> The problem is SMS account recovery, which is a really bad idea.
The problem is that a lot of services tie the two together. Often one implies the other. Even if it doesn't, though, it's also easier to social engineer -- "look! I have access to the 2FA phone number! I just can't access my password manager!"
In times like these, I am glad to live in a stone age country like Germany, where it is near-impossible to get a new SIM without going to the store in person and presenting a government-issued ID.
Sorry, but you are wrong. Today there was news on heise that clearing bank accounts by replacements and transferring the money to some popular new banks like Fidor and N26 resulted in a temporary ban on a small bank transferring any money to these banks.
It's happening here too ;)
Or a country like Sweden, where you have to authenticate to customer service through 2FA using an application connected to your bank account, where you input a password or fingerprint.
And then the change only happens after you confirm a text message sent to your phone asking you to approve the request.
I would say that for the average user SMS 2FA is secure enough.
P.S. I might have a different perspective, as where I am from, there really aren't important services (banks etc.) that are using SMS 2FA. Mobile operators don't ship SIM cards by mail; you can get a new SIM only in person by providing ID (or PIN/PUK in the case of prepaid cards). Probably my country is just too small a market for these kinds of attacks, so I feel secure enough when using SMS 2FA.
Depends on what it's protecting; for example, for banks using it, it isn't, as it's a common enough attack vector that it's appeared on consumer programs on TV fairly often, and they had to introduce a law to allow people to be refunded in cases of SIM swap.
It seems like this only happens to people who have poor opsec about their email addresses, phone numbers, and are publicly related to the cryptocurrency movement. I mean, I'm sure it happens to other people, but that's the only case I've ever heard about.
I would personally be wary about publicly listing the email I use with my bank, or my phone number, and I've done what I can to scrub the internet of these values. If you have to be publicly reachable through a medium other than Facebook or Twitter, have a separate email and phone number through which you conduct your serious personal business. But most people do not need this kind of public reachability, or else have it through work. For those types of people, it would behoove them to keep their profile small.
A writer for ZDNet might be a public figure, but to call him "very public" seems like a stretch. There are probably millions of people as public as him or more.