tantek.com

↳ In reply to a comment on issue 152 of GitHub project “standards-positions”


> TL;DR is that SMS is, in fact, more than a tiny bit better than nothing

I read the post.

It has six occurrences of the phrase "recovery phone number" (not "second factor phone number" which would have been better), and yet no mention of all the published counter-evidence to date of SMS account recovery making things *worse* for (especially targeted) users. E.g.

* https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
* https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/
* https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html
* https://twitter.com/justin/status/883171036283285508
* https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
* https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/
* https://twitter.com/hillbrad/status/1004040328150540288
* https://twitter.com/cooncesean/status/1130493867734605824
* ... etc.

Also omitted: the fact that when users turn on SMS 2FA, services in general (e.g. Twitter, Instagram, PayPal, even Apple ID) also enable SMS account recovery, thus making their users *more* vulnerable to targeted attacks.

I have personally known friends (with short / firstname usernames on various services) who have been targeted and had accounts stolen.

I think it’s irresponsible to be recommending (or reducing the barriers to) SMS user-flows that default users into SMS account recovery, and especially irresponsible to be pretending it doesn’t exist as a problem by not mentioning it (in particular SIM swaps) despite even the New York Times documenting it almost two years ago, and NIST deprecating it almost three years ago.

In addition the "% of users affected" or "% of attacks stopped" metrics are not really good measures here. Steering users to adopt SMS account recovery is the equivalent of planting thousands+ of seeds, for which attackers only have to wait until a few of those accounts grow enough value to be ripe for targeted harvesting.
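The mechanism above (a service quietly enabling SMS account recovery when a user adds a phone number for SMS 2FA) can be made concrete with a weakest-path model. The following is an added example, not code from the post or from any of the services named in it; the ordinal strength ranking and the three user scenarios are constructed for illustration, and only the ordering matters. It shows that an account's exposure is set by its weakest login *or* recovery path, so "better than nothing" for a password-only user and "a regression" for a user who already had TOTP and recovery codes are both true at once, which is what an aggregate "% of users affected" figure hides.

```python
"""Weakest-path model of account takeover exposure (added example)."""
from dataclasses import dataclass, field

# Illustrative ordinal ranking of authenticators, constructed for this example.
# SMS sits low because it is phishable and SIM-swappable.
STRENGTH = {
    "password": 1,
    "sms": 2,
    "totp": 3,
    "recovery_codes": 3,
    "security_key": 4,
}


@dataclass
class AccountSettings:
    # Authenticators required together at login (a conjunction).
    login_factors: list
    # Each recovery path is a conjunction that on its own regains the account.
    recovery_paths: list = field(default_factory=list)


def path_cost(path):
    """An attacker must defeat every authenticator in a conjunctive path, so in
    this coarse ordinal model the path's cost is its strongest element."""
    return max(STRENGTH[a] for a in path)


def all_paths(settings):
    """Login plus every recovery flow: any one of them yields the account."""
    return [settings.login_factors] + settings.recovery_paths


def effective_strength(settings):
    """Exposure is set by the weakest path, whether that is the login flow or a
    recovery flow the user may not even know was enabled."""
    return min(path_cost(p) for p in all_paths(settings))


def weakest_paths(settings):
    """The paths a defender (or a settings-page audit) should fix first."""
    floor = effective_strength(settings)
    return [p for p in all_paths(settings) if path_cost(p) == floor]


def compare_scenarios():
    """Three constructed users of a hypothetical service."""
    password_only = AccountSettings(["password"])
    # User who set up TOTP and kept offline recovery codes, no phone on file.
    totp_user = AccountSettings(["password", "totp"], [["recovery_codes"]])
    # Same user after adding a phone for "SMS 2FA": the service also enabled
    # SMS account recovery, the default the post objects to.
    totp_user_plus_sms = AccountSettings(
        ["password", "totp"], [["recovery_codes"], ["sms"]]
    )
    return {
        "password_only": effective_strength(password_only),
        "totp_user": effective_strength(totp_user),
        "totp_user_plus_sms": effective_strength(totp_user_plus_sms),
        "regression_caused_by": weakest_paths(totp_user_plus_sms),
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name}: {value}")
```

Running it shows the password-only user going from 1 to 2 when SMS is added (the "better than nothing" case), while the TOTP user drops from 3 to 2 because the auto-enabled `["sms"]` recovery path, not the login flow, now bounds the account.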

on (ttk.me t50k1) using BBEdit