SS7 network fraud SMS 2FA

Hi,
I read this http://www.databreachtoday.com/bank-account-hackers-used-ss7-to-intercept-security-codes-a-9893 . But I have a question. If I use TTS to have a voice read the OTP token to the user instead of sending an SMS token, will I mitigate this attack?

Note: TTS (Text to Speech)

So you want to use a voice call to call the user and read the OTP value to the user?
After all you can also probably redirect the voice call and this results in the same problem as with the SMS.
Maybe it does not scale that well but after all the attacker might attack a dedicated bank, since the attacker knows: This bank does not use mTAN/SMS anymore but TTS.

And I think the acceptance by the users and the user experience might not be that good.
Yes, it might be a bit more difficult - hm, not difficult - but a bit more inconvenient to attack, but I have the feeling that the possible slight improvement in security might not justify the effort and inconvenience.

SMS and TTS are both NO POSSESSION factor. The security does not come from the second factor as it should with two-factor authentication. Rather, it comes from the transport path, which, sadly, you as the master of your privacyIDEA installation do not have under your control.

So honestly I am very happy with this news, because personally I think SMS is totally not fit for authentication. (I used backspace to delete the power words I wanted to use :wink:)

OK! Thanks!
I must agree that it is not good to use SMS or other telephone means.
SMS OTP token is dead! Twilio say with no… :wink: