Mailing List Archive

Every SMS 2FA should check the current carrier against the carrier when
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a
few others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:

>
> https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
>
>
> https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
>
>
> Anecdotal: With the prior consent of the DID holders, I have successfully
> ported peoples' numbers using nothing more than a JPG scan of a signature
> that looks like an illegible 150 dpi black and white blob, pasted in an
> image editor on top of a generic looking 'phone bill'.
>
>
>

No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.

-mel via cell

On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim@gmail.com> wrote:

?
Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke@gmail.com<mailto:eric.kuhnke@gmail.com>> wrote:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/


Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

paypal used to openly support token 2fa, but have since made it nearly
impossible to use hardware tokens. they try very hard to ram sms down
everyones throats.

-Dan

On Sun, 18 Apr 2021, Mel Beckman wrote:

> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> -mel via cell
>
> On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim@gmail.com> wrote:
>
> ?
> Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this.
>
> --
> Tim
>
> On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke@gmail.com<mailto:eric.kuhnke@gmail.com>> wrote:
> https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
>
> https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
>
>
> Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
>
>
>

I'd add to that that people probably shouldn't treat phones as a significant increase in security, it's not really the out-of-band device that it used to be/was in the 1990s. Today, it basically equates to a second computer and the probability that the second computer is also compromised isn't overly unrealistic. While the focus is rightfully on SMS, I'd basically consider anything that isn't a hardware token to be more or less the same-- although in fairness the specifics of what we're talking about here doesn't include any of the computers involved, which is a different problem. 18.04.2021, 06:21, "Mel Beckman" <mel@beckman.org>:

No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc. 
 -mel via cell 

On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim@gmail.com> wrote:
 

&#xfeff;Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this. --Tim
 On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:

https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80"]https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80 https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/"]https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/  Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.  

On 4/18/21 05:18, Mel Beckman wrote:

> No, every SMS 2FA should be prohibited by regulatory certifications.
> The telcos had years to secure SMS. They did nothing. The plethora of
> well-secured commercial 2FA authentication tokens, many of them free,
> should be a mandatory replacement for 2FA in every security governance
> regime, such as PCI, financial account access, government web portals,
> etc.

While I agree that SMS is insecure at the moment, I think there still
needs to be a mechanism that does not rely on the presence of an
Internet connection. One may not be able to have access to the Internet
for a number of reasons (traveling, coverage, outage, device, money,
e.t.c.), and a fallback needs to be available to authenticate.

I know some companies have been pushing for voice authentication for
their services through a phone call, in lieu of SMS or DTMF-based PIN's.

We need something that works at the lowest common denominator as well,
because as available as the Internet is worldwide, it's not yet at a
level that one would consider "basic access".

Mark.

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
> ?
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.

On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
> Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication
factor is not secure enough; that's why you use two. SMS for 1FA is
hugely risky and should not be used for anything important, like
money. SMS for a password reset is an example of 1FA -- your ability
to receive SMS messages at the required phone number becomes the sole
authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your
phone number, what makes you think they lack the wherewithal to have
captured the shared secret used to generate your TOTP code?

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/

Bill,

SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

-mel

On Apr 18, 2021, at 6:31 AM, William Herrin <bill@herrin.us> wrote:

?On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication
factor is not secure enough; that's why you use two. SMS for 1FA is
hugely risky and should not be used for anything important, like
money. SMS for a password reset is an example of 1FA -- your ability
to receive SMS messages at the required phone number becomes the sole
authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your
phone number, what makes you think they lack the wherewithal to have
captured the shared secret used to generate your TOTP code?

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org> wrote:
> SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:
>
> https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/

Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS?

Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others.

Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations.

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html

-mel

On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us<mailto:bill@herrin.us>> wrote:

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/

Bill,

You don’t even have to bother with social engineering, as Bruce Schneier points out in his blog from last month:

https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html

"It turns out that with a little bit of anonymous money — in this case, $16 off an anonymous prepaid credit card — and a few lies, you can forward the text messages from any phone to any other phone.”

-mel

On Apr 18, 2021, at 8:24 AM, Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote:

Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS?

Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others.

Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations.

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html

-mel

On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us<mailto:bill@herrin.us>> wrote:

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us<mailto:bill@herrin.us>
https://bill.herrin.us/

On 4/18/21 15:04, Mel Beckman wrote:

> As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
>
> There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

It's quite likely that most institutions (especially financial ones)
will prefer to use their own homegrown app-based authenticators. But
again, those require a smartphone, which is still not the most basic
pathway.

The good news - I just ran a test to log on to my banking profile from
my laptop. I disconnected my phone from the world (Airplane mode) and
while the app complained about not having Internet access, it was still
able to generate a log-on, transaction or re-authentication code. So
that helps. But that's just one of them... the other banks I use either
don't have apps that replace physical authenticators, or require an
Internet connection for 2FA. Thankfully, none of them require SMS to
authenticate.

Nearly all the banks use SMS to either confirm a transaction has taken
place, or to deliver an OTP to complete a transaction (but don't use SMS
to do the initial or follow-up authentication).

Some of them are sending secure messages to confirm (and notify about)
transactions within their apps, in lieu of SMS.

Mark.

On Sun, Apr 18, 2021 at 8:31 AM Mel Beckman <mel@beckman.org> wrote:
> You don’t even have to bother with social engineering [...]
> $16 off an anonymous prepaid credit card — and a few lies

Mel,

What do you think social engineering is? It's a couple well placed
lies that convince someone to do the wrong thing.

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/

Fine. And you think 2FA trivially susceptible to social engineering is OK. “Come on, man”, as Biden would say :)

-mel

> On Apr 18, 2021, at 11:29 AM, William Herrin <bill@herrin.us> wrote:
>
> ?On Sun, Apr 18, 2021 at 8:31 AM Mel Beckman <mel@beckman.org> wrote:
>> You don’t even have to bother with social engineering [...]
>> $16 off an anonymous prepaid credit card — and a few lies
>
> Mel,
>
> What do you think social engineering is? It's a couple well placed
> lies that convince someone to do the wrong thing.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/

On top of this most TOTP and HOTP systems have additional security checks
like blocking reuse of codes, rate-limiting of guesses, and in some cases
acceptance of earlier codes (in TOTP) if the clock skews too far that make
them much stronger options which decreases security but is certainly more
of a convenience factor.

-john


On Sun, Apr 18, 2021 at 6:06 AM Mel Beckman <mel@beckman.org> wrote:

> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection. The authenticated system generates a
> secret key - a unique 16 or 32 character alphanumeric code. This key is
> scanned by GA or can be entered manually and as a result, both the
> authenticated system and GA know the same secret key, and can compute the
> time-based 2nd factor OTP just as hardware tokens do.
>
> There are two algorithms: HOTP and TOTP. The main difference is in OTP
> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
> TOTP times out after some specified interval - usually 30 or 60 seconds.
> For TOTP, the system time must be synced, otherwise the generated OTPs will
> be wrong. But you can get accurate enough clock time without the Internet,
> either manually using some radio source such as WWV, or by GPS or cellular
> system synchronization.
>
> -mel
>
> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
> >
> > ?
> >
> >> On 4/18/21 05:18, Mel Beckman wrote:
> >>
> >> No, every SMS 2FA should be prohibited by regulatory certifications.
> The telcos had years to secure SMS. They did nothing. The plethora of
> well-secured commercial 2FA authentication tokens, many of them free,
> should be a mandatory replacement for 2FA in every security governance
> regime, such as PCI, financial account access, government web portals, etc.
> >
> > While I agree that SMS is insecure at the moment, I think there still
> needs to be a mechanism that does not rely on the presence of an Internet
> connection. One may not be able to have access to the Internet for a number
> of reasons (traveling, coverage, outage, device, money, e.t.c.), and a
> fallback needs to be available to authenticate.
> >
> > I know some companies have been pushing for voice authentication for
> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
> >
> > We need something that works at the lowest common denominator as well,
> because as available as the Internet is worldwide, it's not yet at a level
> that one would consider "basic access".
> >
> > Mark.
>

On Sun, Apr 18, 2021 at 12:03 PM John Adams <jna@retina.net> wrote:
> On top of this most TOTP and HOTP systems have additional security checks
like blocking reuse of codes, rate-limiting of guesses, and in some cases
acceptance of earlier codes (in TOTP) if the clock skews too far that make
them much stronger options which decreases security but is certainly more
of a convenience factor.

Hi John,

On a site, the symmetric key used to generate the TOTP code is stored in
the same database as the user's password. Unencrypted or with readily
reversible encryption since unlike a password it can't be verified by
comparing ciphertext. Your protection is that every site uses a different
TOTP key, just like you're supposed to use a different password, so
compromise of a single site doesn't broadly compromise you elsewhere. It
can also be captured with malware on your phone, the same place an
adversary will sniff your password, which -will- broadly compromise you if
you're also entering the passwords on your phone.

None of these authentication schemes are magic. They all have attack
vectors with varying degrees of difficulty, none of which are particularly
harder than breaking a well chosen password. 2FA doesn't solve this. All it
does is require an adversary to break -two- completely different
authentication schemes in close enough proximity that you won't have closed
the first breach before they gain the second. That's it. That's all it
does.

While attacks on SMS are certainly practical, stop and think for a moment
on how you would scale them up and break 10000 accounts per day. Got a plan
where you're not caught in the first two days? No, you don't.

SMS is not a strong authentication factor. When used well, it's not
intended to be. It's meant to require an adversary to do enough extra work
after having already captured your password that unless they're
specifically targeting you, the odds favor discovering and correcting the
original breach before much harm can be done. For that use and that use
only, it performs about as well as TOTP.

If you can reset your email password with an SMS message and reset your
bank password with an email then SMS has been misused as a very weak single
factor authentication process. Not because SMS offers weak authentication
(that's all it's meant to offer) but because it was used incorrectly in a
process that needed strong authentication.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/

I’m sorry - I think we miscommunicated here.

I was not advocating for TOTP or HOTP for SMS - in fact I’m completely against SMS being used for multi factor auth at all.

-j

Sent from my iPhone

> On Apr 18, 2021, at 12:48, William Herrin <bill@herrin.us> wrote:
>
> ?
> On Sun, Apr 18, 2021 at 12:03 PM John Adams <jna@retina.net> wrote:
> > On top of this most TOTP and HOTP systems have additional security checks like blocking reuse of codes, rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far that make them much stronger options which decreases security but is certainly more of a convenience factor.
>
> Hi John,
>
> On a site, the symmetric key used to generate the TOTP code is stored in the same database as the user's password. Unencrypted or with readily reversible encryption since unlike a password it can't be verified by comparing ciphertext. Your protection is that every site uses a different TOTP key, just like you're supposed to use a different password, so compromise of a single site doesn't broadly compromise you elsewhere. It can also be captured with malware on your phone, the same place an adversary will sniff your password, which -will- broadly compromise you if you're also entering the passwords on your phone.
>
> None of these authentication schemes are magic. They all have attack vectors with varying degrees of difficulty, none of which are particularly harder than breaking a well chosen password. 2FA doesn't solve this. All it does is require an adversary to break -two- completely different authentication schemes in close enough proximity that you won't have closed the first breach before they gain the second. That's it. That's all it does.
>
> While attacks on SMS are certainly practical, stop and think for a moment on how you would scale them up and break 10000 accounts per day. Got a plan where you're not caught in the first two days? No, you don't.
>
> SMS is not a strong authentication factor. When used well, it's not intended to be. It's meant to require an adversary to do enough extra work after having already captured your password that unless they're specifically targeting you, the odds favor discovering and correcting the original breach before much harm can be done. For that use and that use only, it performs about as well as TOTP.
>
> If you can reset your email password with an SMS message and reset your bank password with an email then SMS has been misused as a very weak single factor authentication process. Not because SMS offers weak authentication (that's all it's meant to offer) but because it was used incorrectly in a process that needed strong authentication.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/

I wonder how much of this is moot because the amount of actual SS7 is
low and getting lower every day. Aren't most "SMS" messages these days
just SIP MESSAGE transactions, or maybe they use XMPP? As I understand a
lot of the cell carriers are using SIPoLTE directly to your phone.

Mike

On 4/18/21 8:24 AM, Mel Beckman wrote:
> Although NIST “softened” its stance on SMS for 2FA, it’s still a bad
> choice for 2FA. There are many ways to attack SMS, not the least of
> which is social engineering of the security-unconscious cellular
> carriers. The bottom line is, why use an insecure form of
> communication for 2FA at all? Since very good hardware-token-quality
> OTP apps are freely available, why be so lazy as to implement 2FA
> using radically insecure SMS?
>
> Your argument that 2FA is only meant to “enhance” the security of a
> memorized password is just wrong. 2FA is meant as a /bulwark /against
> passwords that very often are disclosed by data breaches, through no
> fault of the password owner. 2FA enhances nothing. It guards against
> the abject security failures of others.
>
> Consider this sage advice from 2020, long after NIST caved to industry
> pressure on its recommendations.
>
> https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html
> <https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html>
>
>   -mel
>
>> On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us
>> <mailto:bill@herrin.us>> wrote:
>>
>> On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org
>> <mailto:mel@beckman.org>> wrote:
>>> SMS for 2FA is not fine. I recommend you study the issue in more
>>> depth. It’s not just me who disagrees with you:
>>>
>>> https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
>>> <https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html>
>>
>> Mel,
>>
>> That Schneier article is from 2016. The 3/2020 update to the NIST
>> recommendation (four years later and the currently active one) still
>> allows the use of SMS specifically and the PSTN in general as an out
>> of band authenticator in part of a two-factor authentication scheme.
>> The guidance includes a note explaining the social engineering threat
>> to SMS authenticators: "An out of band secret sent via SMS is received
>> by an attacker who has convinced the mobile operator to redirect the
>> victim’s mobile phone to the attacker."
>>
>> https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1
>> <https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1>
>>
>> The bottom line is that an out-of-band authenticator like SMS is meant
>> to -enhance- the security of a memorized secret authenticator, not
>> replace it. If properly used, it does exactly that. If misused, it of
>> course weakens your security.
>>
>> Regards,
>> Bill Herrin
>>
>>
>>
>> --
>> William Herrin
>> bill@herrin.us
>> https://bill.herrin.us/
>

One of my main problems with SMS 2FA from a usability standpoint, aside
from SS7 hijacks and security problems, is that it cannot be relied upon
when traveling in many international locations. I have been *so many places*
where there is just about zero chance of my T-Mobile SIM successfully
roaming onto the local network and receiving SMS at my US or Canadian
number successfully.

What am I supposed to do, take the SIM out of my phone, put it in a burner
and give it to a trusted family member in North America, just for the
purpose of receiving SMS 2FA codes (which I then have to call them and get
the code from manually each time), before going somewhere weird?

In the pre covid19 era when people were actually traveling places, imagine
you've had reason to go somewhere weird and need access to a thing (such as
your online banking, perhaps?) protected by SMS 2FA, but you have
absolutely no way of receiving the SMS where you're presently located...

Many of the people designing SMS 2FA systems used by people with
accounts/services in the US 50 states and Canada seem to assume that their
domestic customers will forever remain in a domestic location.




On Sun, Apr 18, 2021 at 5:44 AM Mark Tinka <mark@tinka.africa> wrote:

>
>
> On 4/18/21 05:18, Mel Beckman wrote:
>
> > No, every SMS 2FA should be prohibited by regulatory certifications.
> > The telcos had years to secure SMS. They did nothing. The plethora of
> > well-secured commercial 2FA authentication tokens, many of them free,
> > should be a mandatory replacement for 2FA in every security governance
> > regime, such as PCI, financial account access, government web portals,
> > etc.
>
> While I agree that SMS is insecure at the moment, I think there still
> needs to be a mechanism that does not rely on the presence of an
> Internet connection. One may not be able to have access to the Internet
> for a number of reasons (traveling, coverage, outage, device, money,
> e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for
> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well,
> because as available as the Internet is worldwide, it's not yet at a
> level that one would consider "basic access".
>
> Mark.
>

On 4/19/21 05:05, Eric Kuhnke wrote:

> One of my main problems with SMS 2FA from a usability standpoint,
> aside from SS7 hijacks and security problems, is that it cannot be
> relied upon when traveling in many international locations. I have
> been /so many places/ where there is just about zero chance of my
> T-Mobile SIM successfully roaming onto the local network and receiving
> SMS at my US or Canadian number successfully.
>
> What am I supposed to do, take the SIM out of my phone, put it in a
> burner and give it to a trusted family member in North America, just
> for the purpose of receiving SMS 2FA codes (which I then have to call
> them and get the code from manually each time), before going somewhere
> weird?
>
> In the pre covid19 era when people were actually traveling places,
> imagine you've had reason to go somewhere weird and need access to a
> thing (such as your online banking, perhaps?) protected by SMS 2FA,
> but you have absolutely no way of receiving the SMS where you're
> presently located...
>
> Many of the people designing SMS 2FA systems used by people with
> accounts/services in the US 50 states and Canada seem to assume that
> their domestic customers will forever remain in a domestic location.

This is a practical problem that I suffer with one of my South African
providers, every time I traveled to the U.S. in the last 3 years. I
could roam on all GSM networks in the U.S., and even make voice calls,
but SMS's would not get delivered. Delivery of those only resumed the
moment I transited in the Gulf on my way back home. This did not affect
other countries I traveled to.

But you are right, most network operators and SMS authentication
designers do not necessarily work together to account for folk that travel.

Mark.

On 19/4/21 2:36 pm, Mark Tinka wrote:
> On 4/19/21 05:05, Eric Kuhnke wrote:
[...]
>> In the pre covid19 era when people were actually traveling places,
>> imagine you've had reason to go somewhere weird and need access to a
>> thing (such as your online banking, perhaps?) protected by SMS 2FA,
>> but you have absolutely no way of receiving the SMS where you're
>> presently located...
>>
>> Many of the people designing SMS 2FA systems used by people with
>> accounts/services in the US 50 states and Canada seem to assume that
>> their domestic customers will forever remain in a domestic location.
>
> This is a practical problem that I suffer with one of my South African
> providers, every time I traveled to the U.S. in the last 3 years. I
> could roam on all GSM networks in the U.S., and even make voice calls,
> but SMS's would not get delivered. Delivery of those only resumed the
> moment I transited in the Gulf on my way back home. This did not affect
> other countries I traveled to.
>
> But you are right, most network operators and SMS authentication
> designers do not necessarily work together to account for folk that travel.

This is already probably past the point of being on topic here, but you
tickled my personal favorite one of these.

My airline of choice (Qantas) has mandatory SMS second factor, after
perhaps a mobile carrier requiring it for support one of the most
facepalm-worthy uses of SMS 2FA I've seen.

On 4/19/21 06:50, Julien Goodwin wrote:

> This is already probably past the point of being on topic here, but you
> tickled my personal favorite one of these.
>
> My airline of choice (Qantas) has mandatory SMS second factor, after
> perhaps a mobile carrier requiring it for support one of the most
> facepalm-worthy uses of SMS 2FA I've seen.

It's interesting that VoWiFi is meant to support both voice and SMS,
domestically and when one travels. So I'm curious why SMS's would not
work with VoWiFi when traveling to a country that won't deliver your
SMS's generically. After all, VoWiFi is, as far as I understand it,
meant to be a direct IP tunnel back to your home network for both
billing and service.

If anyone has more clue about this on the list, I'd really like to know,
as my mobile service providers hardly know what I'm talking about when I
ring them up with questions.

Mark.

I would start with cellular carriers and nations that intentionally take
steps to block anything VoIP as a threat to their revenue model. Or because
anything vpn/ipsec/whatever related is a threat to local Internet
censorship laws.

Plenty of places the sort of ipsec tunnel used for vowifi is not usable on
whatever consumer-grade cellular or local broadband ISP you might find.




On Sun, Apr 18, 2021 at 11:11 PM Mark Tinka <mark@tinka.africa> wrote:

>
>
> On 4/19/21 06:50, Julien Goodwin wrote:
>
> > This is already probably past the point of being on topic here, but you
> > tickled my personal favorite one of these.
> >
> > My airline of choice (Qantas) has mandatory SMS second factor, after
> > perhaps a mobile carrier requiring it for support one of the most
> > facepalm-worthy uses of SMS 2FA I've seen.
>
> It's interesting that VoWiFi is meant to support both voice and SMS,
> domestically and when one travels. So I'm curious why SMS's would not
> work with VoWiFi when traveling to a country that won't deliver your
> SMS's generically. After all, VoWiFi is, as far as I understand it,
> meant to be a direct IP tunnel back to your home network for both
> billing and service.
>
> If anyone has more clue about this on the list, I'd really like to know,
> as my mobile service providers hardly know what I'm talking about when I
> ring them up with questions.
>
> Mark.
>
>

On 4/19/21 11:17, Eric Kuhnke wrote:

> I would start with cellular carriers and nations that intentionally
> take steps to block anything VoIP as a threat to their revenue model.
> Or because anything vpn/ipsec/whatever related is a threat to local
> Internet censorship laws.
>
> Plenty of places the sort of ipsec tunnel used for vowifi is not
> usable on whatever consumer-grade cellular or local broadband ISP you
> might find.

Not sure what that says for the US of A, as that is where this has hit
me so far.

Mark.