There’s no “interception” involved in defeating SMS 2FA. Everyone seems to assume this is a complicated technical SS7 attack. No, nobody is doing that.
Replying to @petersongeorged @taviso
SMS 2FA binds to your phone number, not you or your phone. Nobody is going to intercept SS7; they’re going to call a phone company and port your number to their phone.
4 replies 0 retweets 4 likes -
George, I agree with you. Generally speaking, 2FA w/SMS is still better than no 2FA. Not sure why it’s even an issue?
1 reply 0 retweets 0 likes -
Replying to @RadiateSystems @tqbf and
Also, before a SIM swap occurs, the attacker would need to know the phone #...I’m not saying it’s impossible but most cell phone #’s are not published.
1 reply 0 retweets 1 like -
What attack do you claim SMS 2FA prevents?
1 reply 0 retweets 0 likes -
Non-state sponsored or targeted credential theft
2 replies 0 retweets 0 likes -
Which "credential theft" attack do you claim it prevents? It doesn't prevent the common ones, phishing, malware, keylogging, etc.
3 replies 0 retweets 0 likes -
How does it not prevent a phishing attack with credential theft?
1 reply 0 retweets 0 likes
Stage 1: "Please enter password", Stage 2: Forward password to target website, Stage 3: "We sent you an SMS, enter code here", Stage 4: Forward phished token to target website.