TOTP or 2FA are not secure; anyone who really has their mind set on it can easily exploit the SS7 vulnerability and forward the SMS and calls from your SIM to themselves without you even knowing. For more details watch this video.
This is just another video in support of discarding all SMS OTPs. I hope our Indian banks and Indian websites stop using SMS OTPs for every single little thing.
Is there any device that can be used to add a 2FA code generation process like bank employees use? After watching this video, I don't know how safe any telecom system really is.
You can only use whichever 2FA is supported by the service you're signing in to. E.g. Google supports hardware keys, TOTP, prompts on signed-in mobile devices, etc. But banks support nothing but OTP. Bunch of idiots.
Correction, Kotak does now support approving sign-in using their mobile app. But still not as good as other methods.
If I remember correctly, then the SS7 vulnerability is only applicable when companies are using 2G/3G networks and not when using 4G or 5G, as they don't use SS7.
Jio is 4G or 5G only.
Towards the end, he also explains that the risk is that telecom operators use SS7 for routing amongst themselves, so it's still being used if you're on 4G/5G and calling a different network.
Kinda like BGP vs OSPF/EIGRP. Not a great comparison, but gets the point across.
While the OTP is compromised, that is the second F in 2FA. You still need to intercept that specific browser or app session where you logged in with your password and about to enter the OTP. Or that payment session of the bank OTP authentication page.
How do they achieve that remotely?
Of course, safer would be to move from SMS OTP to something like an RSA soft token.