Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Dan Hollis
paypal used to openly support token 2fa, but have since made it nearly 
impossible to use hardware tokens. they try very hard to ram sms down 
everyone's throats.


-Dan

On Sun, 18 Apr 2021, Mel Beckman wrote:


No, every SMS 2FA should be prohibited by regulatory certifications. The telcos 
had years to secure SMS. They did nothing. The plethora of well-secured 
commercial 2FA authentication tokens, many of them free, should be a mandatory 
replacement for 2FA in every security governance regime, such as PCI, financial 
account access, government web portals, etc.

-mel via cell

On Apr 17, 2021, at 6:27 PM, Tim Jackson  wrote:

Every SMS 2FA should check the current carrier against the carrier when 
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few 
others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuh...@gmail.com> wrote:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/


Anecdotal: With the prior consent of the DID holders, I have successfully 
ported peoples' numbers using nothing more than a JPG scan of a signature that 
looks like an illegible 150 dpi black and white blob, pasted in an image editor 
on top of a generic looking 'phone bill'.





Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Mel Beckman
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos 
had years to secure SMS. They did nothing. The plethora of well-secured 
commercial 2FA authentication tokens, many of them free, should be a mandatory 
replacement for 2FA in every security governance regime, such as PCI, financial 
account access, government web portals, etc.

-mel via cell

On Apr 17, 2021, at 6:27 PM, Tim Jackson  wrote:


Every SMS 2FA should check the current carrier against the carrier when 
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few 
others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuh...@gmail.com> wrote:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/


Anecdotal: With the prior consent of the DID holders, I have successfully 
ported peoples' numbers using nothing more than a JPG scan of a signature that 
looks like an illegible 150 dpi black and white blob, pasted in an image editor 
on top of a generic looking 'phone bill'.




Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Tim Jackson
Every SMS 2FA should check the current carrier against the carrier when
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a
few others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke  wrote:

>
> https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
>
>
> https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
>
>
> Anecdotal: With the prior consent of the DID holders, I have successfully
> ported peoples' numbers using nothing more than a JPG scan of a signature
> that looks like an illegible 150 dpi black and white blob, pasted in an
> image editor on top of a generic looking 'phone bill'.
>
>
>
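The port-out check Tim describes, as an added illustration (not code from the thread or from any bank): compare the carrier recorded at SMS enrollment with the carrier the number is on now, and disable the SMS factor on a mismatch. The carrier lookup table, the phone numbers and the carrier names are constructed placeholders; a real deployment would query a number-portability or carrier-lookup service, and the check fails closed when that lookup is unavailable.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SmsEnrollment:
    """What the service stores when a user enrolls SMS as a second factor."""
    number: str                 # E.164 phone number (constructed sample values below)
    carrier_at_enroll: str      # carrier observed at enrollment time
    sms_2fa_enabled: bool = True


# Constructed stand-in for a carrier / number-portability lookup.
# +15555550100 is still on its original carrier, +15555550101 has been
# ported elsewhere, and +15555550102 is deliberately absent so the code
# exercises the "lookup unavailable" path.
CURRENT_CARRIER = {
    "+15555550100": "Carrier A",
    "+15555550101": "Carrier B",
}


def lookup_carrier(number: str) -> Optional[str]:
    """Return the carrier currently serving the number, or None if unknown."""
    return CURRENT_CARRIER.get(number)


def _norm(carrier: str) -> str:
    return carrier.strip().casefold()


def check_sms_factor(enrollment: SmsEnrollment,
                     current_carrier: Optional[str]) -> Tuple[bool, str]:
    """Decide whether an SMS code may be sent to this enrollment.

    Returns (allow_sms, reason). A carrier mismatch is treated as a port-out:
    the SMS factor is unenrolled in place and the user must re-verify through
    another channel. An unknown current carrier also blocks SMS (fail closed).
    """
    if not enrollment.sms_2fa_enabled:
        return False, "sms_not_enrolled"
    if current_carrier is None:
        return False, "carrier_lookup_failed"
    if _norm(current_carrier) != _norm(enrollment.carrier_at_enroll):
        enrollment.sms_2fa_enabled = False   # unenroll; do not send the code
        return False, "port_out_detected"
    return True, "carrier_matches"
```

Once `sms_2fa_enabled` is cleared, later calls keep returning `sms_not_enrolled` until the user re-enrolls through a non-SMS factor.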


Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Eric Kuhnke
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/


Anecdotal: With the prior consent of the DID holders, I have successfully
ported peoples' numbers using nothing more than a JPG scan of a signature
that looks like an illegible 150 dpi black and white blob, pasted in an
image editor on top of a generic looking 'phone bill'.


Re: BGP Graceful Restart

2021-04-17 Thread lobna gouda
Hello Graham,

I had a chance to analyse this topic, GR and GR helper mode (default) for the EoR 
msg and for the LLGR timer afterwards, and had e-mail correspondence with the 
RFC author.
I would say, based on your environment topology and the type of BGP fault/error, 
you keep the default mode unless BFD is configured, even if you do not have GR 
configured. There is benefit in helping your neigh (if no BFD) in the restart 
process, based on the type of peering relation.

Now, to enable GR itself, you have to know what you are doing and why, and where 
in the network it is actually enabled. Still, you don't enable it where BFD is 
configured.

Brgds,

LG

From: NANOG  on behalf of 
Graham Johnston 
Sent: Friday, April 16, 2021 10:11 AM
To: nanog@nanog.org 
Subject: BGP Graceful Restart

I do believe that I understand the intended purpose of BGP
graceful-restart. With that said, I was watching a video of a talk
given by someone respected in the industry the other day on the use of
graceful-shutdown and at the beginning of the talk there was a quick
disclaimer that his topic had nothing to do with graceful-restart
along with some text on the slide that provided me a clear indication
that he was not a fan of graceful-restart.

Largely, I suspect that his point was that if you otherwise do the
right things during maintenance that graceful-restart has the
potential of being really problematic if things go wrong, and thus he
was discouraging the use of it. Is there consensus as to whether
graceful-restart has any place in a service provider network?

Thanks,
Graham


Re: BGP Graceful Restart

2021-04-17 Thread Mark Tinka

On 4/16/21 16:11, Graham Johnston wrote:

I do believe that I understand the intended purpose of BGP
graceful-restart. With that said, I was watching a video of a talk
given by someone respected in the industry the other day on the use of
graceful-shutdown and at the beginning of the talk there was a quick
disclaimer that his topic had nothing to do with graceful-restart
along with some text on the slide that provided me a clear indication
that he was not a fan of graceful-restart.

Largely, I suspect that his point was that if you otherwise do the
right things during maintenance that graceful-restart has the
potential of being really problematic if things go wrong, and thus he
was discouraging the use of it. Is there consensus as to whether
graceful-restart has any place in a service provider network?


When the majority of the hardware we had had a single control plane, we 
used GR on those (and only inside our AS).


But as nearly 100% of all our BGP-speaking hardware now has dual control 
planes, we just go for the vendor's NSR implementation. We've found that 
to be a lot more reliable because it is locally significant, 
predictable, and generally works well as it has matured a great deal in 
the last decade.


Mark.