maybe yes, depending on the diligence of the customer

Good for Instagram? Maybe no, without much dependence on the diligence of the customer.

https://motherboard.vice.com/en_us/article/vbqax3/hackers-si...

[bdamm]

Alrighty then. Thanks for the enlightening read.

[rrdharan]

And for all that, you get an 11 year old partial dump?

The ROI doesn't seem that high.

[peterwwillis]

Never underestimate the determination of bored Reddit trolls.

(Actually, the attackers were likely cybercriminals looking for the whole database of current users. Even with salted hashed passwords, it's trivial to find commonly used passwords and reuse the e-mail address and password to attack other accounts, such as bank accounts, paypal, amazon, facebook, gmail, etc. Each pilfered account adds up to a payday when you sell them on the black market, for things such as money laundering, account draining, and spam)