Just when you thought SMS 2FA made you safer than Trojan

Two-factor authentication (2FA), most commonly through SMS, has been sold as a solution to security on websites. I was never a fan due to not wanting to give my cell number to marketers … and let’s face it, they’re all marketers.

The following exposes just how weak SMS 2FA is, and it really is.

ETA: added SMS in multiple locations for clarification … thanks @kilimar.


I’ve glanced through the original article on Vice yesterday and was dreading reading it cause it’s too long and didn’t seem to contain the actual technical details. Thankfully Krebs’ article is shorter, to the point, and describes the actual problem.

“This basically means the only thing standing between anyone and the equivalent of a SIM swap is a forged LOA,” Nixon said. “And the ‘fix’ put in seems to be temporary in nature.”


In the title, I would replace 2FA with SMS. 2FA is too broad and 2FA isn’t the problem. Or rather add SMS in front of 2FA.

Thanks for the heads up, I didn’t realize they found another way to intercept SMS. Another reason to try and kill SMS 2FA.


I’ve got a YubiKey, but I think there are maybe 3 sites I use somewhat regularly that take advantage of it. None of them are financial institutions.


You’re absolutely right, and I’ve adjusted the title and post to reflect the SMS issue.
