0

I’ve seen many HN comments bashing on SMS being insecure. But WhatsApp and signal both use it as their primary authentication method so it can’t be that bad?

Why is it bad? What attacks are it susceptible to?

david_adler
  • 121
  • 4
  • You mean for 2FA? Have you looked this up? https://www.google.com/search?q=Is+SMS+a+secure+authentication+method%3F – schroeder Jun 25 '22 at 09:02

1 Answers1

2

... SMS being insecure. But WhatsApp and signal both use it as their primary authentication method so it can’t be that bad?

Being secure or insecure is not a binary thing. The question is instead if it is sufficiently secure for the specific purpose. Also it is important to find the right balance between security and usability - more security typically makes it harder to use.

The WhatsApp account is bound to a phone number, so in the initial setup or when setting up a new device it needs to be verified that the user has actually access to the claimed phone number. It's kind of impossible to do this without contacting the user by the phone number, since all what WhatsApp has as information about the user is the phone number.

When later using WhatsApp the authentication is no longer done using the phone number, but using secrets stored on the enrolled device. Apart from that WhatsApp is actually offering a way to protect against account takeover using SIM swapping or SMS hijacking attacks - just enable two step verification.

Is SMS a secure authentication method? ... Why is it bad? What attacks are it susceptible to?

When using SMS for authentication the main attacks are SMS hijacking (intercepting single SMS) and SIM swapping (taking over the phone number). If the SMS is the single authentication element then this can obviously be a problem, but if it is used in addition to another element then it just adds more security and does not lower the security.

Both SMS hijacking and SIM swapping are not trivial attacks, i.e. they mean substantial costs for the attacker - either in terms of money, time, access to specific infrastructure ... . So they cannot be done for nearly nothing in mass like other attacks but are reserved for more valuable targets where the costs are worth the gain.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434