by judge2020 1559 days ago
The main issue with SMS is that it's unencrypted and often intentionally being piped to third party firms for advertising and whatnot, so whatever you do it probably isn't advisable to send anything you wouldn't want people seeing (eg. I wouldn't suggest doing email via it). If you have even the smallest data cap, https://lite.cnn.com can be used for your news and https://mail.google.com/mail/u/0/h/ (/h/ at the end) will load the mostly pure HTML version of Gmail, or even just imap (without automated push/pull) is pretty lightweight on data usage.

If this is the case, why do so many apps use SMS for 2FA and sending unique links? Are MITM attacks over SMS common?
Well… it’s not necessarily a good idea to do 2FA with SMS. Additionally, the codes sent by SMS are usually very time-sensitive, like 5 minutes.

And it means someone has to have compromised both your computer and your SMS in order to defeat the 2FA. Which doesn’t make it impossible. But it’s not trivial to coordinate those things.

But, to add, SIM swap attacks are a known issue and anything of value becomes a target. The main issue is that retail employees in 'authorized reseller' locations are allowed to make changes to accounts with the PIN of the account holder, but that is often easy to guess or is easy to figure out by anyone that does enough digging into someone's life.

https://www.cnn.com/2020/03/13/tech/sim-hack-million-dollars...

https://youtu.be/caVEiitI2vg?t=145 (tldr he got cold called to set up 'extra security', gave the attacker a PIN number, and the attacker used that to impersonate them within a T-Mobile store and swap the SIM card from the phone into a new phone, thus receiving SMS 2FA codes for their accounts).

On the level of individual accounts, SMS has proven to be vulnerable to compromise. These attacks are pretty labor-intensive though. On the level of an app or service, SMS 2FA is still a big net gain in blocking account compromise though. Individual users, especially anyone who is at a particular risk for targeted attacks, would be wise to seek out more secure solutions.
MITM isn’t common, but the big problem with SMS for 2FA is that mobile numbers are portable. If your number gets ported without your consent then your 2FA codes get sent to a device you don’t control.[1] NIST stopped recommending SMS 2FA half a decade ago for this reason.[2]

[1] https://en.wikipedia.org/wiki/SIM_swap_scam

[2] https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...

Most companies suck at security. Most users suck at security. Convenience > Security. It is sad that SMS as 2FA account recovery actually adds an attack vector. It is less bad as an out-of-band check if you have a password authentication from a known and fingerprinted computer.
Because SMS already has near-universal adoption. As much as I love my yubikey I don't know anyone (in the real world, not HERE) who uses one for a personal account.
End user convenience.
Rather, administrative convenience. Mind that SMS-based 2FA replaced one-time pads (TANs), which required physical handling.