by v12 » Mon Jul 26, 2021 2:25 pm
2FA using anything related to a mobile number is completely broken, for anybody. It does not provide additional protection against somebody with malicious intent.
Why: Easy SIM swaps and effectively "open" mobile phone communications.
What to do: Get separate 2FA devices and/or things like pregenerated OTP.
2FA using a mobile phone is broken for everything related to government and/or commercial trust/security.
Why: Mobile phones have the option to receive "hidden/silent" SIMs with configuration instructions. The interface between that and the rest of the phone is leaky, with the consequence that anybody with access to the phone's uplink connection is able to send those instructions. Read about Pegasus.
What to do: Don't use mobile phones for anything serious.