Why Dishfire doesn’t make SMS two-factor authentication useless

Kevin Marks, on the “Dishfire” system which apparently hoovers up millions of SMS messages:

I don’t think this is correct. As I understand it, and in all instances I’ve used, the codes delivered by SMS for two-factor authentication are time and use limited: that means after a few minutes, they’re useless, or if you use them once, they can’t be used again.

This means that, in order to be useful to someone, they would need to be monitored in real time and used before you used them – which would, of course, alert you to the fact they’ve been used, as they would fail when you tried it yourself.

Panic over, people.