Yet Another Reason not to use SMS Authentication

Brian Krebs just tweeted this Medium post which details a new flaw in SMS-based authentication.

It’s time to stop using SMS for anything. | by Lucky225 | Mar, 2021 | Medium

Aside from the security concerns, it’s been documented in the past that some companies can’t help but reach into the cookie jar and use these phone numbers for advertising purposes.

If you use a service that only offers, or requires the use of SMS auth, consider moving off that platform. At the very least, open a support request and express some dissatisfaction.


This happened to me with my bank. They wouldn’t let me even log in any more unless I set up SMS authentication (never mind that not everyone even has a cell phone.) Then, mere days later, I got an unrelated SMS message from them promoting a new service. I would love to consider moving off their platform, but you know how house mortgages go… not the easiest or freest thing to move.


Unfortunately my work uses SMS 2FA for logging in to certain tools. The only way to get “off that platform” is to quit my job.

I hate SMS 2FA, but few services offer other authentication tools.


Fortunately this situation doesn’t place you personally at risk, it’s on your employer to realize these risks as it’s their assets to secure. You can still provide feedback to the appropriate folks though.


When I have to use SMS-based two-factor I use my Google Voice number. That number is also protected by two-factor authentication.

Obligatory video of @JasonHowell locking himself out of his Google Account :sweat_smile:

Sorry, Jason.


Unfortunately this doesn’t help very much, these flaws are present in the core of the telecommunications network rather than the client-facing side.


How does RCS affect this?

I doubt RCS makes any difference… it isn’t supported by anyone who would be using 2FA (i.e. invented by Google, used by no one.) And unless the messages are encrypted and signed, it still doesn’t prevent a man in the middle attack. Additionally, a lot of the hacking is using the network itself, or the providers in it. If your SMS/RCS provider decides to deliver your messages to the wrong party, you’d still be hosed.


I agree with @PHolder, from what I’ve read of RCS it won’t help, although details are hard to come by as everyone under the sun seems to have their own implementation of this “standard” right now.

Within the telco network this is a fundamental problem of authentication. Since RCS still relies solely on your telephone number to identify you (I believe this is a requirement of the spec), it’s inherently insecure. I understand Google plans to include end-to-end encryption in their implementation, but that’s not part of the official spec so it would only apply to a subset of users.

I’m so torn on this problem. I’m just a casual camper user now that I’ve retired and my bank and several financial services periodically require I verify with SMS 2FA. On my Mac, it’s just so sweet that the SMS number pops up on my screen so I don’t have to grab my phone…just click on the little message box and it goes into the field.

BUT! These are my finances…what else can I do? Complain? Sure…that’ll go nowhere. It’s still better than my first pet’s name!


I didn’t realize that e2e was only a Google thing; I thought it was part of the spec.

The spec does say messages should be encrypted in transit, but not end-to-end, meaning your carrier would have a decryption key. I’d bet money that a carrier would sell that key in an instant to make a profit. Or simply accidentally make it available.

No reason not to complain! Take your business elsewhere if possible.

Considering the severity of this flaw and others surrounding SMS, I’m not so sure that a pet’s name would be much worse. When forced to use security questions like that I simply input a random string of characters and keep it somewhere safe.


You’re so smart! SMRT, smart :joy::joy::joy:

I may not like the insecurities of SMS but I do love my bank and financial center and would hate to move my accounts. We’ve been loyal to each other for over thirty years. I will write a letter, though…who knows! :hugs:

Luckily, I log in often enough to both and on the same computer that I am rarely asked to authenticate. You bring a fair point about the silly questions, too. The name of my first pet was over sixty years ago and only close family might possibly remember it. I’ve never posted about it online where someone could scrape the information as well and it’s not like the newspapers posted an obituary for a pet! :joy:

So, is the best way to authenticate to use a Yubi key or an authenticating app? I’m not sure I even trust an app…you never know if it will be sold later?

Authy, which is a TOTP (time based token) app, has got to be far safer than SMS. (Assuming you use it intelligently.) Even still, based on the hacking of Twitter, it’s possible to have the token phished.

An actual hardware token (like Yubikey but NOT using the Yubikey protocol, which could also be phished) implementing FIDO2 should be even more secure. I don’t think the FIDO2 protocol can actually be easily phished or person-in-the-middle attacked.

The problem, as ever, is the hardware tokens are not free, and can be broken, lost or misplaced. Inevitably they therefore feel they need a backup system to work around an unavailable hardware token, and that usually becomes the way you end up getting attacked. (Such as your bank using the stupid “security questions” or SMS.)


The cool thing about a TOTP app is that the TOTP protocol is a standard, you can take your TOTP seeds to any compatible app quite easily. So no need to worry about an app getting sold out from under you.


I always use alternative answers to such questions (first pet etc.), not real answers. You just need to remember what response you use to which question.

I use a Yubikey for everything that will use it. I do not put a mobile phone number in any service, if I can avoid it.

My personal bank uses a smart card reader with optical sensor. I have to plug in my card and hold the device to the screen and the screen shows a “moving” barcode - i.e. a set sequence of stripes that correspond to the account number being transferred to, the amount etc. and the device, combined with a secret set up when the device was initialised, and the card produce a one-time code. The code authorises the payment, but the code is locked to the account number it read from the screen and the amount it read from the screen - and those two pieces of information are shown on the screen of the device for confirmation, before the code is displayed.

If somebody tried to hijack the session in the browser, the account number would be different to the one I entered, or the amount would be different and I wouldn’t enter the authorisation code. If they took the code I entered and tried to use it for a different account or amount, it would fail.

My other bank uses “PhotoTAN”, it displays a multi-coloured QR-Code of the transaction information and the app on the smartphone (you can also buy a separate device to do the same thing) has been initialised by the bank with a secret, by reading an initial coloured QR-Code, which is sent by mail. It then combines the secret with the transaction information on the screen to generate a one time token to sign the transaction.

These methods have to also be used every time you log onto a new device or after a set period of time on that device (so you can go a month or so without reverifying on the device every time you log on, but at some point, you will need to reverify).
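Two of the mechanisms discussed in this thread side by side, as an added illustration that is not from the original posts or from any bank or app vendor: the standard TOTP code (which is why a seed can be moved between compatible apps, as noted earlier), and a one-time code bound to the account number and amount read from the screen, in the spirit of the chipTAN/PhotoTAN flow just described. The device secret, nonce and account number are constructed values, and the transaction code is a simplified sketch of the binding principle, not the real chipTAN algorithm.

```python
import hashlib
import hmac
import struct


def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time-step counter.
    Any compliant app given the same seed produces the same code, which is the
    portability point made in the thread."""
    counter = struct.pack(">Q", now // step)
    return _truncate(hmac.new(seed, counter, hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, account: str, amount_cents: int,
                     nonce: bytes, digits: int = 8) -> str:
    """Constructed sketch of a transaction-bound code (not a bank's real protocol):
    the device secret is mixed with the account and amount the device read from
    the screen, so the resulting code is valid only for exactly that transfer."""
    msg = nonce + account.encode() + struct.pack(">Q", amount_cents)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def bank_verifies(secret: bytes, account: str, amount_cents: int,
                  nonce: bytes, code: str) -> bool:
    """Bank side: recompute over the transfer it is about to execute and compare
    in constant time. A session-hijacked account or amount yields a different code."""
    expected = transaction_code(secret, account, amount_cents, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    # Constructed values for illustration only.
    secret, nonce = b"device-secret-from-init-qr", b"\x01\x02\x03\x04"
    code = transaction_code(secret, "DE00123456", 12500, nonce)
    return {
        "totp_rfc_vector": totp(b"12345678901234567890", 59),          # RFC 6238 test seed
        "genuine_transfer_ok": bank_verifies(secret, "DE00123456", 12500, nonce, code),
        "tampered_account_ok": bank_verifies(secret, "DE00999999", 12500, nonce, code),
        "tampered_amount_ok": bank_verifies(secret, "DE00123456", 999900, nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```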


So jealous of European banking :pensive:


The Canadian Tax web site has 5 different “secret questions” which you can choose from a list of about 25. They randomly decided that three of mine were no longer good questions, then made me choose three new ones. The questions can be pretty obtuse, but still aren’t very secure. “Where was your father born?” or “The name of your high school sweetheart” or stuff like that.

I store the questions and answers in my password manager (which they don’t make easy to do, because I have to edit the page source to get the question texts.) I always make sure the answers are random garbage but also include something obscene at the front, in hopes an agent would be unwilling to read it off over the phone if somehow tricked into it.


Don’t think it would work with some UK call handlers, I suspect they would be delighted to have a legitimate excuse to utter an obscenity on a customer call - and a subject of much post-call hilarity with colleagues.


Over here, creative swearing is regarded as an art form.