assurance - RE: [Assurance] attacks on SMS-based 2FA

  • From: "Caskey, Paul" <>
  • To: "" <>
  • Subject: RE: [Assurance] attacks on SMS-based 2FA
  • Date: Thu, 24 Jul 2014 14:02:22 +0000
  • Accept-language: en-US
  • Authentication-results: ironport160a.utsystem.edu; dkim=neutral (message not signed) header.i=none

I thought that techniques such as threshold cryptography would not ever have
such problems, assuming the bad guy is not able to steal my key material from
Duo/Toopher/etc. (while also stealing it from my mobile device).



> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Tom
> Scavo
> Sent: Thursday, July 24, 2014 8:49 AM
> To:
>
> Subject: Re: [Assurance] attacks on SMS-based 2FA
>
> On Thu, Jul 24, 2014 at 9:11 AM, Von Welch
> <>
> wrote:
> >> telephony < soft tokens < hard tokens
> >
> > Why are "soft tokens" - which I interpret as mobile app based approaches -
> stronger than SMS?
>
> As I said, that requires further justification (which is where we're headed
> with this conversation, I suppose). My gut reaction is that the telcos are
> completely untrustworthy and moreover there's no obvious way to apply
> crypto and other security measures to their infrastructure and protocols.
>
> > Is the inter-application separation stronger such that it is harder for a
> trojan to scrape SMS messages than data from another App?
>
> I don't totally understand that question but clearly the Bad Guy has
> subverted SMS first so evidently that is the weakest link. At least with
> mobile apps, the telco is cleanly removed from the security equation (as
> evidenced by the fact that an iPod touch functions well as a device with
> soft token).
>
> > How much harder and how long before we expect that to fail?
>
> I don't know. Maybe others would care to hazard a guess?
>
> Tom
>
> > On Jul 24, 2014, at 8:23 AM, Tom Scavo
> > <>
> > wrote:
> >
> >> You may have heard this news about attacks on SMS-based 2FA at banks
> >> around the world:
> >>
> >> https://twitter.com/trscavo/status/492079055647559681
> >>
> >> It's becoming clear that 2FA methods based on telephony, while better
> >> than no 2FA at all, are less effective than other methods. The
> >> relative strength of authentication probably goes something like this:
> >>
> >> telephony < soft tokens < hard tokens
> >>
> >> but that would require further justification.
> >>
> >> Tom
> >
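A worked illustration of the threshold point made in the message above, added here as an example and not code from the thread or from any of the products it names: a 2-of-2 Shamir split of an authenticator secret, one share held by the service and one by the phone, showing that a single stolen share is consistent with every possible secret. The field prime, share layout and sample values are my own constructions.

```python
# Added example, not code from the thread or from Duo/Toopher: a 2-of-2
# Shamir secret split of an authenticator key over GF(p). One share is
# held by the service, the other by the phone. A single share is
# consistent with every possible key, so stealing one side alone
# recovers nothing; both are needed. Prime and values are constructed.
import secrets

P = 2**127 - 1  # field modulus; must exceed the secret


def split_2_of_2(secret: int):
    """f(x) = secret + a*x mod P with random a; shares are f(1), f(2)."""
    assert 0 <= secret < P
    a = secrets.randbelow(P)
    return [(x, (secret + a * x) % P) for x in (1, 2)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from exactly two distinct shares."""
    (x1, y1), (x2, y2) = shares
    assert x1 != x2
    l1 = x2 * pow((x2 - x1) % P, -1, P) % P
    l2 = x1 * pow((x1 - x2) % P, -1, P) % P
    return (y1 * l1 + y2 * l2) % P


def consistent_with(share, candidate_secret):
    """True when some line through (0, candidate) also passes through share.
    With only one share that is always true: a = (y - candidate) / x exists."""
    x, y = share
    a = (y - candidate_secret) * pow(x, -1, P) % P
    return (candidate_secret + a * x) % P == y


def demo():
    """Return (both shares recover the key, one share fits every guess)."""
    secret = secrets.randbelow(P)
    service_share, phone_share = split_2_of_2(secret)
    both = reconstruct([service_share, phone_share]) == secret
    guesses = (0, 1, secret, P - 1)  # an attacker with one share cannot tell
    one_side = all(consistent_with(service_share, g) for g in guesses)
    return both, one_side


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The same construction generalises to k-of-n splits with a degree k-1 polynomial, which is how a service can also tolerate loss of one device without weakening the "steal from both sides" requirement.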