One-time password
(section)
=== SMS ===
A common technology used for the delivery of OTPs is [[text messaging]]. Because text messaging is a ubiquitous communication channel, being directly available in nearly all mobile handsets and, through text-to-speech conversion, to any mobile or landline telephone, text messaging has a great potential to reach all consumers with a low total cost to implement. OTP over text messaging may be encrypted using an [[A5/1#Security|A5/x]] standard, which several hacking groups report can be successfully [[cryptanalysis|decrypted]] within minutes or seconds.<ref>{{cite journal | first = Elad | last = Barkan | author2 = Eli Biham | author3 = Nathan Keller | title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication | year = 2003 | pages = 600–16 | url = http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2003/CS/CS-2003-05.ps.gz | author2-link = Eli Biham | access-date = October 6, 2015 | archive-url = https://web.archive.org/web/20151007073852/http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2003/CS/CS-2003-05.ps.gz | archive-date = October 7, 2015 | url-status = dead }}</ref><ref>{{cite web | url = http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf | title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication by Barkan and Biham of Technion (Full Version) | first = Elad | last = Barkan |author2=Eli Biham |author3=Nathan Keller }}</ref><ref>{{cite journal | first = Tim | last = Gueneysu |author2=Timo Kasper |author3=Martin Novotný |author4=Christof Paar |author5=Andy Rupp | title = Cryptanalysis with COPACOBANA | url = http://www.sciengines.com/copacobana/paper/TC_COPACOBANA.pdf | journal = [[IEEE Transactions on Computers]] | year = 2008 | volume = 57 | issue = 11 | pages = 1498–1513 | doi = 10.1109/TC.2008.80 | s2cid = 8754598 }}</ref><ref>{{ cite conference | conference = 26th Chaos Communication Congress (26C3) | last = Nohl | first = Karsten | author2 = Chris Paget | title = GSM: SRSLY? | access-date = December 30, 2009 | date = December 27, 2009 | url = https://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html }}</ref> Additionally, security flaws in the [[Signalling System No. 7|SS7]] routing protocol can and have been used to redirect the associated text messages to attackers; in 2017, several [[Telefónica Germany|O2]] customers in Germany were breached in this manner in order to gain access to their [[mobile banking]] accounts. In July 2016, the U.S. [[NIST]] issued a draft of a special publication with guidance on authentication practices, which discourages the use of SMS as a method of implementing out-of-band two-factor authentication, due to the ability for SMS to be [[Man-in-the-middle attack|intercepted]] at scale.<ref>{{Cite news|url=https://www.zdnet.com/article/nist-blog-clarifies-sms-deprecation-in-wake-of-media-tailspin/|title=NIST blog clarifies SMS deprecation in wake of media tailspin|last=Fontana|first=John|work=ZDNet|access-date=July 14, 2017|language=en}}</ref><ref>{{Cite web|url=http://fortune.com/2016/07/26/nist-sms-two-factor/|title=Time Is Running Out For SMS-Based Login Security Codes|last=Meyer|first=David|website=Fortune|access-date=July 14, 2017}}</ref><ref name="verge-2famess" /> Text messages are also vulnerable to [[SIM swap scam]]s—in which an attacker fraudulently transfers a victim's phone number to their own [[SIM card]], which can then be used to gain access to messages being sent to it.<ref>{{Cite web|url=https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping|title=The frighteningly simple technique that hijacked Jack Dorsey's Twitter account|last=Brandom|first=Russell|date=August 31, 2019|website=The Verge|language=en|access-date=January 30, 2020}}</ref><ref>{{Cite news|url=https://www.theguardian.com/money/2015/sep/26/sim-swap-fraud-mobile-phone-vodafone-customer|title='Sim swap' gives fraudsters access-all-areas via your mobile phone|last=Tims|first=Anna|date=September 26, 2015|work=The Guardian|access-date=January 30, 2020|language=en-GB|issn=0261-3077}}</ref>