undefined | Better HN

0 pointsadgjlsfhk11y ago0 comments

imo sms 2fa is great since it is sufficient to stop automatic mass account stealing.

0 comments

So is an authenticator app.

Also, SMS isn't, because attackers often get access to the SMS network itself (see e.g. Salt Typhoon) in which case they can do automatic mass account stealing because they can see all the totally unencrypted SMS codes.

The security of SMS really is that bad.

oyashirochama1y ago

Not to mention LTT showed the ability to spoof and steal SMS directly, on specific targets using the international phone system trust, something that is effectively impossible to block due to the inherient trust built into cell companies at the moment.

dataflow1y ago

> attackers often get access to the SMS network itself (see e.g. Salt Typhoon)

"Often"?

andy811y ago

Bit of an understatement, should be "always have access" if state attackers are included in the threat model.

AnthonyMouse1y ago

To be fair, there are also non-state attackers that can mass intercept SMS.

j / k navigate · click thread line to collapse