Caute_cautim
Community Champion

Is SMS 2FA Sufficient Login Protection?

Hi All

Given the recent Reddit security breaches and associated issues with SMS and 2FA authentication, and NIST back in 2016 recommending that you do not use it. Quite a few telcos have switched to using SS7 signaling to protect themselves and their clients? Is this sufficient? What are your professional recommendations, given that a lot of security groups are discussing this subject at the present time?

https://www.schneier.com/blog/archives/2005/03/the_failure_of.html

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

https://www.darkreading.com/endpoint/authentication/is-sms-2fa-enough-login-protection/d/d-id/133247...

https://www.schneier.com/blog/archives/2017/05/criminals_are_n.html

What would you recommend to your employers when asked about the subject?

Regards

Caute_cautim

11 Replies
mikkosuomu
Newcomer II

Although there are issues with SS7 security, abusing it still requires quite a few resources, i.e. it is not completely trivial. There are, however, other ways to steal the SMS second factor, such as SIM swap and port-out scams. These attacks are much more feasible. See e.g. https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/
CISOScott
Community Champion

I used to think 2FA was a pretty good and robust idea. Then I listened to a social-engineer podcast where they had this hacker on and he told how he had bypassed 2FA through flaws/errors in the cell phone technology. I thought "Well, there goes that idea!"

Here is the link to the podcast if you are interested in seeing how he did it.

https://www.social-engineer.org/podcast/ep-101-flash-bangs-reformation-social-engineer/