- May 14, 2008
Yes, let me clarify: it's MORE prevalent now than it was in the past because more bad actors are now turning their attention to taking advantage of the now known ways of subverting the s7 protocol, but not as much REPORTING on it has been done, probably because no one likes to admit to being compromised, and obviously hackers and Nation States aren't going to own up to it. (And as an aside, if you don't think Nation States have been doing this for a long time, you're kidding yourself.) But hackers other than governments are now slowly going to be taking advantage of the SMS 2FA. Why? Because it's not as secure anymore as the OTR TBOTP apps like Google's authenticator. This is why the security community has already warned against, and has deprecated, the use of SMS as a robust method of 2FA over time-based apps. As you've said above, is SMS better than nothing? Yes. Is Microsoft doing a disservice by offering SMS over the token based OTP? I believe they are, yes.
So you know for sure it is more prevalent although there is no reporting? Come on man. I guess I can continue to use your logic of saying something is, just because I think it is without any proof whatsoever. You know, like your math that you didn't even link that somehow shows complexity is just as important as length of passwords...
Look, I don't even know what your point with all this is anymore. Passwords are outdated and have been for a long time. And the SMS scare isn't even a major factor in this, because for someone to be able to intercept and act on your SMS text message to take over your account, they would have to be a sniper with cat-like reflexes to recognize and do something about it. So it really isn't a factor in this. Nor is the SMS redirect that big of an issue, all things considered. I have been hearing about it forever, and forever people have been saying how big a problem it is, and yet hardly anything is out. I haven't had a single company I work with get hit with an SMS redirect attack or be affected by one.
Also read the article again, Microsoft isn't doing SMS for their 2FA, it is only being used as a one-time thing to setup the 2FA. You can also use OTP with MS as well, they have all kinds of articles on how to do it. You can use any number of solutions or setups. What they are offering is an easy way for first time users to start using a better system than passwords. It is amazing how many people want to hate a company even when that company is trying to improve security.