To defend against such attacks, users should avoid SMS-based OTP services and use authenticator apps that do not require push notifications that could be intercepted.
Tell that to every online service that forces you to have SMS-based authentication enabled.
NIST has said that SMS should not be used for auth/password resets for ~20 years now. No one seems to give a single fuck.
It’s partly stupidity, but the main reason is online services want to identify their users, and they want to prevent users from making thousands of accounts to abuse their services. I understand the latter, but there is a better way than forcing people to use a non-secure, faulty auth method.