SMS

https://imgs.xkcd.com/comics/messaging_systems.png

SMS, t(e)xt messaging, or t(e)xting is a way of sending short messages over cell phones which is unfortunately often used and recommended by silos as a second factor and for password resets, despite being highly insecure and a known enabler of account hijackings.

Enables 2FA bypass
When SMS is added as a second factor to an account, it typically also enables account reset via SMS, ironically replacing one single factor (email address and password) with another (control of the phone number), enabling 2FA bypass on the account.


 * 2017-07-06 @justin: "Someone socially engineered AT&T to get a new SIM for my phone, signed into my Paypal (using 2FA) and withdrew a bunch of money." (was actually done by SMS password reset / account recovery on PayPal, see posts in tweet thread)


 * 2017-08-21 NYT: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency "Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest."


 * 2018-07-17 Motherboard: The SIM Hijackers "Meet the hackers who flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims' weakness? Phone numbers. […] … logged into her email and noticed someone was resetting the passwords on many of her accounts. […] By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number. […] “With someone's phone number,” a hacker who does SIM swapping told me, “you can get into every account they own within minutes and they can't do anything about it.”" Emphasis added.
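The paradox above (SMS 2FA plus SMS recovery needs fewer attacker capabilities than a plain password) can be checked mechanically. The following is an added example, not code from this wiki page or any of the services named on it; the capability names and the four constructed account configurations are assumptions made for illustration.

```python
# Added example: a small model of which attacker capabilities suffice to take
# over an account, depending on how SMS is used. Names are hypothetical.
from itertools import combinations

# Things an attacker may have obtained. "phone" means control of the victim's
# phone number (e.g. after a SIM swap) and therefore of every SMS sent to it.
CAPABILITIES = ("password", "phone", "email", "totp_device")


def login_paths(account):
    """Every set of capabilities that lets someone into the account."""
    # Normal login: the password plus every enabled second factor.
    paths = [frozenset({"password"} | account["second_factors"])]
    # Each recovery method resets the password on its own, so each one is a
    # complete path by itself.
    for method in account["recovery_methods"]:
        paths.append(frozenset({method}))
    return paths


def minimal_takeover_sets(account):
    """Smallest capability sets from which the account can be taken over."""
    paths = login_paths(account)
    minimal = set()
    # Ascending size guarantees that anything already in `minimal` is smaller.
    for size in range(1, len(CAPABILITIES) + 1):
        for combo in combinations(CAPABILITIES, size):
            have = frozenset(combo)
            reaches_account = any(path <= have for path in paths)
            already_covered = any(m <= have for m in minimal)
            if reaches_account and not already_covered:
                minimal.add(have)
    return minimal


def phone_alone_suffices(account):
    """True if controlling only the phone number is enough to take over."""
    return frozenset({"phone"}) in minimal_takeover_sets(account)


# Constructed configurations illustrating the page's argument.
PASSWORD_ONLY = {"second_factors": set(), "recovery_methods": set()}
SMS_2FA_WITH_SMS_RECOVERY = {"second_factors": {"phone"},
                             "recovery_methods": {"phone"}}
SMS_2FA_NO_SMS_RECOVERY = {"second_factors": {"phone"}, "recovery_methods": set()}
TOTP_2FA = {"second_factors": {"totp_device"}, "recovery_methods": set()}

if __name__ == "__main__":
    for name, acct in [("password only", PASSWORD_ONLY),
                       ("SMS 2FA + SMS recovery", SMS_2FA_WITH_SMS_RECOVERY),
                       ("SMS 2FA, no SMS recovery", SMS_2FA_NO_SMS_RECOVERY),
                       ("TOTP 2FA", TOTP_2FA)]:
        print(f"{name}: {sorted(map(sorted, minimal_takeover_sets(acct)))}")
```

The model shows that adding SMS as both factor and recovery method leaves the phone number as a one-item takeover set, whereas the same SMS factor without SMS recovery requires the password as well.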

Insecure Account Recovery
Since SMS text messages are sent in the clear, even legitimate use of SMS to reset an account sends the necessary codes in the clear (which can be intercepted), and thus is an insecure method for account recovery.

Insecure Second Auth Factor
Even if a service does not allow account reset/recovery via SMS, it’s still insecure as a second factor.
 * 2018-08-01 Reddit official announcement: We had a security incident. Here's what you need to know.
 * "Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."

Silo Examples
(need screenshots of the nag-ware screens from Apple (iOS 9+ nags you on first start, iOS 10+ nags you continuously in the Settings app), Google, Facebook, etc. encouraging/defaulting you to add your cell phone number for auth / recovery reasons).

Also need screenshots from any services that, when you add SMS as a second factor, default to adding SMS as an account recovery method (1-factor), which actually makes your account *LESS SECURE* than if you had never attempted to turn on 2FA in the first place.

Amazon
Amazon is a review, rating, and comment silo in addition to being a predominant e-commerce site.

Amazon.com, upon signing in with email and password, prompts you to enter a mobile number for “account security”.

Apple ID
Apple ID is a silo identity service that is now (all but?) required to use any iOS or MacOS device.

On MacOS, you are prompted by the "Settings" app to associate a phone number that can receive SMS with your Apple ID to "verify your identity".



Instagram
Instagram only allows SMS-based MFA and then enables SMS recovery as well, thus making your account MORE vulnerable (e.g. to SIM-jacking, as documented above) than if you had never turned on their MFA.


 * 2018-07-17 Motherboard: The SIM Hijackers "Certain services, including Instagram, require that users provide a phone number when setting up two-factor, a stipulation with the unintended effect of giving hackers another method of getting into an account. That’s because if hackers take over a target’s number, they can skirt two-factor and seize their Instagram account without even knowing the account’s password."

Twitter
Twitter actually prompts you to add a phone number to your account (if you don't already have one on it), with SMS password reset *as a feature*! They are literally prompting you to make your account *less* secure while claiming the opposite. WTF.



Text of prompt reads (emphasis added): "Safeguard your account Add your phone number now to help ensure that you can log in to Twitter, even if you lose your password"

What the prompt really means: "Make your account vulnerable Add your phone number now to help ensure that anyone pretending to be you to your phone company can log in to Twitter, even without your password"

Benefits
When used for its intended purpose (notifications that do not require security), SMS can serve as an alternative to push notifications when there is no data connectivity, because it is extremely compact. Services like PagerDuty use SMS alerting for monitoring.