Two-factor authentication (2fa), most commonly through SMS, has been sold as a solution to security on websites. I was never a fan due to not wanting to give my cell number to marketers … and let’s face it, they’re all marketers.
The following exposes just how weak SMS 2fa is, and it really is.
ETA: added SMS in multiple locations for clarification … thanks @kilimar.

kilimar
I glanced through the original article on Vice yesterday and was dreading reading it ’cause it’s too long and didn’t seem to contain the actual technical details. Thankfully Krebs’ article is shorter, to the point, and describes the actual problem.
“This basically means the only thing standing between anyone and the equivalent of a SIM swap is a forged LOA,” Nixon said. “And the ‘fix’ put in seems to be temporary in nature.”