I wish I could disable SMS 2FA across the board. Many financial institutions require it.
… and I wish all tech support would be only within the borders, so our personal information stays within the country.
 
I really wish SMS 2FA would go away. Google, Apple, my bank, and my school plus others require it now. If I were to lose my phone number somehow, I would be in a terrible situation.
It's the same deal with email addresses as login. So many companies won't let you change that, ever. So you are stuck with an email address you would rather cancel being required for many businesses, or losing your account at ALL those businesses.
 
So when will I get a pop-up on my iPhone saying that my carrier "has updated its settings"? Because, so far, as far as I can tell, AT&T has notified me of such an update. It's never been Apple that's "updated my carrier settings"; it's AT&T.
 
Theirs is the best system by far. No matter how it's done, 2FA requires you to have a cred on you. If it's SMS, that cred is your SIM card. With Apple 2FA, it's all your devices, and it's easy to set up. New phone, just accept the 2FA on your old one or your Mac.

Google Authenticator (the OTP app) is awful. Perfect example of nerds designing things with only themselves in mind. It's unclear how you transfer the codes to a new device, and it's super easy to just permanently lock yourself out of everything. I actually had to experiment with migrating phones because it's undocumented, or at least was.

Funny, I find Apple's MFA to be less desirable than most other MFA options. Here is my preference, if I have a choice:

1) Dedicated apps with push notifications and the ability to respond to the notification directly on the device. Best examples are Microsoft Authenticator, Okta, and (surprisingly) Comcast. Regardless of what device I try to log on from, I get a push notification to my phone (or iPad) and can approve the request immediately. No need to type a random number into my computer. Bonus to apps which allow me to approve on my watch. Plus "passwordless" login on Microsoft Authenticator is awesome when you have to sign in to Microsoft hundreds of times a day for testing purposes.

2) TOTP-based solutions integrated with a password manager. I know this is a little bit of a preference. I have my TOTP codes stored in my 1Password vault. Any time I sign in using 1P, the code is automatically added to my clipboard so I can just type cmd-V to paste the correct code. (Yes, I understand there is a slight loss of security here, but I will take a little convenience for a very minimal loss of security.)

3) Apple 2FA - It works well. One feature I like is that it shows you the location the request is coming from. But it is too cumbersome if you log in regularly. (Acknowledge the request, read the code, but don't hit enter by mistake, type the code again.) Plus, I wish Apple would allow us to designate which devices can receive the notification. Maybe I don't want a notification to pop up on the same device I am trying to log in to. (Or do I really need the same notification on three different devices? Mac, iPad, and iPhone.)

4) TOTP-based solutions with a separate app. There is no need to use Google Authenticator; there are better TOTP apps such as Authy and Microsoft Authenticator. Both allow you to back up and restore your codes to a new device or share codes across devices.
 
Microsoft Authenticator
I agree with everything you said, but I had to call out MS Authenticator too. This app is seriously underrated. I love how they give you a number, then send you a push and you have to pick the matching number. It's so simple and convenient compared to TOTP, where you're manually typing/copy-pasting codes all over the place. And they fully support Apple Watch!
 
Those are probably slightly more secure than what I do, but they're too cumbersome for me and impossible for less techy family members. If you're using iCloud Keychain with randomized passwords, it's vaguely like the benefits of #2 and #3. My Apple 2FA is the gateway to all those websites with no 2FA. Or if they have it, I opt out. If they're able to steal my password as it goes from Keychain to site input, they're probably also able to trick the 2FA. Of course this only works because I mostly only use Apple devices, otherwise I'd be doing #4 + a password manager.

Problem with each site's 2FA, besides all being different, is often they either:
- have reset mechanisms that defeat the purpose
- only support 2FA by SMS, which more importantly (to me) than being weak, leads to my phone # being misused
- are cumbersome; #1 is nice in ways, but often times I don't want to pull out my phone
- don't have 2FA at all

For super important things like my bank account, none of the above applies. Usually it's #1 like you said + one of the very few strong passwords I can store in my head.
 
It's ridiculous how widespread SMS 2FA is, given how awfully insecure the entire GSM stack is. In some countries anyone can ask for a duplicate of your SIM, with barely any ID checks. We have so many better alternatives to generate OTPs.
Well there's not much else. TOTP isn't mainstream, and there's email, but many people aren't set up to check that on phones easily. Like TriBruin mentioned, the only good alternative that's widely used is a site-specific 2FA app.
At least it's better than the security questions they relied upon until scarily recently.
 
Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.
I just tried to remove my phone number using this guide: https://support.apple.com/guide/iphone/manage-two-factor-authentication-iphd709a3c46/ios

It would not allow me; it said I must have at least one trusted phone number on file with my Apple ID. Which is so stupid. I do not want that requirement.
 
They try to be useful with "scam likely" ID but still ringing anyway in case I'm feeling lucky. And how am I getting SMS messages from email addresses?? Why would I ever want that?

Btw, I just got a slew of 5 spam Facetime calls for the first time. Two were group calls.
Time to make new friends. XD
 
Nice to know they closed a small loophole only to leave the major loopholes open to continue thriving. Hackers can actively intercept your phone calls and text messages (they can also easily crack the weak encryption on your phone calls and iMessages), and they do not need to port your number, and the loophole does not require you to click on a link. Unless all of you plan on never downloading any apps to your phone, and unless all of you never plan on using cloud services like Dropbox, OneNote, Apple Store, and Google store, then you are vulnerable to being hacked remotely. The least of your worries is if someone is forwarding your text messages via business services. Get real.
 