2FA using SMS in NZ

Forums › Desktop computing › 2FA using SMS in NZ

jlittle

188 posts

Master Geek

ID Verified

Subscriber

#246671 15-Feb-2019 17:49

Overseas you tube tech channels say that using SMS for 2FA is not very effective; thieves just have to persuade a telco to do a SIM swap on your phone number. However, that's what the ASB gives me for my personal accounts.

(I have access to a business account at the ASB and an RSA code generator is used.)

Has the SIM swap attack been used in NZ? Should I ask the ASB to do better?

timmmay

20579 posts

Uber Geek

Trusted

Lifetime subscriber

#2181070 15-Feb-2019 18:23

Theoretically SMS for 2FA can be broken, and if you're a high value target then you probably want better. Hardware tokens are better. But for most people, with daily transaction limits in place, my opinion is SMS is adequate. Remember it's only to authorise transactions, so they'd need your password to log in, initiate a transaction, and then MFA to authorise it.

SirHumphreyAppleby

2844 posts

Uber Geek

#2181115 15-Feb-2019 21:25

You can request an RSA token for personal banking as well. I have one because SMS isn't always fast and reliable, and I refused to pay $0.20 each time the bank sent me a text when I exceeded whatever arbitrarily low transaction limit they set at the time. They no longer charge for the SMS, but they do still charge for the RSA token ($1 per month)... should be standard IMO.

coffeebaron

6232 posts

Uber Geek

Trusted

Lifetime subscriber

#2181142 15-Feb-2019 23:01

Both Vodafone & Spark have stopped online / over the phone SIM swaps. Not sure about 2degrees.

Rural IT and Broadband support.

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com

mattwnz

20149 posts

Uber Geek

#2181149 16-Feb-2019 00:56

SirHumphreyAppleby:

You can request an RSA token for personal banking as well. I have one because SMS isn't always fast and reliable, and I refused to pay $0.20 each time the bank sent me a text when I exceeded whatever arbitrarily low transaction limit they set at the time. They no longer charge for the SMS, but they do still charge for the RSA token ($1 per month)... should be standard IMO.

Banks like Rabodirect provide the digipass tokens free, and BNZ use a grid of numbers. But other banks like TSB charge for the token, but have sms as an alternative.

vulcannz

436 posts

Ultimate Geek
Inactive user

#2181179 16-Feb-2019 09:04

jlittle:

Overseas you tube tech channels say that using SMS for 2FA is not very effective; thieves just have to persuade a telco to do a SIM swap on your phone number. However, that's what the ASB gives me for my personal accounts.

(I have access to a business account at the ASB and an RSA code generator is used.)

Has the SIM swap attack been used in NZ? Should I ask the ASB to do better?

A SIM swap would disable your existing SIM. It would require local (NZ) presence which most thieves at that end would not be interested in as their image would likely be captured.

The more serious attacks involve SIM cloning. That involves local presence and a lot of work.

Both are theoretically possible. But are highly unlikely, in fact if you had a physical token it'd probably be easier just to nick that from you than mess around with SIMs. Or just nick your phone.

nathan

5695 posts

Uber Geek
Inactive user

#2181181 16-Feb-2019 09:10

any serious "hacker" is simply going to use the SS7 protocol vulnerabilities.

its no wonder a 1975 set of standards has vulnerabilities, when its still in used 44 years later with cost-prohibitive fixes