
assurance - Re: [Assurance] attacks on SMS-based 2FA


Re: [Assurance] attacks on SMS-based 2FA


  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] attacks on SMS-based 2FA
  • Date: Thu, 24 Jul 2014 14:03:22 +0000
  • Accept-language: en-US
  • Authentication-results: spf=pass (sender IP is 164.107.81.220) ;

On 7/24/14, 9:57 AM, "Farmer, Jacob" <> wrote:

>Tom,
>
>This is certainly an interesting attack and I agree with the premise that
>SMS-based MFA is less secure than other forms of tokens.
>
>However, this attack still requires that the endpoint be compromised, and
>as long as that happens, I don't think that all the MFA in the world will
>help.

Yep. This attack will break anything you throw at it short of end to end
crypto. Once you're in the middle, and if your goal is to specifically
hijack individual transactions and not long term credentials, you're
golden.

The end to end crypto could be on the client itself or on a second factor
device, but anything that's just an OTP or even a message based scheme that
includes crypto but doesn't involve channel binding is going to be
vulnerable. A lot of FUD out there about TLS from a certain vendor I can
think of is horrendously misguided. You need a secure transport, or you
need some very fancy tap dancing, to mitigate this kind of attack.

-- Scott
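The point Scott makes above, as an added illustration that is not part of the original thread: a bare OTP authorizes whatever transaction an in-path attacker substitutes, whereas a second factor that signs the transaction it displayed together with a channel-binding value cannot be replayed for a different transaction or on a different channel. All keys, names and the channel-binding token values below are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample secrets (hypothetical); in practice they live only on
# the token device and the server.
OTP_SEED = b"constructed-otp-seed"
DEVICE_KEY = b"constructed-device-signing-key"


def otp(counter: int) -> str:
    """HMAC-based one-time code: depends on a counter only, not on what
    the user is actually approving."""
    mac = hmac.new(OTP_SEED, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def server_accepts_otp(txn: dict, code: str, counter: int) -> bool:
    """The server checks the code; the transaction content is unbound."""
    return hmac.compare_digest(code, otp(counter))


def sign_txn(txn: dict, channel_binding: bytes) -> bytes:
    """Second-factor device signs the transaction it showed the user plus a
    value derived from the end-to-end channel (e.g. a TLS channel-binding
    token), so the signature is useless elsewhere."""
    msg = f"{txn['to']}|{txn['amount']}|".encode() + channel_binding
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def server_accepts_signed(txn: dict, sig: bytes, channel_binding: bytes) -> bool:
    return hmac.compare_digest(sig, sign_txn(txn, channel_binding))


def demo() -> tuple:
    """Returns (otp_scheme_fooled, signed_scheme_fooled)."""
    user_txn = {"to": "alice", "amount": 10}          # what the user approved
    altered = {"to": "mallory", "amount": 9000}       # what the MitM submits
    user_channel = b"cb-token-user-session"           # constructed
    attacker_channel = b"cb-token-attacker-session"   # constructed
    code = otp(42)  # user types this in; the MitM relays it unchanged
    otp_fooled = server_accepts_otp(altered, code, 42)
    sig = sign_txn(user_txn, user_channel)
    signed_fooled = (server_accepts_signed(altered, sig, attacker_channel)
                     or server_accepts_signed(altered, sig, user_channel))
    return otp_fooled, signed_fooled
```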
