by olliepop 2405 days ago
No doubt because Jack Dorsey was SIM jacked[1]. SMS 2FA is incredibly insecure.

[1] https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-...


I still don't understand this. If SIM swapping were the problem then it isn't SMS 2FA that is insecure, it is the telcos themselves, and especially US telcos.

In many other parts of the world, switching SIMs (SIM swapping) requires showing proof of identification, as well as a written form and signature.

And any CS accessing customer information is instantly logged; there is no way to pay $1000 to change or SIM swap without going through the proper procedure (should there be one), and they will be fired for any misconduct.

SMS might not be the best solution for security, but for the average Joe, that is nearly 4 billion smartphone users, it is better than nothing.

Maybe had Apple created their own MVNO this problem could be solved.

For the purposes of 2FA implementations it doesn't matter why SMS is insecure, only that it is insecure. Since it's probably not within your power to force your telco to change their insecure business practices, avoiding relying on them for 2FA is your only alternative.
Exactly this. Also want to add that phone numbers were never really meant to function as identity providers. For this reason I think it's important not to use the real number on your cell phone for anything -- VOIP numbers are best if the only method of 2FA offered is phone number.
SMS 2FA is insecure because companies implement it in a way that makes it one-factor.

Forgot your password - reset your password - get an SMS

When there is no second factor involved, it's not 2FA despite people calling it that.

I agree the problem is that the implementation of a backup for 1FA ends up coming back to the phone. But often the target service has no certainty of which mechanisms are going where.

They send to your email. They use TOTP. They use OAuth, etc., etc. What other things do accounts go back to, either your SIM or someone stealing your phone, SIM and all?

Even U2F will fall down this hole soon since everyone wants to implement it on phones! Will the attestation certs for phones say multipurpose device that is probably involved in other factors?

As far as I know, the service telcos provide is the ability to make calls, receive calls, send text messages, receive them, etc.

Telcos don't get paid to securely provide SIMs. They make hardly any claims regarding the security of your calls, text messages, etc.

So it is rather odd to hold telcos responsible for the failure of some security mechanism they were never part of.

The rationalisation here is mindblowing.

By the same logic, no company should ever be held responsible for harm to users of their products caused by product defects: after all, they never made any claims regarding their products being safe to use.

I mean, I think the ship has pretty much sailed on this one, but I think they've got a case: companies just started using "can receive a text at a given number" as a security verification, which suddenly made it the telco's problem to make sure such a thing was secure when before it was a more informal system.
Normal defects are 'easy': you have a contract to obtain a product or service with certain features. If the product or service doesn't have those features, it is a defect and a failure of the providing party to comply with the contract.

Of course, no phone contract says anything about securing SIMs (for the purpose of authentication). So it cannot be a defect.

Safe to use is often in relation to bodily harm, which doesn't apply in this case. Outside any specific law, if you use an unencrypted text messaging service between subscribers for authentication purposes, then you are on your own.

In this case, the actual harm is caused by the companies that decided to use text messaging for authentication purposes without verifying that the underlying service is fit for purpose (or having a contract with telcos that explicitly lists this purpose).

Of course, nobody is going after Twitter to recover damages from them.

Sure, and Ford never promised cars that wouldn't explode on a rear-end collision.

Telcos have a very poor service for the extortionate prices they charge. At some point your phone number is tied to your identity and should be secured as such (ah but nobody cares about that right?)

Since someone's phone number is incredibly important for all sorts of reasons, it is definitely the company's fault for making it so easy to hijack.
That's rather bizarre logic. An obligation to keep something secure comes either from a specific law, or from something specific in a contract.

The fact something is important to you, and you failed to negotiate that in your contract, doesn't mean that the company providing the service is somehow required to take that into account.

You're telling me that offering a service comes with no guarantee of the service? If I'm paying you, but you're no longer providing the service to me, but to some third party, how is that upholding the contract?

If you order food in a restaurant and someone takes the food from the waiter before you can have it, what would you want the restaurant to do?

The service is that you can receive messages. The service is not that you are the only one who can receive those messages. If someone commits fraud and obtains a SIM with your number then the telco is in general quite willing to correct the error. Maybe they will even give you an extra copy of the messages that were lost.

It's like going to a fast food restaurant and later complaining that the meat is of low quality.

This is really twisted logic you're trying to use.

If I entrust my email to Google, them having corrupt employees who give my email to other people would be a serious issue, for security, privacy and a myriad of other reasons. This is exactly what's happening at phone companies.

I agree with you if you are saying Telcos have no economic incentive to take any security posture for their customers. Regular users cannot fathom that the service they pay for is somehow able to be manipulated and that their communications can be redirected arbitrarily without legal order via technical means.

It is known that there are security issues with SS7 specifically [0][1][2], and the global telecom network was, it seems, never secured. I would conjecture that there are some other problems with mobile phones[3], some that we are not aware of.

I also am in lock step with your claim that this should not be surprising.

Telcos are indeed not paid for security. The security of the telephone network must not be counted on. In fact, military and government business must often be executed on special non-public phone exchanges or SIPRnet. Telcos do not offer any security guarantees, and are rather obstinate toward any demands such as this. Negotiating a more secure service is impossible.

>So it is rather odd to hold telcos responsible for the failure of some security mechanism they were never part of.

It is certainly not odd. If the general public wakes up and their assigned phone numbers are meaningless, all of their customers will be unhappy; it simply wouldn't pass the sniff test of a 6-year-old.

However, there is positively no incentive for anybody to shop for security in this space. Few living people believe or can even fathom that there could be a problem with using their phones in this manner. Despite the public fraud[2] that has been enabled by the telcos' apparent lack of any security engineering, the market is not providing any security mechanisms for this, I would imagine in part due to the concessions on interoperability made during the development of these global telco protocols.

There appears to have been zero work done on the security of this critical system. Customers do not recognize any possible threats, telcos have no interest in improving their networks in this regard, and the US government has developed a nickel allergy towards telco regulation in the 30 or 40 years following the Bell conclusion. Finally, telcos don't care to change, and if they did there would be decades-long disputes regarding implementation.

No, it is wholly unsurprising to find an entrenched, obstinate partner in this field.

[0] https://www.schneier.com/blog/archives/2014/12/ss7_vulnerabi...

[1] https://simjacker.com/downloads/technicalpapers/AdaptiveMobi...

[2] https://arstechnica.com/information-technology/2017/05/thiev...

[3] https://www.schneier.com/blog/archives/2016/09/leaked_stingr...

Various countries besides the US (often other "Anglo" countries) don't require any identification to get a SIM card, while as you mentioned some countries require identification and sometimes even more steps like physical address verification. In my experience as a tourist, these additional steps are sometimes unnecessarily complex and are often somewhat of a hassle.

An argument can be made that this hassle is worth it for security concerns (which is what they often tend to be sold as) but personally I find it less reasonable for preventing against SIM swap hacks when there are many alternatives to SMS 2FA.

> to get a SIM card

Getting a new card is not the same as swapping.

I don't know of any way of transferring a phone number to a card you already possess; the only way is re-provisioning to a brand new card.
Swapping a SIM card and verifying identity requires some identity to match with, presumably provided at time of activation.
You can also show fake ID at a competing telco sales point and tell them you want to move the number in Sweden. It happened to me that, depending on which provider the call was coming from, sometimes it would reach me and sometimes not.
No. In addition to what you have mentioned, and what sibling comments have noted about implementation, it is SMS that is (has been? But I can't find info on whether this has been remedied) insecure as well. This is the "SimJacker" whitepaper describing technical means of hijacking, among other games.

https://simjacker.com/downloads/technicalpapers/AdaptiveMobi...

> In many other parts of the world, switching SIMs (SIM swapping) requires showing proof of identification, as well as a written form and signature.

Minimum wage employees don’t give a shit. Always exploited.

> it isn't SMS 2FA that is insecure, it is the telco themselves

I have some rope at home. The manufacturers specify it's blue, 8mm, polypropylene and for 'general use' but they don't say anything about its strength. Cost about $5.

If I lift something with it and it breaks, is it the rope's fault, or my fault for selecting the wrong rope?

SMS is the same way - is sim jacking the telco's fault, or is a company using SMS 2FA as dumb as lifting a piano with my $5 rope?

Is it acceptable for anyone to be able to just walk into a store and hijack your phone number? Guess it’s just your fault your grandma now gets to talk to a crook when she calls you.
> Maybe had Apple created their own MVNO this problem could be solved.

I think the only reason they haven't is because they don't want the customer service headache that running & supporting a network generates.

Bad signals, stolen phones, billing etc. Urgh.

It's not just SIM swapping that's the problem.

The protocol/network used for international SMS (SS7) is supposedly very insecure and can be used to hijack messages.

haha ;-). Yes, you need a signature and legal document, both checked by your random, always late and in a hurry EMS courier when receiving the new SIM package. Same when starting new CC.
Password reset by SMS is not 2FA. It's a single insecure factor.
Yeah, a lot of banks still use SMS 2FA and don't even let you log in/approve a payment without SMS verification.
I wish. Mine just removed the SMS option. I now have to install an App that wants full telephony access. And is obviously only available in the google play store, requiring me to accept google terms.

Is it safe? I don't know. Doesn't seem to be a widely used standard. Haven't found technical details. Only a mention of "cryptography" in the marketing material. So yeah, I don't really feel much safer.

Give them the access to your Android-x86 VM first :)
I think SMS 2FA is fine for the most part, so long as you have a decent password; the problem is when companies introduce recovery numbers and make it back into 1FA.
How is it fine for the most part when it’s been shown that thousands of employees working at the mobile network have the ability to forward your number thereby rendering the 2nd factor useless?

More importantly, there simply isn’t a reason why TOTP, a superior actually secure 2nd factor that doesn’t rely on a third party, can’t be offered, unless you want to force the user to cough up their phone number so you can track them.

TOTP is great for you and me, but the average Joe totally does lose their phone and get locked out. Forget recovery codes, what the hell are those, they can’t even keep track of passwords. Authy provides encrypted backups you say? See “can’t keep track passwords”.

Don’t even get me started on physical security keys. I could hardly even convince myself to use one, let alone always having at least one backup. Imagine asking my mom to do that.

At the end of the day, the average Joe needs a recovery mechanism that’s not tied to their memory and doesn’t make their everyday interactions a pita. Phone number is just one step below government IDs (which people would be uncomfortable to supply for most sites) and the challenge response could be easily automated, making it ideal. It’s being ruined because of the incompetence of telecom operators.

I wonder if requiring physical appearance with government ID for a SIM change, and making fraudulent SIM issuance a fireable offense would drastically cut down on SIM jacking. (Before anyone points it out, I do envision fraudsters applying for telecom jobs just to do this.)

Now, I’m not arguing TOTP without recovery phone number shouldn’t be an option. I opt into it whenever possible.

>Don’t even get me started on physical security keys

Well, I haven't seen a single person who wouldn't have one. We use them for cars and houses, though.

And credit/debit cards, I bet you have them too. It's a physical security key to the ATM. Classic 2FA spirit: something you have (the card) + something you know (PIN code).

The point is, people don't have problems with physical security keys. Programmers (and hardware vendors) do, which means no standards and clunky UI.

Physical keys go into designated keyholes, and give you physical access to something. Physical cards go into dedicated machines, and give you access to a physical transaction, cash, deposit box, etc. Physical objects for physical access.

Physical U2F keys get in the way of all-digital flows. They also need to interact with all kinds of non-dedicated devices, something they do a less than stellar job of. Bluetooth and NFC keys are young, setup process isn’t great and reliability seems to vary; USB keys require a USB port which might be occupied by other things or available only in another physically incompatible shape.

So, we are agreeing?

The keys aren't the problem, the engineers are. In this day and age, every device should have a digital keyhole (NFC, whatever) - and it should not take more than "insert or hold X next to Y".

Re: "physical process": something tells me you didn't type this message telepathically. UX is a physical process, and 99.99% of the time, it's doing something with your hands anyway. (Alexa/Siri/OK Google are a different beast).

If every other phone can have a fingerprint scanner, it can have something for actual keys too.

Moreover, imagine this: your devices could have built-in hardware keys that you can register with your bank/etc should you desire that convenience.

Still proper 2FA: your phone number is just an account, which is at the whim of your service provider, but your device is something you have.

Before pushing stuff like TOTP, we need to get everyone on board with using a password manager correctly. I use one and it's a quality of life improvement as well as a security improvement. I only have to remember one password, and I have all of my credentials on my phone and my browser. It's set to automatically lock after some minutes, so I'm secure most of the time. I just checked and I have over 100 passwords in my password manager, and there's no way I would be able to have a unique password for each one and remember them all.

It's a bit of an "eggs in one basket" situation, but given that people tend to use the same password everywhere, I see it as strictly a step up since it's much less likely for your password manager to be compromised (targeted attack in most cases) than for a site to be hacked.

Once everyone is using password managers consistently, then we can start to talk about TOTP and other 2FA tools, and at first only use it to secure the password manager.

Once we solve the password manager problem, most other problems go away. You don't need to reset passwords if you have it in your password database (your computer won't forget it). You don't have to come up with passwords that match some arbitrary set of requirements, you let your computer do that. If you get recovery codes, stick them next to your passwords in your password manager. If there's a breach, your password manager can likely tell you which accounts are affected, and you can just change those instead of every site that you use that password on.

So yeah, 2FA is nice, but improving how people use the first factor is far more important and actually makes peoples' lives easier.

I have pushed my parents to use a password manager multiple times over the years but failed (it’s as simple as adding them to my existing 1Password subscription). My father being a software engineer out of all professions.
I think it's fine because in order for someone to hack me if I have true 2FA authentication with SMS, they would have to both get my password and do some kind of social engineering attack to get access to my messages. If you have a secure password already, that is probably good enough security for the vast majority of people.

Just because the second factor can be compromised, doesn't make it useless. Pretty much any security mechanism can be breached, it's all about increasing the difficulty of an attack until it matches the value of what you are trying to protect. SMS 2FA protects you against untargeted attacks like credential stuffing, which is probably sufficient for 95% of people.

> they would both have to both get my password, and do some kind of social engineering attack to get access to my messages.

You must have not followed any SIM-jacking story, which is the point of this entire thread.

1. They don’t need your password because their goal is a password reset through your recovery phone, or recovery email address “secured” by a recovery phone.

2. They do social engineering on telecom employees (or outright buy them out for a pittance) to not only get access to your messages, but take over your entire link to your cellular network. You’re not involved in any of this.

TL;DR: the second factor makes you less secure, not more. It’s a downgrade from a secure password. It makes you defenseless.
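Added worked example (not from any commenter in the thread) for the point made in this comment and in the earlier "Forgot your password - reset your password - get an SMS" comment: whether SMS is a second factor depends on every path into the account, not on what the login form asks for. The script models each login or recovery path as the set of assets an attacker must control, plus "derivations" for assets that can themselves be recovered from other assets (a mailbox whose own reset goes to the same phone), and computes the real factor count. The policies and asset names are constructed illustrations, not any particular service's flow.

```python
# Added example, not from the original thread: which assets let an attacker in?
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

Policy = Dict[str, Set[str]]              # path name -> assets that path needs
Derivations = Dict[str, List[Set[str]]]   # asset -> ways to obtain it from others

# Constructed policies (illustrative, not any real service):
# "password + SMS code" login, but a forgot-password flow that only needs SMS.
SMS_2FA_WITH_SMS_RESET: Policy = {
    "login": {"password", "phone_number"},
    "password_reset": {"phone_number"},
}
# Same login; reset instead goes to an email mailbox.
SMS_2FA_EMAIL_RESET: Policy = {
    "login": {"password", "phone_number"},
    "password_reset": {"email_mailbox"},
}
# TOTP login with printed recovery codes that still require the password.
TOTP_WITH_RECOVERY_CODES: Policy = {
    "login": {"password", "totp_secret"},
    "recovery": {"password", "recovery_codes"},
}
# The email provider lets the mailbox itself be recovered via the same phone.
EMAIL_RECOVERABLE_BY_PHONE: Derivations = {
    "email_mailbox": [{"phone_number"}],
}


def expand(holdings: Iterable[str], derivations: Derivations) -> FrozenSet[str]:
    """Everything the attacker ends up controlling: start from what they hold
    and follow derivations to a fixpoint."""
    owned = set(holdings)
    changed = True
    while changed:
        changed = False
        for asset, ways in derivations.items():
            if asset not in owned and any(way <= owned for way in ways):
                owned.add(asset)
                changed = True
    return frozenset(owned)


def can_take_over(holdings: Iterable[str], policy: Policy,
                  derivations: Optional[Derivations] = None) -> bool:
    """True if some path into the account needs only assets the attacker has,
    directly or through derivations."""
    owned = expand(holdings, derivations or {})
    return any(path <= owned for path in policy.values())


def all_assets(policy: Policy, derivations: Optional[Derivations] = None) -> Set[str]:
    """Every asset named anywhere in the policy or its derivations."""
    assets: Set[str] = set()
    for path in policy.values():
        assets |= path
    for asset, ways in (derivations or {}).items():
        assets.add(asset)
        for way in ways:
            assets |= way
    return assets


def single_points_of_failure(policy: Policy,
                             derivations: Optional[Derivations] = None) -> List[str]:
    """Assets that by themselves grant access, e.g. the phone number once a
    forgot-password flow or a recovery mailbox hangs off it."""
    return sorted(a for a in all_assets(policy, derivations)
                  if can_take_over({a}, policy, derivations))


def effective_factors(policy: Policy,
                      derivations: Optional[Derivations] = None) -> int:
    """Smallest number of assets that suffice on the cheapest path: the real
    factor count, as opposed to how many things the login form asks for.
    Brute force over subsets; asset universes here are tiny."""
    assets = sorted(all_assets(policy, derivations))
    for k in range(1, len(assets) + 1):
        if any(can_take_over(c, policy, derivations) for c in combinations(assets, k)):
            return k
    return len(assets)


if __name__ == "__main__":
    for name, pol, der in [
        ("SMS 2FA, SMS reset", SMS_2FA_WITH_SMS_RESET, None),
        ("SMS 2FA, email reset", SMS_2FA_EMAIL_RESET, None),
        ("SMS 2FA, email reset, email recoverable by phone",
         SMS_2FA_EMAIL_RESET, EMAIL_RECOVERABLE_BY_PHONE),
        ("TOTP + recovery codes", TOTP_WITH_RECOVERY_CODES, None),
    ]:
        print(f"{name}: {effective_factors(pol, der)} factor(s), "
              f"single points of failure: {single_points_of_failure(pol, der)}")
```

The middle two cases are the one this comment describes: with an email reset the phone number alone does not get in, until the mailbox provider adds its own SMS recovery, at which point the phone number is again a single point of failure and the account is effectively one-factor.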

As I said in my first comment, a recovery number turns it from 2FA into single factor. Obviously that is less secure, since a phone number is generally less secure than a password. I'm talking about true 2FA over SMS.
Recovery numbers should be stored somewhere safe, like your house. If your attackers have access to your house they could beat you up with a baseball bat instead of going through the trouble with finding your recovery codes and phishing your passwords.
The attacker would have to steal the password and SMSjack someone; that’s a fairly tall order (maybe feasible for targeted attacks, but it should be sufficient to thwart opportunistic attacks.) The problem is that many sites allow password resets with the SMS, thus rendering it 1F, as GP said.
2FA is more secure than 1FA as it takes more efforts to break. It is enough for many people, but targets that are worth the money and risk of bribing a phone company's employees may need additional security.

Breakable != useless.

I agree when SMS 2FA is strictly in addition to a password, and the phone number isn’t used for account recovery (or marketing), it is theoretically no worse than just a password. The problem is it still with great 2FA, and the kind of sites which do SMS 2FA are exactly the ones incompetent enough to turn it into SMS-based password recovery which is worse than no 2FA.

(The other use of SMS which is somewhat legitimate is as a cost gate to create new accounts. Generally creating a new SMS receiving phone number costs someone more than a new email, so if you want to crudely limit creation of large numbers of accounts by individual users, it can be an option.)

Really 1/2 FA.
What part of SIM-jacked did you not understand?

It's not about your password. It's about social engineering. Bad guys call their buddies at some mobile phone co. and get your number switched for a few minutes, then they call your bank and get them to change your password which they do because they trust SMS 2FA which now goes to the bad guys, and then they take your money, and you find out much later. Password quality has zero to do with any of this.

You seem to have missed part of his comment: "the problem is when companies introduce recovery numbers and make it back into 1FA".