top | item 22998942


aaronlifshin | 5 years ago

He writes: "Of course if that’s a major problem, then offering 2FA logins and password verification via cell phone wouldn’t make much sense either."

But this is not necessarily true, as spoofing the source phone number of an SMS is a lot easier than receiving an SMS that was sent to another number.

paxys | 5 years ago

He also skips over the fact that 2FA means second factor. Even if insecure, it's still better than nothing.

hombre_fatal | 5 years ago

Only if 2FA doesn't open up customer support channels that defeat the point of 2FA, like the common "oops I lost my phone lol" channel attack that gives you access to an account if you can provide the other factor.

(Still) works against Amazon btw: https://medium.com/@espringe/amazon-s-customer-service-backd...

I'd say 2FA is often worse than 1FA because customer support systems are rarely prepared to say "sorry, can't give you access to your account :/". Because 99.9% of the time, it really is a user accidentally locked out of their account.
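One way to close the "oops I lost my phone" channel that the comment above describes is to make recovery itself a second factor rather than a support override. The following is an added example, not code from the thread, from Amazon or from any vendor named here: the server keeps only hashes of pre-issued, single-use backup codes, and recovery demands the password plus one unused code, so there is no human path that downgrades the account to one factor. Function names, the code count and the sample store are all illustrative.

```python
import hashlib
import hmac
import secrets

# Constructed example: an account record holding only hashes of its backup codes.
CODE_COUNT = 8  # illustrative default


def hash_code(code: str) -> str:
    # Codes are high-entropy random tokens, so plain SHA-256 is adequate here;
    # a stolen store then reveals no usable code.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_backup_codes(count: int = CODE_COUNT):
    """Return (codes to show the user exactly once, server-side store).

    The store maps hash(code) -> unused flag; the plaintext codes are never kept.
    """
    codes = [secrets.token_hex(8) for _ in range(count)]  # 64 bits of entropy each
    store = {hash_code(c): True for c in codes}           # True == still unused
    return codes, store


def redeem_backup_code(store: dict, candidate: str) -> bool:
    """Consume one unused code.

    Every stored hash is compared in constant time, and a matching code is
    marked used before returning, so it cannot be replayed.
    """
    digest = hash_code(candidate)
    for stored, unused in store.items():
        if unused and hmac.compare_digest(stored, digest):
            store[stored] = False  # single use
            return True
    return False


def recover_account(password_ok: bool, store: dict, candidate: str) -> bool:
    """Recovery still requires two factors: the password and a pre-issued code.

    There is deliberately no 'agent override' parameter: a support agent who
    believes the caller has no way to grant access, which is the whole point.
    """
    if not password_ok:
        return False
    return redeem_backup_code(store, candidate)
```

The design choice worth noting is what is absent: the recovery function has no input a support agent can set. Whether that trade-off is acceptable (some users will be locked out for good) is exactly the policy question the comment raises; the code only makes the consequence explicit.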

alpb | 5 years ago

Not if you live in a surveillance state such as many Middle East countries.

Many Telegram accounts were compromised in Iran a while ago because of this. https://www.wired.com/2016/08/hack-brief-hackers-breach-ultr... Similarly, I know for a fact that in many countries your GSM provider stores your texts so you can view/reply to them from their web portal. (As you can imagine, even though an attacker might not have your SIM card, they might find your user/pass to log in to your GSM provider's portal.)

Also, state-sponsored actors do tap into GSM operators, since SMS is not end-to-end encrypted. Add this to the previous attack vector and you'll see that wiretapping inbound SMS is surprisingly not that hard.

azernik | 5 years ago

Resistance to state actors is a pretty high bar.