159 comments

[ 2.4 ms ] story [ 252 ms ] thread
Just wait until he learns that all you need to intercept an email is a forged LOA!
I really do wonder why this issue is not given more light.

You can potentially BGP hijack a domain (via DNS) and e-mail (via SMTP) as a private individual so easily. Image a nation-state. These protocols only have bandaids like DNSSEC and RPKI stopping you from doing it, which both have painfully small adoption and don't realistically stop a determined attacker.

This could happen at anytime by an individual with the motivation, and it only needs to be successful for a few minutes to gain access to a huge amount of private data.

This has to be a huge national security risk, right? Why do we not take it seriously?

Where i live you can use an email as a proof of anything at court
so can a fax, but bureaucratic shortsightedness is not a good proof of anything.
How do you do these attacks exactly??
> You can potentially BGP hijack a domain (via DNS) and e-mail (via SMTP) as a private individual so easily.

No you can't.

Well various attacks exist against ip routing, dns, email forging etc,in practice they are really hard to pull off as an individual who isn't in a privileged network position (with possible exception of email forging. That one is a bit easier depending on stuff)

> You can potentially BGP hijack a domain (via DNS)

I think you might be confusing stuff here. Unless you bgp hijack the nameserver, but if you have that ability, why not go after the site directly?

(comment deleted)
> No you can't.

Yes you can

> they are really hard to pull off as an individual who isn't in a privileged network position

“privileged network position”, as in someone with a couple of thousand dollars to spend.

If you've worked in the industry, you know you can get a BGP uplink these days with bare minimum IRR source validation with only a signature on a contract (not even payment is required to turn up generally).

Using this, you can advertise any IP prefix you want. Since a lot of providers advertise /23+ as well, if you hijack the /24, you will always be the BGP best path and will be able to accomplish a full internet-wide hijack.

Of course, the task requires a few weeks of planning and execution, but that doesn't stop it from being possible.

If you are a nation-state, you already have all of the above, and nobody to hold you accountable for using it.

> Of course, the task requires a few weeks of planning and execution, but that doesn't stop it from being possible.

Few weeks? With most providers you can get this done within 24h from the initial email to sales@

Getting the colocation, hardware, BGP uplink, and the creativity involved in not using your identity at all & minimizing (or eliminating) expenses. Possible, but it'll take a few weeks.
You don’t need any of those things, you can just rent a dedicated server (perhaps even a VPS) and send over a LoA and have the host route the IPs to your box.

I’ve never had to deal with colo or think about hardware to have my IPs announce.

Generally the reason an attacker would do those things is because their hijacks will last much longer due to lack of an abuse department and victims having to contact upstreams.

Shorter ASPath, planning which Tier 1/2 is the best to hijack from, and lack of LOA requirement or RPKI.

If an attacker wants to do this - they don't want to "just" cause damage. This is a limited opportunity. They want to do it right, and that takes planning.

I do agree that your idea is possible, but I don't think it captures the full severity of the issue.

> You can potentially BGP hijack a domain (via DNS)

domains and BGP don't really interact, can you explain what you mean?

I guess he meant the ip address
I imagine what they're getting at is, you do a BGP hijack so that you get all the DNS queries about domain.example. So when a resolver asks about something.domain.example it gets told to ask servers authoritative for domain.example and it is given the IP addresses for some of those servers, but a BGP hijack could (if successful) allow you to answer for those IP addresses instead.

At this point you can give any answers you like for such queries.

If the domain has DNSSEC, you either have to choose answers you've seen that may be misleading (e.g. old but still not expired answers) or some resolvers might notice your answers are bogus.

Many domains today don't have DNSSEC, so, you could give any answer and it will be indistinguishable from an answer by the legitimate authoritative DNS servers. Nobody would know any different.

Now that you can cause traffic to go wherever you want, you can easily satisfy most of the Ten Blessed Methods and get yourself certificates in the Web PKI ("SSL Certificates") or whatever else you needed to achieve.

In the distant future sometimes it may be possible that a recursive is able to assure itself that the answer is genuine via DPRIVE [DNS over HTTPS, or TLS, or QUIC or whatever else is invented] instead but in practice most of the routes by which we could get genuine answers ultimately rely on DNSSEC (DPRIVE is still doing something useful for you - privacy benefits, particularly oblivious transfer could mean you get trustworthy answers with a promise that your honest broker doesn't know what you asked, and the authoritative servers know what was asked but not who asked it)

> These protocols only have bandaids like DNSSEC and RPKI stopping you from doing it

The lion share of mailers don't check even them.

Just wait till the people freaking out about BGP find out what you can accomplish with a fake court order!
Sorry about the ignorance, but what's a LOA?
A Letter of Authority (LOA) is a legal document that allows customers to authorize someone to act on their behalf within agreed limits.
Is there any cases LOA is abused to intercept emails?
How would this work in cases of say protonmail?
How does that work?
BGP hijacking, you can send a fake LOA to almost any ISP and have them announce whatever IPs you’d like.
But at least for e-mail you can sign messages that are supposed to have serious consequences. I've never seen a signed SMS.
Only weird nerds actually sign their emails (beyond DKIM), people conducting meaningful transactions do not.
OK, but at least all the tools are there.
The tools are there for SMS too.
Can you show me?
TextSecure up until 2015. I suppose you could use age too, UX would be pretty similar as with gpg.
So, let's suppose you have a really excellent forged letter of authorization saying you are authorized to read my mail. Totally convincing, anyone who sees it will have no doubt it's real.

What do you suppose you can do to give that effect?

In the US SMS case LOAs work because it's in the interests of the people who can make it happen to make it happen. The LOA is just to cover their backsides, "Why did you redirect this Michigan man's SMS messages and thereby enable his life savings to be stolen?" "Oh we had this Letter of Authorization, so we honestly believed it's what he wanted". They don't believe that, but their lawyers are confident that it's enough excuse that, at least until after somebody powerful is inconvenienced, it will hold up.

But nobody benefits from helping you give effect to your (convincing but bogus) LOA for my email. My ISP doesn't want anything to do with this work, if you're lucky they'll tell you that it's none of their business - more likely it just goes in the round file and you never hear back from them.

There is no central clearing house for email that you can give a few bucks to for my emails so long as you have an LOA to keep them on the right side of the law. Instead for email everybody involved is getting paid by me, not by you, so they've got no reason to help you at all.

> What do you suppose you can do to give that effect?

To any ISP as I ask them to announce your MX IP addresses.

> There is no central clearing house for email that you can give a few bucks to for my emails so long as you have an LOA to keep them on the right side of the law.

There is, it’s called BGP.

You don't need LOAs. You need a contract and an API with a upstream provider where you can attack numbers real-time.
can we stop pretending electronic communication involving of-the-shelf components is secure?

i guess the pandemic has left us with little choice but meeting in person is still the only way to have a private conversation and i guess this won't change in the near future given the state of society.

Nothing is secure, but some things are more secure than others. I'd argue it's still worth comparing and making conscious security tradeoffs.
Companies pretend SMS keeps you secure so they can get your phone number for promotions and tracking purposes.

Facebook was caught red-handed doing exactly this. Look up articles about it. Google used to require a phone number for 2FA for a long time, too, but it's optional now.

Nobody ever pretended SMS is secure, but it's also the only thing that actually arrives on a phone in many rural areas of the world.
Then you probably don’t have a suitable internet connection and 2FA is not a concern to you, right?

Also, did you know (tm) that other 2FA mechanisms such as OATH or Fido/fido2 don’t involve stuff arriving anywhere, other than the actual 2fa code? You generate it locally and then type it when promoted by the remote application.

If you need 2FA, you have a computer with a suitable internet connection. If you can’t use non-SMS 2FA it’s likely you also actually have no use for it.

(comment deleted)
this!

sms is also on the same security level with email, fax or a signed letter but way more convenient

it's actually less secure then email. Or even a signed letter depending on what security you are looking for..

And some 2FA are actually less demanding wrt. information delivery then SMS.

Speak for yourself. I find it incredibly inconvenient compared to email.
> sms is also on the same security level with email

No, it's really not. Email can be cryptographically signed, SMS can not.

SMS is far less secure than a code via email.

Also often less accessible, in the circumstances where those SMS challenges show up most often (traveling, for instance).

If we all agree it's not secure then why do we keep using it?

I rather have a unique password then rely on SMS anything especially if that account allows you to reset your password by SMS.

If you need a challenge code it's because you're connecting to something, so it's a given that internet connectivity is present. Which means you could also receive an email, far more secure than SMS. Or the site could just use TOTP.
(comment deleted)
I've seen a few threads like this in the last few days. From where I'm standing, it seems to be a US-only issue.

Can anyone please confirm that in a country that does not allow porting numbers without a code being sent to said number, and does not allow interceptions of the type described in the article, that using SMS for MFA is, in fact, secure?

No, I'm pretty sure eg SS7 attacks work for most (all?) countries.

This particular issue might be US-specific, but the fundamental security problems of SMS are not US-exclusive

This is not a SS7 attack. SS7 attacks doesn't work in practice. Eg A lot of carriers in US are CDMA. GSMA Carriers like AT&T has great firewalls in place to block SS7 attacks.

Further, You can detect SS7 attacks. Major Banks already has measures in place...

SS7 attacks work in practice.

Any network in existence that has roaming enabled is vulnerable to fake roaming requests, and they cannot be "firewalled."

Seeing you implying that CDMA is somehow more resistant than GSM means you know very little how cell networks work. The telephony layer for both is SS7.

The Banks already has anti fraud detection systems in place to detect Roaming attacks. They can see whether number is Roaming enabled or not.

The Telecoms do prevent it with Firewalls.

As for CDMA, Please see,

https://www.wyden.senate.gov/imo/media/doc/Verizon%20SS7%20L...

Banks cannot see if a number is in roaming or not, unless the phone company explicitly tells them through some means.

I so far never heard of anything like this.

How come you forget about HLR?

Banks can see. There are lot of APIs on the web that provides this capability.

One example,

https://www.messagebird.com/lookup/

That looks more interesting. Never heard of such APIs being sold for more than a single operator.

How many operators in the world sell them this access?

(comment deleted)
Isn't it? SMS relies on SS7 to exchange messages. It may not be a direct attack on the network itself, but because of outside dependencies and a history of telcos trusting themselves to get it right (or simply not caring when it's wrong), this attack successfully results in messages getting routed elsewhere on the network.
This attack is based on a Routing network not SS7.

CDMA carriers don't use SS7 for SMS unless you're on Roaming.

> Can anyone please confirm that [...] using SMS for MFA is, in fact, secure?

Nope.

Nobody's going to be able to give you this reassurance, or least they shouldn't, because it isn't true.

It may not even be better than nothing. For example you get email that says your bank has detected large withdrawals from your account and to fill out a web form if you want them to block these withdrawals. The site linked from the email looks reassuringly authentic, and you get a SMS as you expected during the login process. Genuine right? Nope, you've just been phished and you've helped your attackers by giving your real SMS code to their phishing site.

Maybe if there hadn't been the seemingly genuine SMS message you'd have slowed down and realised that the bank's name isn't spelled "Furst Springfield Bonk" or that it wasn't previously hosted on a $1 per month bulk hosting site under a directory named "/wordpress/cgi-bin/cgi-bin/cgi-bin". Maybe not. Either way the SMS didn't help you.

Also, in most countries with any sort of number portability a minimum wage employee at a phone store is authorised to override this (after all they just checked your photo ID right? Or at least they clicked a box labelled "Check photo ID") and issue sims with your number activated to... well, they're authorised to give them to you, but they can give them to the hot guy who paid for shots for them and all their friends last night. It's only a part-time job, worst case if the boss finds out they get fired. So don't tell the boss.

There are plenty of problems. You should not be relying on SMS for multi-factor authentication in 2021. If you still are, make your way calmly towards the exits, find a solution that actually works.

> and you get a SMS as you expected during the login process

They could also ask you to enter the code from your hardware token, and accept whatever code you type. Phishing is a different story, not really related to SMS.

> Also, in most countries with any sort of number portability a minimum wage employee at a phone store is authorised to override this

I don't know about other countries, but here in Israel when you port to a different network a code gets sent to the number you're porting, which you need to provide to the new network.

Where there might be an issue is if you claim to have lost your SIM card. This happened to my wife recently - they did give her a new one in the store, but I instantly got an email telling me about it, so it's not so easy to do that undetected.

> They could also ask you to enter the code from your hardware token, and accept whatever code you type. Phishing is a different story, not really related to SMS.

To the extent there's a "code from my hardware token" it's some blob of data processed by the web browser and there's no way for a normal user to get it let alone enter it into a phishing site for whatever good that would do.

If you're going to bother overhauling your authentication strategy you need to actually counter real threats like phishing. WebAuthn does that. Deploy WebAuthn.

Its not an US issue.

You never own your phone number, yet services enforce it as single point of failure into your security concept.

There really is nothing sane about this at all.

SMS is not secure. Neither is email. Neither is a voice call. Cracked password = easy, free. Getting SMS or voice rerouted? costs money, extra step. A strong, unique password + even SMS 2FA is a relatively safe access control. Ultimately, we're all living with the legacy of a lot of tech that got mass adoption before it was mature (I started my career writing medical device software. I shudder to think how little thought went into security when we were all just trying to get things to work in the 80s).
> SMS is not secure. Neither is email.

That's too much of a simplification. At an absolute level, true.

But security is relative and needs to be measured with the threat models you care about.

Intercepting an email from your bank (let's say) to your email server (whoever provides it) is in practice exceedingly difficult, requires the attacker is in control of a transit point between them.

Intercepting SMS, as described in the article, is trivial and can be done by just about anyone who cares to go for it.

Mr Krebs, Please do your due diligence. The attack vector only works for Landlines, VOIP, Toll-free.

Upstream agreements already block Mobile carriers.

Further, SMS from Short Codes are blocked by default. You can only receive SMS from long-numbers. Eg Wicker ..

The attack also works with Canadian carriers.
It works for at least one mobile carrier, as demonstrated in the article Krebs references [1]. One carrier is enough.

The ability to hijack text messages through an online service was also shown in an article Krebs' source mentioned [2].

Perhaps you're right that upstream agreements with mobile carriers should already be blocked, but in practice it's been proven not to be.

There was a change to NetNumber's systems on 11 March to combat this, but there's no guarantee that their competitors don't have similar flaws or that the measures taken were good enough to stop the attack in practice.

Even still, if the problem might be fixed in the entire US, that doesn't mean anything for the rest of the world.

[1]: https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-1...

[2]: https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...

All your references are pointing to Lucky225 who is trying to market his anti-fraud product.

NetNumber has no competitors. It's a routing database.

The Vice article is a paid piece. This attack doesn't work with any of US Mobile carriers.

> The attack vector only works for Landlines, VOIP, Toll-free.

I'm confused, didn't the article say "A few minutes after they entered my T-Mobile number into Sakari, Lucky225 started receiving text messages that were meant for me"? T-Mobile is a normal cellular carrier here isn't it? What part of it required a VOIP line?

P.S. You can edit your old comments instead of leaving 4 different ones in the same thread.

EDIT: Looking at this 5-day-old user's history, I think it's safe to say we shouldn't take the comments at face value:

https://news.ycombinator.com/item?id=26455000

https://news.ycombinator.com/item?id=26472770

https://news.ycombinator.com/item?id=26464287

He's saying Lucky225 lied to market his service https://okeymonitor.com/ in the article.
Lucky225 lied about... what exactly? The Vice reporter literally says "Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me."
Lied that it was T-Mobile

I'm hoping he lied and T-Mobile SMS can't just be redirected.

Uhm, it's the Vice reporter who's saying "my T-Mobile number"... are you saying he has no idea who his carrier is and Lucky225 told him his carrier was T-Mobile?!?!?!
Well then he didn't lie I guess if it was the journalist getting hijacked live in T-Mobile
Well that's what the article says. It seems like you have no idea what the allegation is about, and the allegation itself seems to fly pretty blatantly in the face of the article too.
The allegation is mobile carriers can't be redirected. Only landline and voip.

Update: So his allegation is there is no reporter supposedly and it's a paid article.

Which directly contradicts the article saying it was T-Mobile...
Well that's what he's claiming https://news.ycombinator.com/item?id=26488898 paid article

I want to know who is right wealthyyy or Lucky225

Well that's why I'm pushing back against it. I very much want to know too. So far, given wealthyyy is a 5-day-old account making so many serious accusations of dishonesty [1] [2] against a Vice reporter without a shred of evidence, it should be obvious who has more credibility right now.

[1] https://news.ycombinator.com/item?id=26474437

[2] https://news.ycombinator.com/item?id=26474424

I don't give ....

Well what. It's obvious who you are. You are Lucky...

Account age is biased way to trust an individual. I could have bought an old HN account from someone but I didn't.

Look, Any Vice reporter can be bribed. You're missing the point.
You accuse people of dishonesty so easily and don't feel any need to show a single shred of evidence supporting your position?
Mr Flow, Please try a TMobile number on ZipWhip. You will see it fails. You will now claim that I am lying and that NetNumber has fixed this. So there is nothing I can do to help you.

I have known about this attack since 2012, but I did not publicly talk about how insecure SMS is for promoting an anti-fraud product.

Note, this is just the tip of the iceberg. There are other attack vectors that only I know!

(comment deleted)
You are personally attacking me for no reason. What does my other comments has to do with this comment?

I don't care whether you believe me or not. This is a fake news at it's best.

Regarding my comments,

[1] That lady is self marketing guru. It's confirmed everywhere even Reddit.

[2] Modern C++ is simpler than TypeScript, Go, Rust. Modern C++ become more like Python.

https://preshing.com/20141202/cpp-has-become-more-pythonic/

https://web.archive.org/web/20131015192353/http://cpp-next.c...

[3] The comment about Christ is a Joke. Can't I make Jokes on HN?

>Upstream agreements already block Mobile carriers. Further, SMS from Short Codes are blocked by default. You can only receive SMS from long-numbers. Eg Wicker .

I've built a very similar product to ZipWhip. These restrictions are likely enforced by ZipWhip, there is nothing structural at the NetNumber or other level that technically prevents you from taking over SMS message routing or receiving messages from short codes on mobile numbers. Submit the SPID change to NetNumber and you're off and running!

The secujrity

It is worth noting that the mobile carriers will periodically "reset" these changes to fix the routing (T-Mobile is one of the more aggressive ones here) and that continued violations by MVNOs like Sakari would eventually result in a loss of access for them.

In Sakari's case, they were doing no due diligence or much to prevent the fraud. My own company's workflow for landlines placed a telephone call to the customer's number to give them a code to use in the registration process (remember, the attack noted in the article doesn't port the number, it just reroutes SMS). For toll-free numbers, we required legal documentation to prove that you owned the number. We also didn't allow any mobile numbers to be registered at any time.

Having username+password+sms is strictly safer than having username+password.

To require the attacker to know your phone number and do costly and/or time consuming things to get access to it means moving from "script kiddie re-using username+password from leaked user databases" to "targeted attacks".

Sure, it's not Safe(tm), but it's a big step up from just username+password.

Not quite. It's only safer if your single priority in the world is protecting that one account. But you need to account for the larger blast radius too: it also turns your SMS, phone line, and other things that revolve around them into actual attack targets, when they weren't previously. The increased potential for collateral damage can very well not be worth it.
Also, it gains increased security at the cost increased chance of lockout. Water damage to your phone may now be enough to prevent you from signing in.
It's notoriously difficult to regain access to many types of accounts, but that's in part because of how little we verify ourselves in the first place.
Water damage would also prevent access to MFA apps like Google Authenticator. And many/most people (world-wide) are accessing the web through their mobile device anyways - so damaged phone = no web access.

That leaves us with physical keys, which the average consumer probably doesn't want to carry around all the time (easy enough to keep on keychain, but most people don't carry keys around their own home).

Google Auth can be backed up (via a QR code), and it works fine on two devices simultaneously.

Most places that offer 2FA auth apps also offer backup codes, which can be stored in any password manager, or offline in a little black book.

I use 1Password for my mfa; I can access my one time passcodes from any device I’m signed in on, and my passwords and secondary authentication are conveniently managed together. If issues like water damage or losing your device are concerns for you, their service might be worth checking out.

Disclaimer: I’m very far from a cybersecurity expert.

Two problems I see with this approach...

1. Consumers are terrible at security. Asking them to subscribe to a password management/MFA tool is likely to fail. If this were baked into iOS/Android, this would be better.

2. Many banks don't support this MFA scheme. A quick poke around 2fa.directory shows a massive number that don't support MFA at all, and another huge bunch that do SMS/email but not software/hardware. This puts consumers in the position of juggling multiple MFA schemes to access various sites.

I don't disagree with you in principle. But until there's a more standard approach to MFA, people will continue to use SMS because it's easy and broadly available as an MFA scheme.

On top of that 1Password is quite pricey, albeit fully featured. I probably wouldn't use it if not for my family's plan.
> Water damage would also prevent access to MFA apps like Google Authenticator.

No, since you can back up the seed in a secure location.

Which you access through the same broken phone (for most internet users).
It is? I thought the problem with SMS is you click "forgot password" and they send you a code via SMS to reset your password. Therefore username+password is safer than username+password+sms because username+password+sms = username (no password)
i agree that username+sms is not good, but what are the other password reset vectors more secure than sms?
Almost anything (with exception of "3 easily googleable questions about you") is safer than sms. For example, emailing password reset link to my gmail account that is protected with real 2fa.
Yes, and besides being more secure it is also more available: I'm much more likely to be able to receive email when resetting a password than I am to have cell reception and have the correct SIM card in my phone. (Examples for access to email but not SMS include: International travel, airplane Wi-Fi, bad cell signal.)

I feel like much of what's wrong with SMS 2FA comes down to a misguided idea of "everyone has exactly one phone number", which is simply not true for a lot of people.

I think you mean:

username+password+sms = username+sms (no password)

But I agree, and would take it a step further:

username+password+sms = username+sms || username+password

And in the worst scenarios:

username+password+sms = sms || username+password

And the same goes for email instead of SMS as well, in most scenarios.

username + unique password would be better than all the other options listed.

Adding SMS seems to add new points of attack that either hurt the user or just delays the hurting.

Nah. If I know your phone number, I hack you voicemail box in no time and then I can just access your Paypal account and you can do nothing against it. Just because you added a phone number to that account.
Yeah. That would be a targeted attack and not something a script kiddie can do.
It's not safer if SMS can be used as a recovery method.
Yes, this. Is SMS used as a login/OTP (additional to your password - e.g. to make a bank transaction), or can be used as a 'trojan'/backdoor to compromise your account?
And even if SMS starts off being just a second factor, it often gets changed to be used for account resets too, so it becomes a single vulnerable factor.
> Having username+password+sms is strictly safer than having username+password.

As someone else pointed out: that's not true if the SMS authentication can be used to recover the password. But let's for the sake of discussion rule those cases out.

Then yes, SMS verification does perhaps add a tiny bit of "security" to the process for the reason you describe. But that tiny bit of security has to be weighed against the enormous extra burden placed on the users performing the (far more plentiful) legitimate logins. Than burden may well be worth it if a lot of extra security is gained. I think it's definitely not for the "security" provided by SMS.

When you consider SMS 2FA is often used to fix the poor or reused password problem we see it's not helping much at all but only delaying the problem.
That’s bullshit, nobody is going to bother with attacks like this to steal your uber or doordash account. SMS 2fa kills credential stuffing attacks for all but the highest value targets.
You do know uber and doordash accounts are hacked all the time because of password reuse? There is a huge black market for hacked accounts from doordash and the like.
That’s my point. These accounts are worth a couple of dollars, nobody would spend $50 on a hacked uber or doordash account.

These accounts are only worth anything as long as they’re cheaper and easier to use than stolen credit cards.

The original VICE article said it was $16 and they can take as many accounts as they want. It seems worth it to me.
Yeah, because that $16 plan is totally going to last for long after people start abusing this at scale.
> Having username+password+sms is strictly safer than having username+password.

No, it is unfortunately actually much worse.

If the account only has name+password and you use a properly good password, nobody will ever guess it (within the lifetime of the universe and all that).

But if the account also has a phone number and the attacker can trigger an SMS challenge to reset the password, now your wonderfully complex password is meaningless. The attackers just intercepts the SMS and done, they own the account.

It is equivalent to the problem of allowing "security questions" with trivially discoverable answers. A site may enforce 20+ character passwords (great!) but then forces user to enter the name of their best friend in high school (trivially findable in e.g. facebook for most people) and lets any attacker bypass the password with just the so-called security questions, rendering the strong password meaningless.

Can we stop pretending that the faux concern for the security of our accounts by tech giants was anything other than an excuse to harvest our phone numbers?

Twitter for example let's you sign up without a number but it then suddenly detects "suspicious activity" and demands your number. Many other sites enforce it or heavily nag you in the name of security.

Exactly! Same with Google, FB. Disk space is almost free, let who ever sign up.
As a devil's advocate, how about the notion that requiring mobile numbers mitigates, if only a little, automated spam?
The problem with that is, if you are going to automate spam, you can afford a burner. Or heck, just pay the $16 or so and hijack someone else's number.
Spammers don't just use one account to spam.
There are free services where you can see a number to get that 'activation code'. Plenty of such services out there.. (a quick search in DDG and this is the top result)

https://mytempsms.com/receive-sms-online/country.html

When twitter suspended my account after creation I tried to use these type of services. Unfortunately every number I tried resulted in an error.
I don't think that's true. For one, the sign up of the accounts itself is often automated and in the hundreds, because bot accounts are squashed all the time. You'd spend thousands on burners.

Spam is mostly prevalent because it's cheap and easy to throw millions of requests at the wall and see what sticks. If it did cost really any money at all it wouldn't be remotely worth it.

In my country you can easily buy a few thousand SIM cards for a cent or two each. I've seen them in classified ads, they're not even hiding.
Same in mine, spammers buy blocks of numbers (for example all numbers from XXXXX100 to XXXXX999) and use them to avoid being blocked by people who block individual phone numbers (with the default phone app). Fortunately I found Yet Another Call Blocker on F-Droid and I can block by pattern with it (XXXXX*) but most less technical people won't be doing that.
Do you not have to pay a network provider in order to use it to make calls and send messages? How does this work?
You don't even need that, at least in America. Phone spoofing is terrifyingly easy.
Personally I don't really mind receiving too much info (asid from DoDS attach of course). Bayesian running locally is pretty good at filtering out spam any way. Stop pretend to corporate nannying us.
It's called "bait and switch".

Similar dick-ish behaviour on Steam. I didn't have a 'profile to comment' on the comment section of a game (Saboteur 2 - Avenging Angel)(I cannot remember the room that gives you the 'god mode')

I went on to create a 'profile to comment'. When I proceeded to write the actual comment I was informed that 'I am not allowed to comment on this game' (I had already logged in with my Steam account. Those *** just wanted the extra info only to tell me what they knew (that I would not be allowed to comment anyway). I deleted said 'profile to comment' but now those *** will keep that info forever.

This is not related to SMS (I thought we established that even with someone with $50k -or less- to burn can read the SMS messages of their neighbours)(https://www.intercept.ws/catalog/interceptors/)

Same with collecting birth dates. It’s just a convenient way to target ads.

I’ve been trying to get Google to stop giving out my birthday for years when I had to enter it for wallet or something. I get birthdays on my calendar from people I emailed once and never knew, or wanted to know their birthday.

Similarly, my contacts have gotten peoples phone numbers changed based on changes made in various subsystems that overwrote the number that I manually entered.

I standardized on giving 1/1/1970 [1] as the date of birth except where I feel my actual birthdate is required.

With online ancestry sites (birth place, mother's maiden name, first name of paternal grandfather), Facebook and Classmates.com (high school mascot, pet's name) and so on it feels like anything "real" could be compromised. Or give somebody enough ammunition to pretend to be me.

I use fake answers but it means carefully logging the answers so I don't forget them.

1. https://unix.stackexchange.com/questions/26205/why-does-unix...

Recommended. Always use different fake answers to everything, be sure to log them in wherever you keep your passwords managed though.

Funny how my best friend from high school is named yiKooPh2 (not a real value of course).

I like 2/29 as some systems are dumb enough to only bug me once every four years instead of once a year.
Does using Google Voice for SMS resolve all security concerns?
No, since many services intentionally don't allow using a VoIP number for SMS 2FA, for example Venmo. It's infuriating.
But it sure is great when you can use Google Voice for this.
I once had to send a fax that included a letter-head to authorize a domain transfer. Because fraudsters can't reproduce letter-head, I guess?
It isn't even a reproduction problem. Who was bothering to verify that the letterhead was genuine?

Letterheads for identity assurance were very much part of the security theatre of their day.

In the case of domain transfers it might have really not been about security at all. Given the other dark patterns associated with that business I'd not be surprised if the requirement existed purely as a soft lock-in measure, to create friction to make transferring out more of a hassle.

(comment deleted)
It's rather strange that in 2021, a prominent security research like Brian Krebs doesn't have a mobile-friendly website.
How about we recognize that SMS should be secure and make it so?

If the FCC would require mobile providers to add crypto features to SMS that prevent spoofing, would it not be possible to do so?

Can we stop submitting Krebs articles and just submit the source instead? Such as this: https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...
The article you just linked is an advertisement for something called Okey Monitor and is not the original source for this event.

The actual source is a Vice article, the author of which contracted a hacker to actually run an op on them as part of the investigation. However, submitting that directly would have simply attracted a bunch of really great political commentary instead of a discussion on SMS.

I have a very solid understanding of how SMS works under the covers, and the Krebs article is actually much better than the original, since it adds more of the specific details of how changing SMS routing is different than number portability as well as some of the behind the scenes players.
Interesting. I knew about SIM swaps, but this "off-net text enablement" is new to me. I did know about text-enabled VoiP numbers, but assumed you had to own the DID first. Coupled with the notes about reseller programs with blanket authorizations, it does sound like SMS is truly useless for 2FA.
Having 2fa with SMS is still better than no 2fa at all.

Sure, TOPT would be far better, but reading this article I'm more concerned with how easy it is to get access to someone's SMS/VoiceMail than anything else.

Many service providers allow account recovery via sms, effectively making it the only factor needed. This is the big concern in my experience.
It is much worse, if attacker can use the SMS to bypass the password entirely and own the account.
Security is relative, NOT absolute.

Involving SMS in the authentication process raises the bar significantly for script kiddie attacks using password databases. It also forces a larger and more detailed forensic trail for any attack.

This attack is enabled by VoIP, which is also responsible for callerID spoofing which has led to the tormenting of millions of people daily with phone spam. The gains from VoIP have absolutely not been worth the loss of trust in what was a reliable communication network. I continue to be unimpressed with "deregulation and free markets", in practice it usually means sharks feasting on confused consumers.