People don't claim that SMS-2FA is perfect; they claim it's "an improvement". If the issue were SMS hijacking, then that would require a new capability from the attacker. In fact, it can just be phished, and therefore does not require any new capability from attackers.
I'm not sure what I said that you're disagreeing with! It seems completely plausible to me that dumped creds are tested more often than phishing, I don't think I've disputed that?
I'm disagreeing with SMS 2FA being "basically useless". I don't think the data supports that.
Don't have big, systematic data on this but I constantly hear all over the world from people without any 2FA whose accounts get taken over via password reuse and much rarer live phishing of SMS 2FA. I do push people to U2F but, ceteris paribus, SMS 2FA seems way better than none.
I think the bare minimum requirement for "raising the bar" is a new capability the attacker hasn't already demonstrated.
(I worry my replies come off as disagreement rather than nuanced agreement)