You are assuming that the SMS is like a password and the phone number is like a ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		InAnEmergency on Oct 23, 2014 \| parent \| context \| favorite \| on: Twitter Digits You are assuming that the SMS is like a password and the phone number is like a user name, and that's all an attacker would need to log into the app. However, it doesn't have to be designed that way. There could be another value tying the phone number and SMS to the specific app login attempt, in which case intercepting just the SMS is not sufficient.

InAnEmergency on Oct 23, 2014 [–]

Have to amend my statement...if the attacker can intercept the SMS in real time, then it is an effective attack:

1. Attacker knows victim's phone number and attempts login

2. Attacker intercepts SMS as it is sent to victim

3. Attacker completes their login process with the SMS code

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact