Should the average user with no special access rights be worried about SMS-based 2FA being theoretically interceptable?


Security experts are constantly discouraging users from using SMS-based 2FA systems, usually because of worries the auth code could be intercepted by an attacker, either through a SIM swap or a MitM attack.



The problem I see with this statement is that both of these attacks to me feel like they're essentially only really feasible for attacks targeted at a specific user with the goal of breaching a targeted service. Attacks like the one that breached Reddit last year, where a Reddit administrator had his SMS 2FA token intercepted.



You can't do SIM swap attacks in an automated way or even at scale (unless there is a serious issue with a phone provider). The average cybercriminal doesn't have the required resources to MitM intercept SMS messages for people spread across a city, country or continent. The way I interpret this, the only people who should actively avoid SMS-based 2FA systems are those who are likely to be targeted for specific attacks, but those are few and far between.



Consider an average Joe, who has about 100 accounts, but doesn't use a password manager (so he has password reuse). He doesn't have special access to any major services. He doesn't have any celebrity status or special usernames anywhere. He is a regular, non-management employee at his office with no special access to his company codebase or product. Put a different way, he's unlikely to ever be the target of an attack specifically targeted at him.



In this context, should Joe be concerned that the SMS-based 2FA he uses for Facebook, Twitter, Google, Dropbox, Slack and Nest has theoretical vulnerabilities?










multi-factor sms threat-modeling






asked Sep 20 at 8:11









Nzall











  • 2





    @SoufianeTahiri Actually no, it's not terribly secure, but it's still better than nothing, and the vast majority of people with online accounts have a way to receive SMS. TOTP is better, but there are more barriers to getting people to use it (have to install an app, have to actually open the app to use it instead of getting a notification with the code, etc). This doesn't mean SMS it's good enough and you shouldn't be worried, it just raises the bar a bit for attackers.

    – AndrolGenhald
    Sep 20 at 13:46







  • 1





    @AndrolGenhald, Yep I know it's not terribly secure, but as Nzall said there is no "known" way to scale the attack, so except if you're a high-profit target, there is almost NO need to worry about SS7/SIM swapping or any other similar attacks... The question was not which is better TOTP or 2FA (and yes I agree with you, TOTP is more secure)

    – Soufiane Tahiri
    Sep 20 at 14:53






  • 4





    Even though Alice is not a high-value target, if by attacking Alice's Slack account the attacker gains access sufficient to reveal that Bob is a high-value target, the attack was of value. Many attacks against "average" people are not about the person attacked, but about gaining the ability to attack someone that person knows, so it's hard to make a value judgement about an attack against an "average user with no special access rights."

    – Randall
    Sep 20 at 19:35






  • 3





    The main problem with weak second factors like SMS and even email is when it is used as the sole factor for things like account recovery. This can’t be turned off on some larger services because they don’t want to deal with the recovery support. This is why for example Google for their high security setting severely restrict the recovery options and require redundant second factor tokens to begin with.

    – eckes
    Sep 21 at 14:09






  • 1





    As a comment, there have been widescale attacks against SMS 2FA protecting German bank accounts. The banks in general have moved to more secure proprietary 2FA mechanisms.

    – Martin Bonner supports Monica
    Sep 23 at 9:10












5 Answers
























48



















There is no real concept of an "average user with no special access rights". From the perspective of an attacker the main point is if the effort needed for an attack is less than the gain of the attack. Even an "average user" might have crypto wallets or precious twitter accounts. Sometimes the gain of an attack is also not that obvious, like when a seemingly unimportant target is hacked as the initial step in a larger delivery chain attack against a more precious and better protected target.



For some examples of successful attacks see



  • My SIM swap attack: How I almost lost $71K, and how to prevent it

  • Here's how I survived a SIM swap attack after T-Mobile failed me - twice

  • SIM swap horror story: I've lost decades of data and Google won't lift a finger

























  • 3





    Yes, but what I mean is, why would an attacker bother trying to social engineer a CS rep into swapping a sim out or try and intercept an SMS through a MitM attack by being at the right place, when the average service has millions of other accounts that are probably not 2FA secured?

    – Nzall
    Sep 20 at 14:32






  • 5





    @Nzall: because (to cite myself) "the main point is if the effort needed for an attack is less than the gain of the attack". If the other less protected accounts have nothing interesting to offer then why waste precious time? Sure, if there is another less protected account which is a similar worthy target then one would likely attack this one first.

    – Steffen Ullrich
    Sep 20 at 14:47







  • 2





    Also: medium.com/coinmonks/…

    – Andrew Savinykh
    Sep 21 at 1:33






  • 2





    So what's your answer to the question? All users should worry about this? [I find answers with a clear answer or conclusion to be clearer overall and less ambiguous]

    – NotThatGuy
    Sep 21 at 14:51












  • @NotThatGuy: The attacks are targeted and take some effort to do. This means that you likely will be attacked only if you have something valuable to steal (direct attack) or if you have the trust or connection to somebody who might be a worthy target (attacking you as the first step in attacking others by using trust relationships). You probably better know than me if you are a worthy target then.

    – Steffen Ullrich
    Sep 21 at 19:16


















15



















Like many things, there is a tiny bit of truth in there, but overall it is a non-issue in practice and incidents are reported/perceived totally out of perspective.

Most stuff, including every new system that comes up every few months and that completely obsoletes everything else is usually based on personal financial interests, dogma, belief, and snake oil. So, recently, SMS-TAN was obsoleted. And the world didn't stop.



How dare I say it's a non-issue? There's some very real security breaches!



First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such (which is usually the first factor).

Without providing the first factor, you do not even get to trigger the SMS to be sent. If the legitimate account owner triggered it, then he is currently in the process of logging in, i.e. he has a TLS connection going. The TAN won't work for anything but for the action it was triggered for either, so it's not really useful for much.



You eavesdrop my SMS? Well go ahead. What are you going to do? Unless you also have a gun so you can force me to step away from the keyboard, or you can spoof my IP address and have subverted TLS so much that you can successfully take over the connection (really, WTF? who do we defend against in this threat model?), there is not much you can do. I mean, there's reasonable things to expect, and unreasonable things. Do I need to defend against the possibility of a 2km large meteor hitting my house? If someone can take over my TLS connection, then I have more serious problems than SMS being interceptable.



Unless of course it was you who initiated the SMS-TAN in the first place, which means you must already know my password.



So a reddit sysadmin gave away his admin password or had such a pathetically bad password that it was easy to social-engineer. Or, something else that is outright face-palm scary, whatever. Took a girl he met in the bar the night before to his workplace to impress her, logged in, and walked away? Something the like?

Wow, clearly the fact that SMS can be intercepted was the problem!



SMS 2FA is the same as every other 2FA. It is a little extra hurdle that an attacker has to take, once they have the first factor. It's not much, but it's better than nothing. For the casual attacker on a random target, that little extra makes the difference between "doable" and "not doable". For example, you may get to know my Google password by chance, but you do not know my phone number (or where I even live). So, technical difficulties aside, how are you going to intercept my SMS at all?



Will 2FA stop a targeted attack by a determined attacker? Well no, it probably won't. But what will? I can always tie your girlfriend to a chair and have you watch me cut off fingers until you perform the authentication. Make it five factor authentication if you will, it won't take more than two or three fingers.



On the basis that SMS-TAN is insecure, my bank replaced TAN via SMS with a totally insecure pair of custom-made apps that will allow a transaction to be initiated, and confirmed, without ever a password or such being entered. Android's biometry API telling it "yeah, OK" is enough. It's been demonstrated that facial recognition is easy to trick.

So yeah, this is definitively so much better and more secure than having to enter a password over TLS (which is stored in Keepass) and to receive a TAN via SMS, which is worthless to anyone else.



The simple truth is, sending SMS-TAN costs money, and that stupid little app doesn't...


























  • 3





    Obligatory xkcd.

    – TemporalWolf
    Sep 20 at 22:21






  • 19





    "First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such" <-- this is blatantly false. In practice, basically every single service that allows and encourages SMS "2FA" is actually delivering SMS 1FA: they allow account recovery via just the phone number/SMS, without requiring the password.

    – R..
    Sep 21 at 1:16







  • 1





    @R.: That may be true, but it is irrelevant. Not few services will email you a password reset link, or worse, a plaintext password (which means they have a plaintext password stored). So, yeah, some people just get it wrong. Does that have any implications to proper 2FA? No. This is like the recommendation back in 2018 to no longer encrypt email because some exploits in the mail client could (maybe) allow an attacker to read them. Sure, no encryption at all is a good solution! Why not deliberately leave your door wide open because someone could drive a truck into it to break in.

    – Damon
    Sep 21 at 16:50






  • 1





    @SteffenUllrich: Some truth in it, but what I meant to say is that the first factor is not perfect. Nothing is perfect. A second factor (or third) is not perfect either, but to the average wannabe hacker it's undefeatable. It won't stand against a targeted governmental attack or organized crime, sure. But like I said, you do not even know my phone number, so how are you going to intercept my SMS? Neither do you know my password, so how do you get them sent? That's assuming a no-shit implementation that doesn't just send out SMS like that, or displays "Sending confirmation to 01234567890".

    – Damon
    Sep 21 at 16:54






  • 2





    @Damon: Even an "average user with no special access rights" (whatever this is) might be a worthy target of a targeted attack because he has valuable stuff himself or might be a step to get access to valuable stuff (delivery chain attack). And SIM swap is actually not that hard to do as several examples from the past show, i.e. no need for "governmental attack or organized crime" but all what is needed is a determined hacker with some social skills. And the phone numbers itself are usually not kept like a very valuable secret nobody should know: most don't have a number only for 2FA.

    – Steffen Ullrich
    Sep 21 at 17:10



















10



















"Should I worry?" is not a technical question-- you can worry about anything you want. For Information Security purposes it is more helpful to consider specific threats, balancing their probability and risk against cost and inconvenience.



A different question you could ask is whether SMS 2FA is sufficient mitigation against criminal teams working on mass harvesting of credentials (and, for example, posting them for sale on the dark net). The answer to that is-- yeah, it's pretty good. Even if they were able to obtain a 2FA SMS code, it would not have any resale value since it is only good for a few minutes. So in terms of criminal networks reselling credentials, it is a decent mitigation. That is one kind of threat.



Another kind of threat is a criminal team or malicious user targeting you as an individual and in real time. In that scenario, SMS is completely inadequate, for reasons that I think you already understand. It is much too easy to get that code if they have the necessary resources.



That being said, NIST, FFIEC, PCI, ISO-27001, and other forms of security regulation/compliance/guidance are all moving away from SMS 2FA in favor of other options that are becoming more available as the technology evolves. But the public will take time to catch up. Heck, 90% of gmail users don't use any 2FA, let alone a SecurID token! That is why SMS two factor authentication isn't perfect, but you should still use it.






share|improve this answer


































    4



















    Although SMS 2FA is not as strong as TOTP-based MFA or the use of a hardware security key (e.g. YubiKey), it still offers a significant amount of protection against the typical attacker who is just trying to make use of weak or compromised passwords.

3

      The problem I see with this statement is that both of these attacks to me feel like they're essentially only really feasible for attacks targeted at a specific user with the goal of breaching a targeted service.



      [...]



      You can't do SIM swap attacks in an automated way or even at scale (unless there is a serious issue with a phone provider).



      [...]



      The average cybercriminal doesn't have the required resources to MitM intercept SMS messages for people spread across a city, country or continent.




      You don't always need SIM swap or MitM. Some simple attacks like phishing are already automated and that applies to 2FA codes too.



      Now this kind of attack would also bypass other kinds of one-time passwords like smartphone authentication apps, and maybe even login prompts. They would be stopped by token-based 2FA like Yubikeys, since the browser would check that the domain is correct.



      Also, I guess it would not be impossible for someone to hack into a phone network and run an untargeted attack while intercepting 2FA SMSs for a while until they get caught.






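The point made above, that an automated phishing page can relay a one-time code but is stopped by a YubiKey because the browser checks the domain, can be shown in code. The Python below is an added example, not code from this thread or from any project named in it: it models a relying party that checks a one-time code next to one that checks an origin-bound signature, and runs both for a user who logs in on the real site and for a user who logs in on a look-alike page that forwards whatever the browser produced. Every value in it is constructed for the example (the secrets, the timestamp, the two origins), and token_sign uses HMAC as a stand-in for the ECDSA signature a real FIDO authenticator would return.

```python
import hashlib
import hmac
import secrets
import struct


# --- One-time code (RFC 6238 TOTP) ------------------------------------------

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP as an authenticator app (or an SMS gateway) computes it:
    HOTP over the 30 s time counter with HMAC-SHA1 (RFC 4226 / RFC 6238)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpRelyingParty:
    """Site protected by password + one-time code. The code carries no
    information about *where* the user typed it, so a code collected by a
    look-alike page and forwarded within the time window is accepted."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def login(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.shared_secret, now))


# --- Origin-bound authenticator (FIDO/WebAuthn-style) -----------------------

def token_sign(cred_key: bytes, challenge: bytes, origin: str) -> bytes:
    """What the hardware token signs: the server's challenge *and* the origin
    the browser reports. HMAC stands in for the token's ECDSA signature
    (a simplification made for this constructed example)."""
    return hmac.new(cred_key, origin.encode() + b"\x00" + challenge,
                    hashlib.sha256).digest()


class OriginBoundRelyingParty:
    def __init__(self, cred_key: bytes, origin: str):
        self.cred_key = cred_key
        self.origin = origin
        self.pending = None          # outstanding challenge, single-use

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(32)
        return self.pending

    def login(self, client_origin: str, signature: bytes) -> bool:
        challenge, self.pending = self.pending, None
        if challenge is None or client_origin != self.origin:
            return False             # client data names a foreign origin
        expected = token_sign(self.cred_key, challenge, self.origin)
        return hmac.compare_digest(signature, expected)


def simulate(user_on_lookalike: bool):
    """Return (otp_accepted, origin_bound_accepted) for a user completing
    login on the real site (False) or on a look-alike page that forwards
    what the user's browser produced (True). All secrets are constructed."""
    now = 1_700_000_000
    otp_rp = OtpRelyingParty(b"constructed-shared-seed")
    code = totp(otp_rp.shared_secret, now)   # user copies it from app or SMS
    otp_ok = otp_rp.login(code, now)          # the site cannot tell who forwarded it

    real_origin = "https://bank.example"
    rp = OriginBoundRelyingParty(b"constructed-credential-key", real_origin)
    browser_origin = "https://bank-login.example" if user_on_lookalike else real_origin

    challenge = rp.new_challenge()
    sig = token_sign(rp.cred_key, challenge, browser_origin)
    if not user_on_lookalike:
        return otp_ok, rp.login(browser_origin, sig)

    # The look-alike page has two options, and both are rejected:
    forwarded_unchanged = rp.login(browser_origin, sig)   # origin mismatch
    challenge = rp.new_challenge()
    sig = token_sign(rp.cred_key, challenge, browser_origin)
    rewritten_origin = rp.login(real_origin, sig)         # signature covers wrong origin
    return otp_ok, forwarded_unchanged or rewritten_origin


if __name__ == "__main__":
    print("real site   :", simulate(False))
    print("look-alike  :", simulate(True))
```

The one-time code verifies in both runs because the server sees only the code and the time; it learns nothing about the page the user was on. The signed response fails both when the relay forwards the browser's client data unchanged (the relying party rejects a foreign origin before verifying anything) and when the relay rewrites the origin (the signature no longer matches). A real WebAuthn verifier additionally checks the rpIdHash and the signature counter in the authenticator data; both are left out here.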
        5 Answers

        48

        There is no real concept of an "average user with no special access rights". From the perspective of an attacker the main point is whether the effort needed for an attack is less than the gain of the attack. Even an "average user" might have crypto wallets or precious Twitter accounts. Sometimes the gain of an attack is also not that obvious, like when a seemingly unimportant target is hacked as the initial step in a larger delivery chain attack against a more precious and better protected target.

        For some examples of successful attacks see

        • My SIM swap attack: How I almost lost $71K, and how to prevent it

        • Here's how I survived a SIM swap attack after T-Mobile failed me - twice

        • SIM swap horror story: I've lost decades of data and Google won't lift a finger

        • 3





          Yes, but what I mean is, why would an attacker bother trying to social engineer a CS rep into swapping a sim out or try and intercept an SMS through a MitM attack by being at the right place, when the average service has millions of other accounts that are probably not 2FA secured?

          – Nzall
          Sep 20 at 14:32






        • 5





          @Nzall: because (to cite myself) "the main point is whether the effort needed for an attack is less than the gain of the attack". If the other less protected accounts have nothing interesting to offer then why waste precious time? Sure, if there is another less protected account which is a similarly worthy target then one would likely attack this one first.

          – Steffen Ullrich
          Sep 20 at 14:47







        • 2





          Also: medium.com/coinmonks/…

          – Andrew Savinykh
          Sep 21 at 1:33






        • 2





          So what's your answer to the question? All users should worry about this? [I find answers with a clear answer or conclusion to be clearer overall and less ambiguous]

          – NotThatGuy
          Sep 21 at 14:51












        • @NotThatGuy: The attacks are targeted and take some effort to do. This means that you likely will be attacked only if you have something valuable to steal (direct attack) or if you have the trust or connection to somebody who might be a worthy target (attacking you as the first step in attacking others by using trust relationships). You probably better know than me if you are a worthy target then.

          – Steffen Ullrich
          Sep 21 at 19:16

        answered Sep 20 at 9:06

        Steffen Ullrich

        15

        Like many things, there is a tiny bit of truth in there, but overall it is a non-issue in practice and incidents are reported/perceived totally out of perspective.

        Most stuff, including every new system that comes up every few months and that completely obsoletes everything else, is usually based on personal financial interests, dogma, belief, and snake oil. So, recently, SMS-TAN was obsoleted. And the world didn't stop.

        How dare I say it's a non-issue? There are some very real security breaches!

        First of all, it's two-factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such (which is usually the first factor).

        Without providing the first factor, you do not even get to trigger the SMS to be sent. If the legitimate account owner triggered it, then he is currently in the process of logging in, i.e. he has a TLS connection going. The TAN won't work for anything but the action it was triggered for either, so it's not really useful for much.

        You eavesdrop on my SMS? Well go ahead. What are you going to do? Unless you also have a gun so you can force me to step away from the keyboard, or you can spoof my IP address and have subverted TLS so much that you can successfully take over the connection (really, WTF? who do we defend against in this threat model?), there is not much you can do. I mean, there are reasonable things to expect, and unreasonable things. Do I need to defend against the possibility of a 2 km meteor hitting my house? If someone can take over my TLS connection, then I have more serious problems than SMS being interceptable.

        Unless of course it was you who initiated the SMS-TAN in the first place, which means you must already know my password.

        So a reddit sysadmin gave away his admin password or had such a pathetically bad password that it was easy to social-engineer. Or, something else that is outright face-palm scary, whatever. Took a girl he met in the bar the night before to his workplace to impress her, logged in, and walked away? Something like that?

        Wow, clearly the fact that SMS can be intercepted was the problem!

        SMS 2FA is the same as every other 2FA. It is a little extra hurdle that an attacker has to take, once they have the first factor. It's not much, but it's better than nothing. For the casual attacker on a random target, that little extra makes the difference between "doable" and "not doable". For example, you may get to know my Google password by chance, but you do not know my phone number (or where I even live). So, technical difficulties aside, how are you going to intercept my SMS at all?

        Will 2FA stop a targeted attack by a determined attacker? Well no, it probably won't. But what will? I can always tie your girlfriend to a chair and have you watch me cut off fingers until you perform the authentication. Make it five-factor authentication if you will, it won't take more than two or three fingers.

        On the basis that SMS-TAN is insecure, my bank replaced TAN via SMS with a totally insecure pair of custom-made apps that will allow a transaction to be initiated, and confirmed, without ever a password or such being entered. Android's biometry API telling it "yeah, OK" is enough. It's been demonstrated that facial recognition is easy to trick.

        So yeah, this is definitely so much better and more secure than having to enter a password over TLS (which is stored in KeePass) and to receive a TAN via SMS, which is worthless to anyone else.

        The simple truth is, sending SMS-TAN costs money, and that stupid little app doesn't...

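Two claims in this thread can be made concrete: the 10-vote answer's point that an intercepted SMS code "is only good for a few minutes", and this answer's point that the TAN "won't work for anything but the action it was triggered for". The Python below is an added example, not code from this thread or from any bank, of a server-side TAN scheme with exactly those properties: the code is derived from a fresh server-side nonce, the user and the exact transaction text, and it is accepted once, within the validity window, only for that transaction. The server key, user name, amounts and the IBAN placeholder are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class TanService:
    """Server side of an SMS-TAN flow. Each TAN is derived from a fresh
    nonce together with the user and the exact action it was requested for,
    and is accepted once, within a short window, only for that action.
    The server key is a constructed example value."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 300, digits: int = 6):
        self.server_key = server_key
        self.ttl = ttl_seconds
        self.digits = digits
        self.pending = {}   # reference -> (user, action, issued_at)

    def _tan(self, ref: str, user: str, action: str) -> str:
        msg = f"{ref}|{user}|{action}".encode()
        mac = hmac.new(self.server_key, msg, hashlib.sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 10 ** self.digits).zfill(self.digits)

    def request(self, user: str, action: str, now: int):
        """Start a transaction. Returns (reference kept in the web session,
        SMS text). The SMS repeats the action so the user can read what
        they are about to confirm."""
        ref = secrets.token_hex(8)
        self.pending[ref] = (user, action, now)
        return ref, f"TAN {self._tan(ref, user, action)} for: {action}"

    def confirm(self, ref: str, user: str, action: str, tan: str, now: int) -> bool:
        """One attempt per reference: a wrong TAN, a different action or an
        expired window all void the pending transaction, so the 10^6 code
        space cannot be searched and a TAN cannot be redeemed twice."""
        entry = self.pending.pop(ref, None)
        if entry is None:
            return False
        issued_user, issued_action, issued_at = entry
        if now - issued_at > self.ttl:
            return False
        if (issued_user, issued_action) != (user, action):
            return False
        return hmac.compare_digest(tan, self._tan(ref, issued_user, issued_action))


def tan_from_sms(text: str) -> str:
    """Pull the six digits out of the constructed SMS text above."""
    return text.split()[1]


def scenarios() -> dict:
    """Exercise the properties the answers argue about, with constructed values."""
    svc = TanService(b"constructed-server-key")
    t0 = 1_700_000_000
    action = "transfer 250.00 EUR to account PLACEHOLDER-IBAN"
    out = {}

    # Legitimate confirmation, then the same TAN presented a second time.
    ref, sms = svc.request("alice", action, t0)
    out["legitimate"] = svc.confirm(ref, "alice", action, tan_from_sms(sms), t0 + 20)
    out["replayed"] = svc.confirm(ref, "alice", action, tan_from_sms(sms), t0 + 25)

    # A TAN seen in transit, applied to a different transaction.
    ref, sms = svc.request("alice", action, t0)
    other = "transfer 9000.00 EUR to account OTHER-PLACEHOLDER"
    out["other_action"] = svc.confirm(ref, "alice", other, tan_from_sms(sms), t0 + 20)

    # The right TAN, but after the validity window has closed.
    ref, sms = svc.request("alice", action, t0)
    out["expired"] = svc.confirm(ref, "alice", action, tan_from_sms(sms), t0 + 301)

    # A single wrong guess voids the transaction.
    ref, sms = svc.request("alice", action, t0)
    tan = tan_from_sms(sms)
    wrong = str((int(tan) + 1) % 10 ** 6).zfill(6)
    out["wrong_tan"] = svc.confirm(ref, "alice", action, wrong, t0 + 20)
    return out


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:<13} accepted={accepted}")
```

Because confirm() drops the pending reference on any failed attempt, a six-digit code gives one guess per transaction rather than a million, and a TAN picked up in transit buys nothing once the window closes or the transaction it names has been confirmed. As R..'s comment on this answer points out, none of this helps if the same phone number also unlocks account recovery without the first factor; the TAN logic above protects only the action it was issued for.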
        • 3





          Obligatory xkcd.

          – TemporalWolf
          Sep 20 at 22:21






        • 19





          "First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such" <-- this is blatantly false. In practice, basically every single service that allows and encourages SMS "2FA" is actually delivering SMS 1FA: they allow account recovery via just the phone number/SMS, without requiring the password.

          – R..
          Sep 21 at 1:16







        • 1





          @R.: That may be true, but it is irrelevant. Not a few services will email you a password reset link, or worse, a plaintext password (which means they have a plaintext password stored). So, yeah, some people just get it wrong. Does that have any implications for proper 2FA? No. This is like the recommendation back in 2018 to no longer encrypt email because some exploits in the mail client could (maybe) allow an attacker to read them. Sure, no encryption at all is a good solution! Why not deliberately leave your door wide open because someone could drive a truck into it to break in.

          – Damon
          Sep 21 at 16:50






        • 1





          @SteffenUllrich: Some truth in it, but what I meant to say is that the first factor is not perfect. Nothing is perfect. A second factor (or third) is not perfect either, but to the average wannabe hacker it's undefeatable. It won't stand against a targeted governmental attack or organized crime, sure. But like I said, you do not even know my phone number, so how are you going to intercept my SMS? Neither do you know my password, so how do you get them sent? That's assuming a no-shit implementation that doesn't just send out SMS like that, or displays "Sending confirmation to 01234567890".

          – Damon
          Sep 21 at 16:54






        • 2





          @Damon: Even an "average user with no special access rights" (whatever this is) might be a worthy target of a targeted attack because he has valuable stuff himself or might be a step to get access to valuable stuff (delivery chain attack). And SIM swap is actually not that hard to do as several examples from the past show, i.e. no need for "governmental attack or organized crime" but all what is needed is a determined hacker with some social skills. And the phone numbers itself are usually not kept like a very valuable secret nobody should know: most don't have a number only for 2FA.

          – Steffen Ullrich
          Sep 21 at 17:10
















        15



















        Like many things, there is a tiny bit of truth in there, but overall it is a non-issue in practice and incidents are reported/perceived totally out of perspective.

        Most stuff, including every new system that comes up every few months and that completely obsoletes everything else is usually based on personal financial interests, dogma, belief, and snake oil. So, recently, SMS-TAN was obsoleted. And the world didn't stop.



        How dare I say it's a non-issue? There's some very real security breaches!



        First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such (which is usually the first factor).

        Without providing the first factor, you do not even get to trigger the SMS to be sent. If the legitimate account owner triggered it, then he is currently in the process of logging in, i.e. he has a TLS connection going. The TAN won't work for anything but for the action it was triggered for either, so it's not really useful for much.



        You eavesdrop my SMS? Well go ahead. What are you going to do? Unless you also have a gun so you can force me to step away from the keyboard, or you can spoof my IP address and have subverted TLS so much that you can successfully take over the connection (really, WTF? who do we defend against in this threat model?), there is not much you can do. I mean, there's reasonable things to expect, and unreasonable things. Do I need to defend against the possibility of a 2km large meteor hitting my house? If someone can take over my TLS connection, then I have more serious problems than SMS being interceptable.



        Unless of course it was you who initiated the SMS-TAN in the first place, which means you must already know my password.



        So a reddit sysadmin gave away his admin password or had such a pathetically bad password that it was easy to social-engineer. Or, something else that is outright face-palm scary, whatever. Took a girl he met in the bar the night before to his workplace to impress her, logged in, and walked away? Something the like?

        Wow, clearly the fact that SMS can be intercepted was the problem!



        SMS 2FA is the same as every other 2FA. It is a little extra hurdle that an attacker has to take, once they have the first factor. It's not much, but it's better than nothing. For the casual attacker on a random target, that little extra makes the difference between "doable" and "not doable". For example, you may get to know my Google password by chance, but you do not know my phone number (or where I even live). So, technical difficulties aside, how are you going to intercept my SMS at all?



        Will 2FA stop a targetted attack by a determined attacker? Well no, it probably won't. But what will? I can always tie your girlfriend to a chair and have you watch me cut off fingers until you perform the authentication. Make it five factor authentication if you will, it won't take more than two or three fingers.



        On the basis that SMS-TAN is insecure, my bank replaced TAN via SMS with a totally insecure pair of custom-made apps that will allow a transaction to be initiated, and confirmed, without ever a password or such being entered. Android's biometry API telling it "yeah, OK" is enough. It's been demonstrated that facial recognition is easy to trick.

        So yeah, this is definitively so much better and more secure than having to enter a password over TLS (which is stored in Keepass) and to receive a TAN via SMS, which is worthless to anyone else.



        The simple truth is, sending SMS-TAN costs money, and that stupid little app doesn't...






        share|improve this answer




















        • 3





          Obligatory xkcd.

          – TemporalWolf
          Sep 20 at 22:21






        • 19





          "First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such" <-- this is blatantly false. In practice, basically every single service that allows and encourages SMS "2FA" is actually delivering SMS 1FA: they allow account recovery via just the phone number/SMS, without requiring the password.

          – R..
          Sep 21 at 1:16







        • 1





          @R.: That may be true, but it is irrelevant. Not few services will email you a password reset link, or worse, a plaintext password (which means they have a plaintext password stored). So, yeah, some people just get it wrong. Does that have any implications to proper 2FA? No. This is like the recommendation back in 2018 to no longer encrypt email because some exploits in the mail client could (maybe) allow an attacker to read them. Sure, no encryption at all is a good solution! Why not deliberately leave your door wide open because someone could drive a truck into it to break in.

          – Damon
          Sep 21 at 16:50






        • 1





          @SteffenUllrich: Some truth in it, but what I meant to say is that the first factor is not perfect. Nothing is perfect. A second factor (or third) is not perfect either, but to the average wannabe hacker it's undefeatable. It won't stand against a targetted governmental attack or organized crime, sure. But like I said, you do not even know my phone number, so how are you going to intercept my SMS? Neither do you know my password, so how do you get them sent? That's assuming a no-shit implementation that doesn't just send out SMS like that, or displays "Sending confirmation to 01234567890"_.

          – Damon
          Sep 21 at 16:54






        • 2





          @Damon: Even an "average user with no special access rights" (whatever this is) might be a worthy target of a targeted attack because he has valuable stuff himself or might be a step to get access to valuable stuff (delivery chain attack). And SIM swap is actually not that hard to do as several examples from the past show, i.e. no need for "governmental attack or organized crime" but all what is needed is a determined hacker with some social skills. And the phone numbers itself are usually not kept like a very valuable secret nobody should know: most don't have a number only for 2FA.

          – Steffen Ullrich
          Sep 21 at 17:10














        15















        15











        15









        Like many things, there is a tiny bit of truth in there, but overall it is a non-issue in practice, and incidents are reported/perceived totally out of perspective.

        Most stuff, including every new system that comes up every few months and that completely obsoletes everything else, is usually based on personal financial interests, dogma, belief, and snake oil. So, recently, SMS-TAN was obsoleted. And the world didn't stop.

        How dare I say it's a non-issue? There are some very real security breaches!

        First of all, it's two-factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such (which is usually the first factor).

        Without providing the first factor, you do not even get to trigger the SMS to be sent. If the legitimate account owner triggered it, then he is currently in the process of logging in, i.e. he has a TLS connection going. The TAN won't work for anything but the action it was triggered for either, so it's not really useful for much.

        You eavesdrop my SMS? Well, go ahead. What are you going to do? Unless you also have a gun so you can force me to step away from the keyboard, or you can spoof my IP address and have subverted TLS so much that you can successfully take over the connection (really, WTF? Who do we defend against in this threat model?), there is not much you can do. I mean, there are reasonable things to expect, and unreasonable things. Do I need to defend against the possibility of a 2 km wide meteor hitting my house? If someone can take over my TLS connection, then I have more serious problems than SMS being interceptable.

        Unless of course it was you who initiated the SMS-TAN in the first place, which means you must already know my password.

        So a Reddit sysadmin gave away his admin password or had such a pathetically bad password that it was easy to social-engineer. Or something else that is outright face-palm scary, whatever. Took a girl he met in the bar the night before to his workplace to impress her, logged in, and walked away? Something like that?

        Wow, clearly the fact that SMS can be intercepted was the problem!

        SMS 2FA is the same as every other 2FA. It is a little extra hurdle that an attacker has to take once they have the first factor. It's not much, but it's better than nothing. For the casual attacker on a random target, that little extra makes the difference between "doable" and "not doable". For example, you may get to know my Google password by chance, but you do not know my phone number (or where I even live). So, technical difficulties aside, how are you going to intercept my SMS at all?

        Will 2FA stop a targeted attack by a determined attacker? Well, no, it probably won't. But what will? I can always tie your girlfriend to a chair and have you watch me cut off fingers until you perform the authentication. Make it five-factor authentication if you will; it won't take more than two or three fingers.

        On the basis that SMS-TAN is insecure, my bank replaced TAN via SMS with a totally insecure pair of custom-made apps that will allow a transaction to be initiated, and confirmed, without ever a password or such being entered. Android's biometry API telling it "yeah, OK" is enough. It's been demonstrated that facial recognition is easy to trick.

        So yeah, this is definitely so much better and more secure than having to enter a password over TLS (which is stored in KeePass) and to receive a TAN via SMS, which is worthless to anyone else.

        The simple truth is, sending SMS-TAN costs money, and that stupid little app doesn't...






        answered Sep 20 at 20:57









        Damon

        4,249 reputation, 13 silver badges, 23 bronze badges










        • 3
          Obligatory xkcd.
          – TemporalWolf
          Sep 20 at 22:21

        • 19
          "First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such" <-- this is blatantly false. In practice, basically every single service that allows and encourages SMS "2FA" is actually delivering SMS 1FA: they allow account recovery via just the phone number/SMS, without requiring the password.
          – R..
          Sep 21 at 1:16

        • 1
          @R.: That may be true, but it is irrelevant. Not a few services will email you a password reset link, or worse, a plaintext password (which means they have a plaintext password stored). So, yeah, some people just get it wrong. Does that have any implications for proper 2FA? No. This is like the recommendation back in 2018 to no longer encrypt email because some exploits in the mail client could (maybe) allow an attacker to read them. Sure, no encryption at all is a good solution! Why not deliberately leave your door wide open because someone could drive a truck into it to break in?
          – Damon
          Sep 21 at 16:50

        • 1
          @SteffenUllrich: Some truth in it, but what I meant to say is that the first factor is not perfect. Nothing is perfect. A second factor (or third) is not perfect either, but to the average wannabe hacker it's undefeatable. It won't stand against a targeted governmental attack or organized crime, sure. But like I said, you do not even know my phone number, so how are you going to intercept my SMS? Neither do you know my password, so how do you get them sent? That's assuming a no-shit implementation that doesn't just send out SMS like that, or display "Sending confirmation to 01234567890".
          – Damon
          Sep 21 at 16:54

        • 2
          @Damon: Even an "average user with no special access rights" (whatever this is) might be a worthy target of a targeted attack because he has valuable stuff himself or might be a step to get access to valuable stuff (delivery chain attack). And SIM swap is actually not that hard to do, as several examples from the past show, i.e. no need for "governmental attack or organized crime"; all that is needed is a determined hacker with some social skills. And the phone numbers themselves are usually not kept like a very valuable secret nobody should know: most don't have a number only for 2FA.
          – Steffen Ullrich
          Sep 21 at 17:10













        10



















        "Should I worry?" is not a technical question: you can worry about anything you want. For information security purposes it is more helpful to consider specific threats, balancing their probability and risk against cost and inconvenience.

        A different question you could ask is whether SMS 2FA is sufficient mitigation against criminal teams working on mass harvesting of credentials (and, for example, posting them for sale on the dark net). The answer to that is: yeah, it's pretty good. Even if they were able to obtain a 2FA SMS code, it would not have any resale value, since it is only good for a few minutes. So in terms of criminal networks reselling credentials, it is a decent mitigation. That is one kind of threat.

        Another kind of threat is a criminal team or malicious user targeting you as an individual and in real time. In that scenario, SMS is completely inadequate, for reasons that I think you already understand. It is much too easy to get that code if they have the necessary resources.

        That being said, NIST, FFIEC, PCI, ISO 27001, and other forms of security regulation/compliance/guidance are all moving away from SMS 2FA in favor of other options that are becoming more available as the technology evolves. But the public will take time to catch up. Heck, 90% of Gmail users don't use any 2FA, let alone a SecurID token! That is why SMS two-factor authentication isn't perfect, but you should still use it.














            edited Sep 21 at 0:23

























            answered Sep 21 at 0:15









            John Wu

            7,960 reputation, 1 gold badge, 20 silver badges, 33 bronze badges
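John Wu's point that an intercepted SMS code "is only good for a few minutes", and Damon's earlier point that the TAN "won't work for anything but the action it was triggered for", both come down to how the server treats the code once it has sent it. The Python below is an added illustration, not code from either answer or from any real service: a minimal server-side store that binds each code to one user and one action, expires it after an assumed five-minute window, consumes it on first use, and burns it after a handful of wrong guesses. The class and function names, the 300-second window, the five-guess limit and the user "alice" are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window: "only good for a few minutes"
MAX_WRONG_GUESSES = 5    # a 6-digit code must not be guessable within that window


class SmsCodeStore:
    """Pending SMS codes keyed by (user, action).

    Only a SHA-256 digest of each code is kept, so a dump of this store is as
    worthless to a buyer as an expired code.  The clock is injectable so the
    expiry behaviour can be demonstrated without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def issue(self, user, action):
        """Create a fresh code bound to one user and one action (login, transfer, ...)."""
        code = f"{secrets.randbelow(10**6):06d}"        # CSPRNG, zero-padded 6 digits
        self._pending[(user, action)] = {
            "digest": hashlib.sha256(code.encode()).hexdigest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "wrong": 0,
        }
        return code   # in a real system this goes to the SMS gateway only

    def verify(self, user, action, submitted):
        """Return "ok" or a reason string; a code is consumed on success."""
        key = (user, action)
        entry = self._pending.get(key)
        if entry is None:
            return "no_pending_code"          # never issued, already used, or locked out
        if self._clock() > entry["expires"]:
            del self._pending[key]
            return "expired"
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        if not hmac.compare_digest(digest, entry["digest"]):
            entry["wrong"] += 1
            if entry["wrong"] >= MAX_WRONG_GUESSES:
                del self._pending[key]        # burn the code; the user must request a new one
                return "too_many_attempts"
            return "wrong_code"
        del self._pending[key]                # single use
        return "ok"


def demo():
    """Walk through the cases with constructed data and collect the verdicts."""
    now = [1_700_000_000.0]
    store = SmsCodeStore(clock=lambda: now[0])
    results = {}

    code = store.issue("alice", "login")
    results["other_action"] = store.verify("alice", "transfer", code)  # bound to login only
    results["first_use"] = store.verify("alice", "login", code)
    results["replay"] = store.verify("alice", "login", code)           # already consumed

    code = store.issue("alice", "login")
    now[0] += CODE_TTL_SECONDS + 1                                      # window has passed
    results["stale"] = store.verify("alice", "login", code)

    code = store.issue("alice", "login")
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_WRONG_GUESSES):
        results["lockout"] = store.verify("alice", "login", wrong)
    results["after_lockout"] = store.verify("alice", "login", code)     # correct, but burned
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>14}: {verdict}")
```

Each verdict in `demo()` corresponds to one reason an eavesdropped or resold code is useless: it was issued for a different action, it has already been used, its window has closed, or it was burned by guessing. The properties that make this hold are the ones to check in a real implementation: a random code from a CSPRNG, a stored digest rather than the code itself, a short expiry, single use, and a guess limit.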
























                4



















                Although SMS 2FA is not as strong as TOTP-based MFA or the use of a hardware security key (e.g. a YubiKey), it still offers a significant amount of protection against the typical attacker who's just trying to make use of weak or compromised passwords.
















                    answered Sep 20 at 8:35









                    mhr

                    296 reputation, 3 silver badges, 10 bronze badges
























                        3




















                        The problem I see with this statement is that both of these attacks to me feel like they're essentially only really feasible for attacks targeted at a specific user with the goal of breaching a targeted service.

                        [...]

                        You can't do SIM swap attacks in an automated way or even at scale (unless there is a serious issue with a phone provider).

                        [...]

                        The average cybercriminal doesn't have the required resources to MitM intercept SMS messages for people spread across a city, country or continent.

                        You don't always need SIM swap or MitM. Some simple attacks like phishing are already automated, and that applies to 2FA codes too.

                        Now this kind of attack would also bypass other kinds of one-time passwords like smartphone authentication apps, and maybe even login prompts. They would be stopped by token-based 2FA like YubiKeys, since the browser would check that the domain is correct.

                        Also, I guess it would not be impossible for someone to hack into a phone network and run an untargeted attack while intercepting 2FA SMSs for a while until they get caught.
















                            answered Sep 21 at 13:09









                            Elzo

                            1,794 reputation, 1 gold badge, 11 silver badges, 22 bronze badges
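Elzo's closing point, that a phishing relay captures SMS and authenticator-app codes but is stopped by a YubiKey "since the browser would check that the domain is correct", is the origin binding in WebAuthn. The Python below is an added example, not code from the answer or from any WebAuthn library: the browser writes the origin it is actually on into the client data that the authenticator signs, and the relying party rejects an assertion whose origin is not its own. A six-digit code relayed through the same proxy carries no origin at all, which is why a server cannot tell it was typed into the wrong site. The two site names are constructed, and an HMAC key shared by both sides stands in for the authenticator's asymmetric credential key, as noted in the code.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"           # the real site (constructed)
PHISH_ORIGIN = "https://bank-example.net"    # look-alike domain of a relay proxy (constructed)

# Stand-in for the authenticator's private key.  A real authenticator signs with an
# asymmetric key and the relying party verifies with the registered public key; an
# HMAC key known to both sides keeps this example dependency-free while preserving
# the property that matters here: the signature covers the client data, so the
# origin and challenge cannot be edited after signing.
CREDENTIAL_KEY = secrets.token_bytes(32)


def client_builds_assertion(origin_seen_by_browser, challenge):
    """What the browser and authenticator produce for a login on the given origin.

    The browser, not the page, fills in the origin, so a page served from a
    look-alike domain gets an assertion that names the look-alike domain.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        sort_keys=True,
    ).encode()
    signed = hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": signature}


def relying_party_verify(assertion, expected_challenge):
    """Server-side checks, in the order a WebAuthn relying party performs them."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "bad_type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return "challenge_mismatch"           # replay of an old assertion
    if client_data.get("origin") != RP_ORIGIN:
        return "origin_mismatch"              # assertion was made for some other site
    signed = hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad_signature"                # client data was altered after signing
    return "ok"


def scenario_genuine_login():
    """User is on the real site: origin and challenge match, signature verifies."""
    challenge = secrets.token_hex(16)
    return relying_party_verify(client_builds_assertion(RP_ORIGIN, challenge), challenge)


def scenario_relayed_by_proxy():
    """A relay forwards the real challenge to the victim and passes the answer back."""
    challenge = secrets.token_hex(16)
    assertion = client_builds_assertion(PHISH_ORIGIN, challenge)   # browser is on the look-alike
    return relying_party_verify(assertion, challenge)


def scenario_proxy_edits_origin():
    """The relay rewrites the origin field before forwarding; the signature no longer matches."""
    challenge = secrets.token_hex(16)
    assertion = client_builds_assertion(PHISH_ORIGIN, challenge)
    patched = json.loads(assertion["clientDataJSON"])
    patched["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(patched, sort_keys=True).encode()
    return relying_party_verify(assertion, challenge)


if __name__ == "__main__":
    print("genuine login:      ", scenario_genuine_login())
    print("relayed by proxy:   ", scenario_relayed_by_proxy())
    print("proxy edits origin: ", scenario_proxy_edits_origin())
```

The two failing scenarios are the whole argument: the relay can forward the challenge untouched, but the origin the victim's browser records is the relay's own domain, and the signature pins that origin in place. The order of checks matters for a real relying party too, because a fresh challenge per login is what turns a captured assertion into a one-time artefact, in the same way a short expiry does for an SMS code.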































