Google's cellphone 2FA isn't for security, it's to get your mobile number to add to their pile of data.
I remember when they said I could have a vanity address for Google Plus... if I texted them a code.
So I texted them from one of those net-to-SMS gateways, and Google has considered that my mobile number for a number of years now. If I delete it, it comes back.
Haven't they already got your number from the address book of one of your friends? All it takes is one person with your contact details in their gmail/Android.
The list of companies involved in the FIDO alliance who either won't push U2F or offer it, or, even if they do offer it, keep a backdoor through SMS, is astounding.
It's basically gross professional negligence at this point, especially if you had a hand in writing the spec.
Getting sick and fed up of this stuff. These are issues we've known about for basically a decade+ at this point.
Paypal, Facebook et al take note, would you please.
Don't you know what the immediate reply would be?
"Oh great, ANOTHER thing to lose...or get STOLEN."
My bank has an app which identifies me if I scan a QR code on the computer screen, plus a password.
Of course, my bank in North America still has no 2FA whatsoever. And the password cannot contain special characters.
"... And the password cannot contain special characters."
There's a good reason for that. You may one day need to access your account from a PC that has a different keyboard layout that does not contain one of the special characters you decided to use. Sure you can enter the ASCII codes via AltGr - if you know what they are. Then there's the fact that some characters have different ASCII codes in different character sets - so even if you find the character on the keyboard, the foreign OS may translate it to a different ASCII code than your home PC uses and your password will not work.
Having special characters in a password does not increase its security any more than adding an additional character or two would.
Unless you're NOT ALLOWED to add an extra character due to length limits...
If you can't extend the length, your only option is to widen the gamut.
SS7 dates from the time when external telco networks could only be external telcos
IOW it's peer-to-peer, where the peer is a remote exchange or a remote telco.
Today we now know that basically anyone could be on the other end of that connection, wired or wireless.
The implication of this is that the attack surface for this is not your telco. It's every telco your telco is connected to.
IE, the world.
Re: SS7 dates from the time when external telco networks could only be external telcos
True, you are connected to IPX, even when not roaming.
BTW, have some fun and google for connected burglar alarm disarming with SMS....
Not to mention all the interconnection providers, aggregators, virtual network operators etc.
"And the password cannot contain special characters."
Consider yourself lucky. My local council has a website on whose security I cannot comment because it seems to be operated by the C-word company. It requires one of those passwords which must contain at least one letter, number and special character. There is no option, however, for 2FA.
Someone is not getting, not just recent security memos, but those from several years ago.
NIST & FCC
The FCC recommendations issued for SS7 are only recommendations and have no binding effect, AND the NIST security draft recommendations at first said not to use SMS any longer for sensitive things (e.g. passwords), but that sentence vanished and was no longer in the final version....
There is no free lunch, in particular if you want good security.
Re: NIST & FCC
But at the same time, you can't make security too hard or people will blow off your hoop-jumping and find ways around you. You have to make it EASY AND SECURE at the same time or you won't be effective.
I guess the problem lies in roaming. When you go abroad, any operator may allow you to use their network. And they apparently do not need to look at the SIM card's ICC number and encryption.
It has only to do with roaming in the sense that your home operator has an STP (signaling transfer point) that can receive MAP messages from anybody.
The SMS forwarding in SS7 runs roughly like this: the attacker claims to be another operator and says that you are currently in his network (update location). When the SMS with the password then comes, it is delivered to the SMSC of the partner (which the attacker conveniently set to his own server).
If no special care is taken, e.g. SMS home routing, partner whitelist, roaming restriction check etc., then, well, the SMS gets delivered, but not to you... So even if you have a subscription which is not allowed to roam, the STP at the edge would not necessarily know that and block this kind of request...
BTW, roughly the same approach also works for 4G/Diameter.
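As an added example that is not from the thread, here is a small Python sketch of the STP-edge screening the comment above describes: a roaming-partner whitelist, a per-subscriber roaming restriction check, and a consistency check between the claimed VLR and the sending network. The message fields, partner prefixes and subscriber records are all constructed for illustration and do not reflect any real operator.

```python
from dataclasses import dataclass

# Constructed roaming-partner whitelist: global-title (E.164-style) prefixes of
# the networks this home operator actually has a roaming agreement with.
PARTNER_GT_PREFIXES = ("4917", "3367")

# Constructed subscriber records: IMSI -> whether roaming is permitted at all.
SUBSCRIBERS = {
    "262011234567890": {"roaming_allowed": True},
    "262019876543210": {"roaming_allowed": False},
}


@dataclass
class UpdateLocation:
    """Minimal stand-in for a MAP UpdateLocation request (hypothetical fields)."""
    imsi: str          # subscriber the sender claims has attached to its network
    origin_gt: str     # calling-party global title of the sending node
    vlr_number: str    # VLR the sender claims now serves the subscriber


def screen_update_location(msg, partners=PARTNER_GT_PREFIXES, subs=SUBSCRIBERS):
    """Return (decision, reason). 'reject' means the STP should drop the request
    and alert, instead of letting the HLR re-home the subscriber (and thus the
    delivery of their SMS) to the claimed network."""
    sub = subs.get(msg.imsi)
    if sub is None:
        return "reject", "unknown IMSI"
    # Partner whitelist: only networks we have an agreement with may move us.
    if not msg.origin_gt.startswith(partners):
        return "reject", f"origin GT {msg.origin_gt} is not a roaming partner"
    # Roaming restriction check: a non-roaming subscription can never be abroad.
    if not sub["roaming_allowed"]:
        return "reject", "subscriber is not permitted to roam"
    # Consistency check: the claimed VLR should live in the sending network.
    if not msg.vlr_number.startswith(msg.origin_gt[:4]):
        return "reject", "VLR number does not belong to the originating network"
    return "accept", "plausible roaming update"


def screen_batch(messages):
    """Screen a list of requests and return only the rejected ones with reasons."""
    alerts = []
    for m in messages:
        decision, reason = screen_update_location(m)
        if decision == "reject":
            alerts.append((m.imsi, m.origin_gt, reason))
    return alerts
```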
"...or, even better, find a service that offers second-factor authentication from an app, key fob or other gizmo."
Except every single bank around here has been moving in the _opposite_ direction lately. Initially they used to hand out tokens to generate passcodes if you wanted internet banking - these days they all just text you a code. A local auth app would be nice, but only if I get to choose mine - because each of those banks already has its own "banking app" too, and forcing me to use one of those would be enough for me to give up online banking altogether...
Sounds like a bridge too far to me. You won't trust any app the bank provides, and the banks can't trust any app you choose, and any third party could be a Mallory posing as Trent so can't be trusted, either.
Which means if you don't have a physical branch to go to, you're in trouble.