
SoylentNews is people

posted by cmn32480 on Friday August 05 2016, @11:51PM
from the you-mean-plain-text-isn't-safe dept.

An article in TechCrunch describes changes that the National Institute of Standards and Technology (NIST) is considering to its Digital Authentication Guideline:

For now, services can continue with SMS as long as it isn't via a service that virtualizes phone numbers — the risk of exposure and tampering there might be considered too great. NIST isn't telling for now, but more info will come out as the comment period wears on. But before long all use of SMS will be frowned on, as the bolded passage clearly indicates.

Additional comments are available on Bruce Schneier's blog.



This discussion has been archived. No new comments can be posted.
  • (Score: 3, Insightful) by frojack (1554) on Saturday August 06 2016, @02:02AM (#384677) Journal

    Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.

    Apparently they were prepared to accept it as long as SMS traveled via SS7 [wikipedia.org], the side channel that cell systems use to tell your handset a call is arriving. Phone companies used to jealously guard this channel, and charge blood for a text message because it used this signaling channel for non-call related messages.

    Now that significant numbers of carriers have pushed text messages off of SS7 for those phones that jump to VoIP when it is available, that signaling is all on the internet, as just another packet.

    What NIST doesn't say is that SS7 itself is subject to IMSI catchers (Stingrays - see same link as above).

    I'm not buying the objection to SMS based on the fact it might travel by VoIP. After all, all that would be needed would be encryption on the VoIP channel, which is already supported.

    Instead I believe that NIST is warning people away from SMS in general, because you never know how it actually travels these days, and being an arm of the government they can't come out and say that SS7 is vulnerable to Stingrays. Kudos to them for finding another way to tell us the same thing.

    --
    No, you are mistaken. I've always had this sig.
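The draft text frojack quotes above states three checkable rules for SMS out-of-band (OOB) verification: the pre-registered number SHALL be on a mobile network rather than a VoIP or software-based service, the number SHALL NOT be changeable without two-factor authentication at the time of the change, and the code itself is sent only to that pre-registered number. The following is an added example of how a verifier might enforce those rules; it is not frojack's, NIST's or SoylentNews' code. The carrier-type table, the 300-second code lifetime and the FakeSms transport are constructed assumptions standing in for a real number-type lookup and a real SMS gateway.

```python
import hashlib
import hmac
import secrets
import time

# Constructed carrier-type table. Assumption: a production verifier would
# query a carrier / number-portability database to classify the number.
NUMBER_TYPE = {
    "+15550001111": "mobile",
    "+15550002222": "voip",
    "+15550003333": "landline",
}

CODE_TTL_SECONDS = 300  # assumed lifetime of an outstanding OOB code


class PolicyViolation(Exception):
    """Raised when a request would break one of the SMS OOB rules."""


def number_is_mobile(phone: str) -> bool:
    """Rule 1: the number SHALL be on a mobile network, not VoIP/software-based."""
    return NUMBER_TYPE.get(phone) == "mobile"


class Account:
    def __init__(self, username: str):
        self.username = username
        self.phone = None      # the pre-registered OOB telephone number
        self._pending = None   # (sha256(code), expiry) of the outstanding code

    def register_phone(self, phone: str, second_factor_verified: bool = False) -> None:
        """Initial enrolment, or change, of the pre-registered number.
        Rule 2: a change SHALL NOT be possible without 2FA at the time of change."""
        if self.phone is not None and not second_factor_verified:
            raise PolicyViolation("changing the pre-registered number requires 2FA")
        if not number_is_mobile(phone):
            raise PolicyViolation("number is not associated with a mobile network")
        self.phone = phone
        self._pending = None   # any code for the old number is invalidated

    def send_code(self, transport, now=None) -> None:
        """Rule 3: generate a one-time code, keep only its hash server-side and
        hand the plaintext to the SMS transport for the pre-registered number."""
        if self.phone is None:
            raise PolicyViolation("no pre-registered number on file")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        expiry = (now if now is not None else time.time()) + CODE_TTL_SECONDS
        self._pending = (hashlib.sha256(code.encode()).digest(), expiry)
        transport(self.phone, code)

    def verify_code(self, code: str, now=None) -> bool:
        """Single-use, time-limited, constant-time comparison of the submitted code."""
        if self._pending is None:
            return False
        digest, expiry = self._pending
        self._pending = None   # one attempt per issued code, success or not
        if (now if now is not None else time.time()) > expiry:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())


class FakeSms:
    """Constructed transport that records messages instead of sending them."""

    def __init__(self):
        self.sent = []

    def __call__(self, phone: str, text: str) -> None:
        self.sent.append((phone, text))


def demo() -> dict:
    """Walk the policy: enrol a mobile number, reject VoIP, gate changes on 2FA,
    and show that a delivered code is accepted once and rejected on replay or expiry."""
    results = {}
    acct = Account("alice")
    acct.register_phone("+15550001111")            # enrolment, mobile number, OK

    try:                                            # VoIP number, even with 2FA
        acct.register_phone("+15550002222", second_factor_verified=True)
        results["voip_rejected"] = False
    except PolicyViolation:
        results["voip_rejected"] = True

    try:                                            # change attempt without 2FA
        acct.register_phone("+15550001111")
        results["change_without_2fa_rejected"] = False
    except PolicyViolation:
        results["change_without_2fa_rejected"] = True

    sms = FakeSms()
    acct.send_code(sms, now=1000.0)
    phone, code = sms.sent[-1]
    results["sent_to_registered_number"] = phone == acct.phone
    results["code_accepted"] = acct.verify_code(code, now=1100.0)
    results["replay_rejected"] = not acct.verify_code(code, now=1100.0)

    acct.send_code(sms, now=1000.0)
    _, code2 = sms.sent[-1]
    results["expired_rejected"] = not acct.verify_code(code2, now=2000.0)
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks in register_phone matters: the 2FA gate runs before the carrier-type check, so an attacker who has only the password cannot even learn whether a candidate number would pass the mobile-network test. Storing only the hash of the outstanding code means a read of the account table does not yield a usable code.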
  • (Score: 4, Interesting) by Snotnose (1623) on Saturday August 06 2016, @04:04AM (#384691)

    Apparently they were prepared to accept it as long as SMS traveled via SS7 [wikipedia.org], the side channel that cell systems use to tell your handset a call is arriving. Phone companies used to jealously guard this channel, and charge blood for a text message because it used this signaling channel for non-call related messages.

    I worked for Qualcomm while the IS-95 spec was being hammered out (early 90s). Part of that spec defined SMS (Simple Message Service) messages. In the CDMA protocol, every few ms (20 ms if memory serves) the handset calls the base station and says "hey, got anything for me?" The BS either says yay, in which case a call is setup, or nay, in which case the handset goes to sleep for another few ms.

    Turns out, one of the messages in that transaction had to be 255 bytes long, but the information itself left something like 152 unused bytes. So SMS was created to use those unused bytes (yes chillen, that is why Twitter has a 140 byte limit). Nobody expected SMS messages to be used for much. 90% of my communication now is either face to face, or via texting.

    We were flabbergasted when phone companies not only charged $0.10 per SMS, but consumers paid it! This is data the phone company had to send anyway, it cost them more to keep track of who sent what and do billing than it did to actually send the damned messages!

    Fast forward a year or two, and people are using SMS all over the place. This was totally unexpected.

    Now, some 20+ years later, I get unlimited messaging, some data cap I never go anywhere near reaching, and 60 minutes of talk time. I average maybe 10 minutes/month of talk time. Unfortunately, most of those minutes are the couple hours every few months I spend on hold waiting for tech support.

    --
    My ducks are not in a row. I don't know where some of them are, and I'm pretty sure one of them is a turkey.
    • (Score: 2) by Snotnose (1623) on Saturday August 06 2016, @04:06AM (#384693)

      I really wish I could edit a post within a minute or two of submitting it. Or get better with the preview button.

      --
      My ducks are not in a row. I don't know where some of them are, and I'm pretty sure one of them is a turkey.
      • (Score: 2, Funny) by tftp (806) on Saturday August 06 2016, @06:09AM (#384706) Homepage

        I really wish I could edit a post within a minute or two of submitting it.

        You can already, and it is very easy:

        > diff -u foo1 foo2
        --- foo1 2016-08-05 23:01:54.475719756 -0700
        +++ foo2 2016-08-05 23:02:34.796049558 -0700
        @@ -1,5 +1,5 @@
        Now, some 20+ years later, I get unlimited messaging, some data cap
        -I never go anywhere near reaching, and 60 minutes of talk time.
        +I never go anywhere near reaching, and 600 minutes of talk time.
        I average maybe 10 minutes/month of talk time. Unfortunately,
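Review bot: the hunk header `@@ -1,5 +1,5 @@` declares five lines on each side, but only three appear per side (two context lines plus one removed or added line), so `patch` would reject this hunk as truncated; either restore the two missing trailing context lines or correct the header to `@@ -1,3 +1,3 @@`. The two context lines `Now, some 20+ years later, ...` and `I average maybe 10 minutes/month ...` have also lost the leading space that unified diff requires on unchanged lines.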

        Anyone who cares can apply the patch - and you may choose to not care about the rest :-)