Australian Government Tells Citizens To Turn Off Two-factor Authentication (arstechnica.com)

← Back to Stories (view on slashdot.org)

Australian Government Tells Citizens To Turn Off Two-factor Authentication (arstechnica.com)

Posted by timothy on Thursday December 24, 2015 @06:02PM from the perfect-security-vs-perfect-convenience dept.

An anonymous reader writes with this news from Ars Technica: The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA) at its main digital government portal, myGov. The portal's Twitter account has recently been updated several times with cute pictures encouraging holidaymakers to "turn off your myGov security codes" so that "you can spend more time doing the important things."

The portal is the place where Australian citizens can use and manage a number of governmental services, including health insurance, tax payments, and child support. In case of myGov, two-factor authentication is implemented by sending users text messages that contain one-time codes to complement their usual passwords.

146 comments

Min score:

Reason:

Sort:

Begs the question by liqu1d · 2015-12-24 18:07 · Score: 2, Interesting

Was it hacked or has someone been drinking too much fosters?
1. Re: Begs the question by Anonymous Coward · 2015-12-24 18:10 · Score: 2, Interesting
  
  The Australian government is just plain stupid (and undemocratic, too).
2. Re: Begs the question by liqu1d · 2015-12-24 18:10 · Score: 1
  
  Note to self: RTFA. Must be the latter then :).
3. Re:Begs the question by Anonymous Coward · 2015-12-24 18:27 · Score: 2, Interesting
  
  Was it hacked or has someone been drinking too much fosters?
  Nobody here drinks fosters. Stop perpetuating this tired meme.
4. Re: Begs the question by Anonymous Coward · 2015-12-24 19:11 · Score: 0
  
  Blame Men at Work for the stereotypes, not the rest of the world.
5. Re: Begs the question by Anonymous Coward · 2015-12-24 19:26 · Score: 1
  
  Ozzies don't drink Foster's. That stuff is 'roo piss.
6. Re: Begs the question by mbadolato · 2015-12-24 19:53 · Score: 4, Funny
  
  Ozzies don't drink Foster's. That stuff is 'roo piss.
  "Foster's. It's Australian for 'Pabst Blue Ribbon'."
7. Re: Begs the question by Jack+Griffin · 2015-12-24 20:49 · Score: 1
  
  Fosters. It's British/American for 'Australian Beer' (you can't actually buy it in Australia)
8. Re:Begs the question by AHuxley · 2015-12-24 20:52 · Score: 1
  
  As a 5 eye nation every packet in and out falls under "collect it all". US and UK collection is also no problem as Australian encryption is kept tame or as NSA ready US branded "standards" .
  At a gov level all contracts and bids have to be open to US contractors and brands under free trade deals.
  So its the perfect alignment of for profit interests, big gov and encryption but not too much good local encryption that would break 5 eye collect it all.
  The international issue is really the change of sim card to save huge roaming fees that changes the expected domestic phone.
  Why? Australia has very tight control over every sim in use domestically via a 100 point check https://en.wikipedia.org/wiki/... that has a list of photo id, state and federal id, utility bills, bank details that adds up to a mix of id needed to be allowed to get and use a sim.
  ie a domestic phone is trying to be part of a fancy national id card network thats been altered with an international sim card swap.
  
  --
  Domestic spying is now "Benign Information Gathering"
9. Re:Begs the question by jandersen · 2015-12-24 20:57 · Score: 1
  
  It was hacked - there is no such thing as too much Fosters.
10. Re: Begs the question by liqu1d · 2015-12-24 21:21 · Score: 0
  
  I have never seen a +1 troll before :D. I'm doing something right. Merry Christmas/holidays.
11. Re: Begs the question by Anonymous Coward · 2015-12-24 21:42 · Score: 0
  
  Gday! Show us where the pig slashed ya, filthy 'roo.
12. Re: Begs the question by lazybeam · 2015-12-24 22:07 · Score: 1
  
  I've seen it for sale but never actually bought it. Plenty of good beers to choose from instead!
  
  --
  -- no sig for you. come back one year.
13. Re: Begs the question by Anonymous Coward · 2015-12-25 00:09 · Score: 0
  
  Brekkie mate kangaroo.
14. Re: Begs the question by Anonymous Coward · 2015-12-25 00:28 · Score: 0
  
  No, we blame Fosters for their aggressive international marketing campaigns that have no basis in fact.
15. Re: Begs the question by Sable+Drakon · 2015-12-25 00:33 · Score: 1
  
  It's not even American. The stuff bought in NA is brewed and imported from Canada.
  
  --
  The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
16. Re:Begs the question by Anonymous Coward · 2015-12-25 00:38 · Score: 0
  
  It raises the question, not begs the question.
  http://begthequestion.info/
17. Re:Begs the question by Anonymous Coward · 2015-12-25 00:59 · Score: 0
  
  Nobody drinks it here either but in Australia they do. Hell, over there you don't ask for a beer, you ask for a Fosters!
18. Re: Begs the question by Anonymous Coward · 2015-12-25 01:02 · Score: 0
  
  You must be the life of the party.
19. Re:Begs the question by greenfruitsalad · 2015-12-25 02:10 · Score: 1
  
  i had a frien from there. his name was bruce. do you know him?
20. Re:Begs the question by greenfruitsalad · 2015-12-25 02:11 · Score: 1
  
  s/frien/friend
21. Re: Begs the question by Anonymous Coward · 2015-12-25 02:50 · Score: 0
  
  Exactly. Roo piss.
22. Re: Begs the question by morinpatmorin · 2015-12-25 02:58 · Score: 1
  
  OK. Too much Coopers green then...
23. Re: Begs the question by Anonymous Coward · 2015-12-25 03:34 · Score: 0
  
  Ozzies don't drink Foster's. That stuff is 'roo piss.
  All beer is roo piss.
24. Re: Begs the question by Anonymous Coward · 2015-12-25 05:10 · Score: 0
  
  Well, you have to be suspicious of any beer that a country is trying to ship out of the country, right?
25. Re:Begs the question by Cederic · 2015-12-25 07:02 · Score: 0
  
  I'm not going to visit your shitty website because 'begs the question' is a perfectly acceptable, well known and often used idiom in these parts.
  Be pedantic all you like, it's part of the language and you can fuck off if you don't like it.
26. Re:Begs the question by LMariachi · 2015-12-25 08:39 · Score: 1
  
  And you can fuck off if you don’t like people correcting your misusage. You are wrong. Just because a lot of other people are wrong along with you doesn’t make you less wrong, it just makes you less uniquely wrong.
  There are plenty of phrases meaning “brings up the question,” “asks the question,” “leads me to ask,” etc. There are not many for “making an unspoken assumption,” so by appropriating a phrase that means one thing to mean another (for which there are ample alternatives) you are reducing the utility of language, not enriching it.
27. Re:Begs the question by Cederic · 2015-12-25 09:07 · Score: 1
  
  If the general usage means one thing then the dictionary definition and cunts that stick to it can fuck off.
  Welcome to a language that evolves, updates and changes. Something you seem to be incapable of.
28. Re:Begs the question by Cederic · 2015-12-25 09:11 · Score: 0
  
  That's fine, go for it. Get it into common parlance and I'll be terribly impressed.
  I've heard of Jennifer Lawrence, can confirm I haven't had sex with her or passed on any specific conditions. Doesn't mean I wouldn't like the chance.
29. Re:Begs the question by Mashiki · 2015-12-25 09:52 · Score: 1
  
  Well it's just like Canada, where everyone thinks all we do is eat maple syrup and live in igloo's. Don't worry you get used to it after 150 years or so.... the living in igloo's bit, we don't really have cities they're just really amazing holographic projections.
  
  --
  Om, nomnomnom...
30. Re:Begs the question by Anonymous Coward · 2015-12-25 11:26 · Score: 0
  
  Steve Irwin would like to disagree with that statement.
31. Re:Begs the question by Anonymous Coward · 2015-12-25 11:42 · Score: 0
  
  G'day, it's Crocodile Dundee here. I don't think beer, I think Fosters. Others are 'roo piss.
32. Re:Begs the question by Anonymous Coward · 2015-12-25 12:00 · Score: 0
  
  I always thought you were all lumberjacks, spending all day chopping down trees, wearing high heels, suspenders and a bra...
33. Re:Begs the question by LMariachi · 2015-12-25 14:54 · Score: 1
  
  The forces pushing the “evolution” (another word you’re misusing) of language one way or another are all human. I am a human, and I am pushing in the direction I see fit. If your best argument is “but everyone’s sayin it!” then I shouldn’t have to push too hard.
34. Re:Begs the question by Cederic · 2015-12-25 15:18 · Score: 1
  
  Your problem is that you don't have to push me, you have to push several million people that live near me.
  Still, I'm sure you're up to the task. Enjoy.
35. Re: Begs the question by Anonymous Coward · 2015-12-25 17:08 · Score: 0
  
  No. PBR is actually decent for a low end beer. Fosters is the equivalent of Budweiser, Coors, Schmidt for US shitty beers or Guinness for Irish shitty beers.
36. Re: Begs the question by Anonymous Coward · 2015-12-25 17:14 · Score: 0
  
  Right and nobody in the US drinks Budweiser and nobody in Ireland drinks Guinness. A they all suck. Overall low on quality and lack of taste unless you like the taste of shitty water. Which if you look at beers sales is what most of the morons who drink that stuff prefer. Put a quality beer in front of any Fosters, Budweiser, Guinness drinker and they actually hate the real taste of beer. He'll most people don't even drink Guinness at the proper temperature. They want it cold so you don't actually taste the beer. Once its brought to the proper temperature the taste is ok. But you can also taste the water. Unlike a quality stout.
37. Re: Begs the question by PeonPete · 2015-12-25 19:41 · Score: 1
  
  No such thing. Radelaidean reporting in.
38. Re:Begs the question by countach · 2015-12-25 20:09 · Score: 1
  
  Nonsense. The whole identity check thing is theoretical only. Often it's ignored, and if you've got reason to not be checked, you'd just steal the SIM off the shelf, because there is little security over them. The security check is just the government fooling themselves.
39. Re: Begs the question by Anonymous Coward · 2015-12-26 01:53 · Score: 0
  
  Instead of labeling you all Foster's drinkers, let's label you all racists then. I mean, that at least reflects reality, right?
40. Re: Begs the question by Anonymous Coward · 2015-12-26 06:00 · Score: 0
  
  What's wrong with gobbling cocks? Why is that insulting?
41. Re:Begs the question by st0nes · 2015-12-26 18:45 · Score: 1
  
  Igloos.
  
  --
  Tempora mutantur, nos et mutamur in illis
42. Re:Begs the question by rpstrong · 2015-12-27 16:50 · Score: 1
  
  Somewhat sadly, Cederic is correct in his reply: the language does evolve, and the meaning of words and phrases change. 'Begging the question' is a tricky one, because it is difficult to even explain the original meaning. OTOH, using it to define a situation in which one would naturally ask such a question is grammatically correct. The fact that the same phrase refers to a logical fallacy is immaterial - indeed, it is the 'correct' (that is, original) meaning that is arcane.
  The same applies to the use of the term 'assault weapon'. Gun right supporters will claim that it can only refer to selective fire carbine style weapons (the military definition), while the media use it for any 'scary' looking gun, and the lawmakers pretty much fail on getting any meaningful definition at all.
  And so it is that 'begging the question' instead of 'raising the question' is correct - much as it rankles me to admit it.
  [This is coming from a guy who refuses to use the term 'decimate' because its meaning has also changed. We have plenty of terms to mean 'annihilate your enemy'. But how many terms do we have for 'kill every tenth soldier in your own army? Hopefully, 'defenestration' - another personal favorite - will remain untouched.]
43. Re:Begs the question by Talderas · 2015-12-28 01:50 · Score: 1
  
  I... I thought Canadians lived in maple syrup and ate igloos. My mind is blown.
  
  --
  "Lack of speed can be overcome. In the worst case by patience." --Znork
44. Re: Begs the question by jandersen · 2015-12-28 20:14 · Score: 1
  
  You're too kind :-) About the troll part - is it trolling, now-a-days, when somebody makes a (very slightly provocative) joke?
45. Re:Begs the question by Anonymous Coward · 2015-12-29 10:22 · Score: 0
  
  Fosters is swill. I'd probably rather drink my own piss.
You can trust us... by fredgiblet · 2015-12-24 18:13 · Score: 4, Funny

...we're the government!
Uh-oh! and Happy Birthday Jesus! by Anonymous Coward · 2015-12-24 18:21 · Score: 0

Just found out I got some tainted love!
Happy Birthday, Jesus! Don't be a stranger!
the reason why by Gravis+Zero · 2015-12-24 18:26 · Score: 4, Insightful

The reasoning behind myGov's suggestion is understandable: some tourists will swap their Australian SIM cards to local ones while on holiday. Once this is done, they won't be able to receive myGov security codes without reinstalling their Australian SIMs, which is a hassle.
it seems to me this is probably the result of many support calls/emails because people don't realize when they switched their card that they couldn't authenticate. perhaps instead of turning off two factor authentication in a situation when it's needed most, that they should add a "vacation mode" that let's you temporarily pick a new destination for the text messages.

--
Anons need not reply. Questions end with a question mark.
1. Re:the reason why by The+MAZZTer · 2015-12-24 18:29 · Score: 3, Insightful
  
  Or just use the same standard Google and a lot of other people use which doesn't use text messages or even require a phone number or internet access at all.
2. Re:the reason why by argumentsockpuppet · 2015-12-24 18:35 · Score: 1
  
  That's one possible solution.
  Alternatively do what other multi-factor systems do: create backup options. Don't have the phone/app/dongle? Use the printed out one time codes. Send a code to the associated email address or the backup email address. Set up authentication questions (no free text.) Require a backup phone number to be set up at the same time.
3. Re:the reason why by icebike · 2015-12-24 19:28 · Score: 1
  
  Or just use the same standard Google and a lot of other people use which doesn't use text messages or even require a phone number or internet access at all.
  Wait, I missed something here. Exactly what does Google provide that doesn't require a phone or internet access at all?
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re:the reason why by gl4ss · 2015-12-24 19:54 · Score: 2
  
  smartcard readers or wtf?
  fyi, google two factor authentication uses sms...
  probably australian governent buys the sms sending with a shitty deal with either expensive or nonfunctional internationl sms's - and just expensive for them for domestic.
  they probably bought it from telstra or some other shit company for ten cents a piece or something and thought they were getting a great deal because they had not checked the market in 15 years...
  
  --
  world was created 5 seconds before this post as it is.
5. Re:the reason why by Ja'Achan · 2015-12-24 20:01 · Score: 2
  
  Time-based one time password. For example, see FreeOTP (sponsored / published by Red Hat, compatible with the Google Authenticator)
6. Re:the reason why by fennec · 2015-12-24 20:05 · Score: 1
  
  Added to the Google Authenticator app, you can also generate authentication codes in advance and keep them as a text file.
7. Re:the reason why by fredgiblet · 2015-12-24 20:07 · Score: 1
  
  Nope. Google 2-Factor can use the authenticator app installed on your phone and independent of the phone number.
8. Re:the reason why by Xenx · 2015-12-24 20:15 · Score: 1
  
  To expand upon it. They offer both as options.
9. Re:the reason why by icebike · 2015-12-24 20:19 · Score: 1
  
  No you can't.
  Authenticator runs on a phone or tablet. Without internet you can't even set it up. Without perfect clock sync the codes generated by authenticator stop working.
  The codes generated by authenticator have a very short shelf life, measured in seconds.
  
  --
  Sig Battery depleted. Reverting to safe mode.
10. Re:the reason why by tlhIngan · 2015-12-24 20:23 · Score: 1
  
  probably australian governent buys the sms sending with a shitty deal with either expensive or nonfunctional internationl sms's - and just expensive for them for domestic.
  they probably bought it from telstra or some other shit company for ten cents a piece or something and thought they were getting a great deal because they had not checked the market in 15 years...
  No, likely it's that the user forgets to update his account with a new phone number.
  I mean, if you're traveling and you're using a local SIM, it may not occur to you to update the phone number on your various 2FA websites. So you go to log in, and they send a code, but it doesn't occur to you that the number is different from what you registered. So you try and try and you don't get the code.
  Now, if you're lucky, you have the right SIM with you, and hopefully you don't mind paying whatever the rate is to receive a text while roaming. (Because you need the code in order to log in and change the number, and likely to change it back so you better still have the SIM when you change it back).
  It doesn't matter how well you do it - if it's dependent on SMS and people swap to local SIMs to avoid roaming charges, you're going to run into issues like this.
11. Re:the reason why by Anonymous Coward · 2015-12-24 20:28 · Score: 0
  
  He's referring to the backup codes, which you generate separately and last until you use them.
12. Re:the reason why by dbIII · 2015-12-24 20:29 · Score: 1
  
  But that would mean employing more staff instead of the sort of cuts that led to something like this making it out into the wild instead of staying as a brain fart expressed by a political advisor that has never had a different job.
  So it's a fuckup to try to make up for the fuckup of not having enough support staff.
13. Re: the reason why by Anonymous Coward · 2015-12-24 20:38 · Score: 0
  
  That'd require they rebuild the whole thing from scratch.
  Mostly because they ignored the standard that was already in place when they cobbled this together.
  And, they had to cobble this together mostly because they thought smartcards (remember those?) would solve all their problems and they could get people on welfare to buy smartcard readers to plug into their PCs.
14. Re: the reason why by icebike · 2015-12-24 20:50 · Score: 1
  
  And what would you use them for without an internet connection?
  
  --
  Sig Battery depleted. Reverting to safe mode.
15. Re:the reason why by Rhyas · 2015-12-24 20:51 · Score: 3, Informative
  
  No you can't.
  Wrong. You absolutely can use pre-generated keys for google's authentication services. They call them backup codes.
  
  Authenticator runs on a phone or tablet. Without internet you can't even set it up.
  Wrong again. You can absolutely setup accounts in Google Authenticator (And most other similar apps) without network access. You can even install the app itself without access in many cases, if you want to side-load from a PC or something.
  
  Without perfect clock sync the codes generated by authenticator stop working.
  Sorta wrong. The clocks don't have to be perfect, they just have to be close. Pretty much every service has the ability to deal with a certain amount of clock skew. Smartphones these days are pretty good at keeping time, even when not connected to the network, so this usually isn't an issue. But this is also dependent on if the service is using TOTP or HOTP. (Time based or Counter based codes)
  
  The codes generated by authenticator have a very short shelf life, measured in seconds.
  Here you got one right, every code has a 60 second lifespan. (:
  But to the point of the original post (GGGP?) that brought up the autheticator... They should at least have HOTP/TOTP as an option for those with smartphones in this case. They probably can't drop SMS altogether because of the users that *don't* have smart phones, but no reason not to support both.
16. Re: the reason why by jrumney · 2015-12-24 20:55 · Score: 1
  
  When you are travelling and lose your phone (or cannot use it for some reason). You can still check your email from an internet cafe using the backup codes which you have a printout of in your wallet, and still have some protection against the keyloggers that are installed on those publically accessible computers.
17. Re:the reason why by Jack+Griffin · 2015-12-24 21:16 · Score: 1
  
  I went overseas and google locked me out because it thought someone else was using my account (because no-one ever travels right?). And because I was travelling, I disable roaming to avoid exorbitant fees and buy a sim in the country I'm in (which a lot of people do) so can't verify my account.
  So Google's method involves locking everyone out who travels. You can keep that.
18. Re:the reason why by AmiMoJo · 2015-12-24 21:32 · Score: 1
  
  Indeed, the Google authenticator app actually implements a standard that anyone is free to use. I use it with Microsoft services. You can use other apps too, if you don't like the Google one.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
19. Re:the reason why by Anonymous Coward · 2015-12-24 22:47 · Score: 0
  
  Or they should ask Singapore how they did it right - or CBA or a host of others.
  The trouble is they went off and did it their way- but now the shit has hit the fan they want to upgrade some servers and hardware.
  As usual real users inputs were disregarded to 'quick consultant recommendations.
  Their digital dreams of no staff are out the window, and call desk exponentially growing , recurrent costs - because the solution failed the sniff test, yet was rubberstamped by idiots. It is noted no explanation forthcoming .
20. Re:the reason why by nospam007 · 2015-12-24 22:59 · Score: 1
  
  "I went overseas and google locked me out because it thought someone else was using my account (because no-one ever travels right?)."
  No need to travel, I get locked out regularly when I check my mail on with my VPN active.
21. Re:the reason why by Ja'Achan · 2015-12-25 00:12 · Score: 2
  
  30 second lifespan, but implementations are encouraged to check the previous and next code as well, giving you a 90 second window. Which is more than enough for most smartphones, unless you travel without ever accessing wifi for months.
22. Re: the reason why by bickerdyke · 2015-12-25 00:20 · Score: 1
  
  I bet you were not using 2 factor authentication. Lock out only happens to users using only password.
  
  --
  bickerdyke
23. Re: the reason why by Anonymous Coward · 2015-12-25 03:09 · Score: 0
  
  Huh? Receiving texts while roaming has always been free for me, in three continents. Where are you?
24. Re:the reason why by Solandri · 2015-12-25 03:25 · Score: 1
  
  I'd recommend Authy instead of Google Authenticator. Authy requires you to enter a 4-digit PIN to use it. Anyone who has access to your phone (if it's lost, stolen, or borrowed without a passcode) can use Authenticator. Authy also allows you to sync it with multiple devices on multiple platforms, not just your phone/tablet.
25. Re:the reason why by mlts · 2015-12-25 04:45 · Score: 1
  
  Google provides a standard (as in open source and standard usable by all comers) TOTP/RFC 6238 app.
  This really should be an option. For example, a user can opt to have their code texted, type in their six digit second authentication, or perhaps have a scratch-off card with one time use codes on it as the last resort. On iOS, maybe make a deal with Apple, so the code can appear using Apple's protocol that works regardless of SIM card used.
  This should not be too difficult... the RFC is open source, easily used in Linux (I have it used for backup authentication for a remote machine, if I don't have my SSH private key on the computer I am using), not to mention a lot of websites (Google, Amazon, name.com, Linode, etc.), and even a number of NAS models support it. It would be nice if the Australian government offered this as an option.
26. Re:the reason why by swillden · 2015-12-25 05:24 · Score: 1
  
  Here you got one right, every code has a 60 second lifespan. (:
  Google also provides OTPs that are not time-limited. They're called backup codes; you get them from the Google account web site, print them out and keep them in a safe place. It's good to keep a few in your wallet when traveling, in case your phone is lost or broken.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
27. Re:the reason why by swillden · 2015-12-25 05:36 · Score: 1
  
  fyi, google two factor authentication uses sms...
  Google two-factor uses any and all of:
  1. Security key (any FIDO U2F-compliant device will work). This is a small device that plugs into a USB port. Some of them also have NFC capability so you can use them on your phone by tapping the key against the back of your phone. If you have multiple Google accounts you can use the same security key for all of them.
  2. Google Authenticator app, or compatible (it's an open standard). The app also supports multiple accounts, and does both time-based and counter-based codes.
  3. SMS.
  4. Voice call.
  5. Backup codes. You get these from the Google account web site, print them out and keep them in a safe place. Great when traveling, in case your phone gets lost or broken. I keep some in my wallet and some in my suitcase.
  I have all of the above set up, including multiple SMS/voice phone numbers. I'm never getting locked out of my account.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
28. Re: the reason why by IBME · 2015-12-25 05:49 · Score: 1
  
  Funny, I just installed OTP Authenticator on my phone. Sounds like the aussies need to get a clue. Euther that or never come back from vacation. https://github.com/0xbb/otp-au...
29. Re: the reason why by icebike · 2015-12-25 09:33 · Score: 1
  
  That would be a stupid thing to do, as the code remains in the machine.
  The codes are meant to be used as passwords for apps.
  
  --
  Sig Battery depleted. Reverting to safe mode.
30. Re: the reason why by jrumney · 2015-12-25 19:09 · Score: 1
  
  They are one time passwords. There is no risk if the code remains in the machine.
Email by AmiMoJo · 2015-12-24 18:32 · Score: 1

So the problem is that people swap their Australian SIMs when they go abroad, and don't get alerts. Okay, well why not just send an email saying "you have an alert, log in to see it out replace your Australian SIM and pay $$$ to get the text message"?
That's what the lottery in the UK does. You get a message saying you have good news, log in to see it. Then you find out you won Â£2.37 and it was barely worth the effort.

--
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
1. Re:Email by TechyImmigrant · 2015-12-24 18:45 · Score: 1
  
  So the problem is that people swap their Australian SIMs when they go abroad, and don't get alerts. Okay, well why not just send an email saying "you have an alert, log in to see it out replace your Australian SIM and pay $$$ to get the text message"?
  That's what the lottery in the UK does. You get a message saying you have good news, log in to see it. Then you find out you won Â£2.37 and it was barely worth the effort.
  The problem is that carriers gouge people who are traveling abroad if they have the temerity to turn on their phone with the home SIM installed.
  I quote from the text message to my phone when I landed in Canada on a flight from Hong Kong, on my way to the US..
  "AT&T Free Msg:
  Welcome abroad! Please note your current international rates are: data $2.05/MB, talk $1.00/min, text $0.50/msg sent; $1.30/photo or video msg sent. Reply YES to learn how to get lower rates. For questions, or to block data, call +1.214.547.2300 (a free call from this phone)."
  Yes over 2 dollars per megabyte. I shit you not.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
2. Re:Email by yes-but-no · 2015-12-24 20:28 · Score: 1
  
  Yes, email can be used as a backup; it's not as robust as SMS because the communication channel is independent; that is to use email you use the internet; but SMS arrives thru' the cell-phone network. So if a hacker has complete access to your computer and internet, in 2FA with SMS, he still can't login into your network. But with email, he can login into your mail (gmail say) and grab the code. Of course this is lot better than locking out the service or using only 1 factor; There should be a way a user can go into his account and turn off the SMS 2FA for a short while [like 5 minutes]. wrt google's phone-app - it is good; but again if your phone is lost or you misplaced it somewhere, it may become a pain to access your online service. Again I don't see if there is any better solution that provides the security strength that 2FA gives.
3. Re:Email by Lorens · 2015-12-24 20:40 · Score: 1
  
  Yes over 2 dollars per megabyte. I shit you not.
  Using Sosh (a sub-brand of French Orange, whose client I have been since 1997, even though the monthly price is substantially higher than that of competitor Free), I got two different SMSs when arriving in the US. The voice price was substantially different between the two, but the data price was over USD 13 per megabyte. My fellow travelers use Free, the newest big French mobile phone company. They got an SMS saying that all their voice and data were counted like at home: unlimited with no surcharge, restricted bandwidth after 50 MB in 4G and 3GB in 3G, max 35 days/year/destination/person. For less that 2 MB using the Sosh price, I could have bought a month with Free just to visit the US. I'm wondering why my carrier still has clients.
4. Re:Email by mlts · 2015-12-25 04:53 · Score: 1
  
  The main thing 2FA protects against is keyboard loggers and a compromised machine. Even if the password is emailed, it still is a lot more difficult for an attacker to get in. Mainly because hacking someone's E-mail and constantly looking at it is more difficult than just passively retrieving a stream of a user's keyboard output from a keylogger.
  Of course, the ideal is an application on a separate connection that isn't connected in any way to the computer, but even an emailed password is better than nothing.
5. Re:Email by yes-but-no · 2015-12-25 05:18 · Score: 1
  
  [Edit: I meant to say '..he still can't login into your account (not network)']
  
  Not sure why logging into email account is any harder; once we accept a keyboard logger, he basically sees everything you do on the computer (basically he is looking over your shoulder all the time). And it's very reasonable to expect the hacker had seen and obtained your email login/password [as it's reasonable people use their email account often]. Yes, sure, two independent channels of communication is good - or hard-token like hardware which can generate an OTP.
myGov is a nightmare. by sg_oneill · 2015-12-24 18:32 · Score: 5, Interesting

myGov has to be one of the worst executions of a good idea I've come across. Basicallly its a single sign on portal to other government services that appears to be designed by a committee of very user unfriendly elderly people. You dont get to have a username, you get a user number. The system insists on a *very* strict password, and if you get it wrong three times, your account is locked for the day, even if your on a welfare payment that requires you to log in that day by law. It also asks you to answer various questions ("What is your mothers maiden name" type things, and its anal about input to the point of paranoia. Capitals wrong? One day account lock!). I get that they are worried about security , but how about letting us have a user name we can remember, and setting that auth question to case insensitive!

--
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
1. Re:myGov is a nightmare. by dbIII · 2015-12-24 20:36 · Score: 2
  
  welfare ... I have an idea how to terminate the horrendous practice of a welfare state
  Wow - keywords really set you off don't they? How do you know one way or another that a "welfare state" applies? You don't seem to understand that Australia is currently run by people with politics either similar or identical to your own.
  Hilarious.
2. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-24 20:49 · Score: 0
  
  ... worst executions of a good idea ...
  
  It's difficult to say anything good about the my.Gov site but I use a password manager which eliminates most of the problems you mentioned. One should have nonsense answers set for the security questions and I haven't had any trouble with upper/lower case. My problem is my.Gov logging me off after 40 minutes and not telling me. Now, when there's an error message, it's the first thing I check.
  
  ... that requires you to log in ...
  
  Since the my.Gov site will be 'under development' for a long time, I think the DHS (In Australia it means Human Services, although with the current government attempting to apply "guilty until proven innocent" punishment via welfare, that may change.) web-site is still available.
3. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-24 21:25 · Score: 0
  
  The dutch version called digid.nl has two ways of logging in:
  - With just your password.
  - With your password and with a SMS send to you. (I don't think SMS are particular secure, because criminals already have intercepted those to get into people's bank accounts)
  Anyway, let me repeat this, you can choose which way to log in, at the time you want to login. So it is not a setting on your account; you can simply choose not to use two factor authentication at any time. It is completely weird.
4. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-24 21:38 · Score: 0
  
  ... horrendous practice of a welfare state.
  
  Despite the abusive tone of this sentence, I'll assume you're referring to the security-minded suspension of well-intentioned subscribers, not the subscribers seeking a welfare payment.
  
  ... loop counting into millions ...
  As the summary says, it allows access to services "including health insurance, tax payments, and child support". So a suspension can mean little Suzie or the government doesn't get their cheque on time either. On the other hand, if the person can't perform their log-in correctly, a short time-out may force them to collect their thoughts and check their password.
5. Re:myGov is a nightmare. by Jack+Griffin · 2015-12-24 21:46 · Score: 1
  
  Basicallly its a single sign on portal to other government services that appears to be designed by a committee of very user unfriendly elderly people.
  The problem with public service is that process takes priority over outcomes, and it has to be that way since it is public money at stake.
  You never get greatness with this model, but you hopefully never get Enron style failures either (ie bankrupt government). So you have to take the good with the bad.
6. Re:myGov is a nightmare. by Opportunist · 2015-12-24 22:18 · Score: 1
  
  Oh, so you have a job for him? That's wonderful!
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
7. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-24 22:18 · Score: 0
  
  What did you expect, really?
8. Re:myGov is a nightmare. by TheNinjaCoder · 2015-12-24 22:20 · Score: 1
  
  That's ridiculous. So anyone with a small amount of knowledge could write a script to lock out thousands of users by attempting to login but deliberately using the wrong password.
9. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-24 22:37 · Score: 0
  
  Wait a minute. Requiring desperately poor people in far off parts of the northern territory to, by law, sign in to a website to get their support payment? In towns and stations where there is no computer, there is no internet access, there are no cell towers for hundreds of km, and by people who have never been exposed to computers. Huh?
  Oh wait, I get it. Evil fucking sociopathic cunts set this thing up and it is working as planned.
10. Re: myGov is a nightmare. by Anonymous Coward · 2015-12-24 23:10 · Score: 0
  
  Well, Australia had a conservative pro business capitalism cheerleader style government. What do you expect? To those types, if government isn't broken they'll break it on purpose just to make a point.
11. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-25 01:54 · Score: 0
  
  I wish it was only locked out for the day. Mine locked me out earlier this week and it still wont let me even request a new password. Get the security question answered and then still says locked.
  It's so much effort to go around and then go back to the actual website you were originally on to continue.
12. Re:myGov is a nightmare. by cas2000 · 2015-12-25 02:12 · Score: 1
  
  I have an idea how to terminate the horrendous practice of a welfare state.
  fuck off you nazi cunt and take your privatised corporate-owned state with you.
13. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-25 07:52 · Score: 0
  
  fuck off you nazi cunt and take your privatised corporate-owned state with you.
  Privatized corporate-owned state? Which one? America? UK? France? Sweden? Nigeria? Somalia? Brazil? ...
14. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-25 12:14 · Score: 0
  
  It's probably just Murdoch posting, he and his crumbling media empire are the right wing propaganda here and are always attacking our "welfare state". In reality our system is one of the most (if not the most) targetted welfare system in the world. Having worked for DHS 99% of calls are people embarrassed to be receiving money because of Murdoch and Liberal party propaganda.
15. Re:myGov is a nightmare. by cas2000 · 2015-12-25 15:41 · Score: 1
  
  America to start with out of the "Western" countries, the US was conquered decades ago. others as their program advances - the TPP, for example, was a huge win for corporate overlordship.
16. Re:myGov is a nightmare. by countach · 2015-12-25 20:15 · Score: 1
  
  Very cynical to say it has to be that way. I think it is that way because they appoint ladder climbing bureaucrats to run these things rather than domain experts, and thus they always get rubbish results. But I don't think it has to be this way.
17. Re:myGov is a nightmare. by Anonymous Coward · 2015-12-26 13:30 · Score: 0
  
  Sure. Guess what? The same thing applies to every website with brute force protection. It's not seen as something that needs to be fixed because in the real world it has never been serious problem and the security benefits greatly outweigh the nuisance of unlocking accounts. It's just a prank, not a security breach.
18. Re:myGov is a nightmare. by Jack+Griffin · 2015-12-26 22:16 · Score: 1
  
  I've done work for govt depts and even the smart people are limited on what they can do because of accountability. And the bigger the project, the more accountable you have to be. The other problem is that domain experts don't want to work in an environment like that. If you're the best, you're not going to last long stuck knee deep in bureaucracy
  Govt can't work like Apple or Google.
New Phone Number by Anonymous Coward · 2015-12-24 19:07 · Score: 5, Insightful

If you get a new phone number they have to completely delete your account and you have to link everything again from scratch. Takes a couple of months. Well designed portal...
1. Re:New Phone Number by countach · 2015-12-25 20:16 · Score: 1
  
  Yup. The rules that govern myGov are rubbish, and if you make a mistake, it is unrecoverable, and you have to start again.
But it says by Anonymous Coward · 2015-12-24 20:33 · Score: 1

... called for citizens to turn off two-factor authentication ...

Every-time I log-in, I get a nag screen demanding I turn two-factor authentication on; every time. This is precisely the reason I won't: no phone, no access.
you are the answer by raymorris · 2015-12-24 21:09 · Score: 1

> For less that 2 MB using the Sosh price, I could have bought a month with Free just to visit the US. I'm wondering why my carrier still has clients.
You ARE the client who still keeps them. Why tf are you still with them?
PATCH#101: You have to trust us... by Anonymous Coward · 2015-12-24 21:25 · Score: 1

we're the government!
I would love to. by thegarbz · 2015-12-24 21:28 · Score: 3, Informative

But in order to turn it off I need to log in. I can't log in because I'm living abroad without my Australian number. I can't change the system to use my new number because I can't log in.
I hope implement a sensible workaround before tax time.
1. Re:I would love to. by Anonymous Coward · 2015-12-25 07:48 · Score: 0
  
  You are supposed to turn it off BEFORE you move away.
2. Re:I would love to. by thegarbz · 2015-12-25 09:50 · Score: 1
  
  You're supposed to do a lot of things. Changing a 2 factor authenticator on a portal that I use at most once a year (which at the moment equates to once in it's life so far) doesn't rank really high on the things to remember list.
  Unless you're on welfare the Australian government is actually quite hands off and I need to interact with them at most at tax time... and some people use tax agents to sort that out for them.
Australian Gov tells citizens to turn off 2FA by nickweller · 2015-12-24 21:56 · Score: 1

"The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA)" .. so as they can more easily spy on you.
1. Re:Australian Gov tells citizens to turn off 2FA by Opportunist · 2015-12-24 22:21 · Score: 3, Insightful
  
  That doesn't even begin to make sense.
  How would that enable the Aussie feds to spy on you any better? We're talking about a government page for crying out loud, if they want to spy on you, they already own one end of the communication.
  Look, I'm usually not the one defending governments when it comes to sniffing in things they have no business in, but this is ridiculous.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:Australian Gov tells citizens to turn off 2FA by thegarbz · 2015-12-25 09:53 · Score: 1
  
  I would go one step further. Spy ON WHAT?
  The portal is an access for citizens TO the government, not the other way around. Not only do they already own one end of the communication they actually already own all the content too.
Pathetic idiots. by Anonymous Coward · 2015-12-24 22:03 · Score: 0

Tell me again, why they are in the government?
I can't get it to stop trying to make me use 2FA by Anonymous Coward · 2015-12-24 22:08 · Score: 2, Interesting

I'm an Australian with a MyGov account, and I refuse to give them my phone number. Every time I log in it asks for one, and tells me how much more secure I would be if I used 2FA. You can decline each time, but there's no way to tell the system "no, not now, not ever, don't ask me again". I even sent feedback to the webmaster asking how I could tell it that I DO NOT HAVE A MOBILE PHONE so it will stop asking me, and got no response.
And now they're urging people to turn it off!
Bizarre.
(I always knew that the reason they wanted a phone number had nothing to do with protecting my security.)
Fosters was prominent in The World's End movie by Anonymous Coward · 2015-12-24 22:19 · Score: 0

Simon Pegg's crapterpiece. Foster on tap at each and every dive. And he's Australian. Should be. After that movie he is a criminal most assuredly deserving a one-way ticket down-under.
1. Re: Fosters was prominent in The World's End movie by cyber-vandal · 2015-12-25 00:32 · Score: 3, Informative
  
  Simon Pegg is English.
2. Re: Fosters was prominent in The World's End movie by Anonymous Coward · 2015-12-26 05:56 · Score: 0
  
  Fosters actually is on tap in many English pubs. Of course, product placement also helps. Got to finance the movie somehow.
3. Re:Fosters was prominent in The World's End movie by Anonymous Coward · 2015-12-26 06:06 · Score: 0
  
  That was a great movie, as long as you knew from the start it was going to be a comedy
The site needs an editor by Anonymous Coward · 2015-12-24 22:44 · Score: 0

The article is difficult to understand. The quote "so you can do more important things" makes no sense whatsoever and confuses readers. Someome please moderate this article down.
1. Re:The site needs an editor by Anonymous Coward · 2015-12-25 02:14 · Score: 0
  
  Are you a moron? That's what he government tweeted. The article was reporting it.
WGAF by cas2000 · 2015-12-25 02:18 · Score: 1

2-factor auth by mobile phone (or tablet) is fucking cretinous. mobile phones aren't in the least bit secure, they're even worse than Microsoft Windows - and that includes both Android and Apple.
Anyone who trusts their phone for anything where security is important - like banking, or as a credit card substitute or other payment system, or even just to login to a web site - is a fucking moron.
they are inherently compromised by spyware and malware - even if you're extremely careful about the apps you install (99.99% of which are crap that exist solely to spy on you in one way or another), the OS itself spies on you on behalf of their REAL owners, Apple and Google.
1. Re:WGAF by Nemyst · 2015-12-25 04:30 · Score: 1
  
  It seems you have absolutely no understanding of 2 factor authentication then. The entire point of 2FA is that neither the phone nor the password are sufficient on their own to login. Compromising the phone gives you fuck all, a string of numbers that do not give you any information about the account. Getting the password means you still can't login without also compromising the phone that matches with that account.
  
  Is it perfect? No. Web security is inherently imperfect. Is it better than not having 2FA? Absolutely. You have to be a complete cretin to not turn on 2FA if you have a phone and the service supports it.
2. Re:WGAF by cas2000 · 2015-12-25 15:35 · Score: 1
  
  it's you who doesn't understand - if the 2nd factor (e.g. the thing you have rather than the thing you know) is inherently compromised and insecure then it's worse than useless.
  and no, you have to be a fucking moron to trust something inherently untrustworthy like a mobile phone for 2FA.
  this is doubly true if you are stupid enough to also use a browser on your phone to perform the login - actual compromise is more difficult without that, but locking someone out of their account is trivial with phone-based 2FA, all an attacker has to do is intercept and change or delete the code SMS.
3. Re:WGAF by countach · 2015-12-25 20:21 · Score: 1
  
  Well, if the 2nd factor is on a different device then you just significantly raised the stakes of anyone wanting to compromise you.
Or, you could ... by PPH · 2015-12-25 03:11 · Score: 1

... just not check in with your government websites while on holiday.

--
Have gnu, will travel.
Why is the security they designed SIM dependent? by gbcox · 2015-12-25 05:24 · Score: 1

From the article: "The reasoning behind myGov's suggestion is understandable: some tourists will swap their Australian SIM cards to local ones while on holiday. Once this is done, they won't be able to receive myGov security codes without reinstalling their Australian SIMs, which is a hassle." Why aren't they using a Yubikey or an authenticator app, such as Google Authenticator, Authy or one of the many others that are available? If the argument is that "SIM dependent" authentication is more secure that is definitely undermined by the fact they are telling people it's inconvenient to use, so turn it off. They need to fix this to be usable in real world situations, not some theoretical construct.
Re:Why is the security they designed SIM dependent by Anonymous Coward · 2015-12-25 11:02 · Score: 0

It's not sim dependant, it's phone number dependant.
If you can't get the sms, you can't get the security code.
what the ever loving fcuk by Anonymous Coward · 2015-12-25 16:21 · Score: 0

We drink VB and don't ever do what myGov says we should do, in fact who the fcuk uses myGov anyway, it's been haxored many times.
Re:I can't get it to stop trying to make me use 2F by countach · 2015-12-25 20:20 · Score: 1

You don't have a phone, but you have an Internet connection and are geek enough to access slash dot? Lol.
Re:I can't get it to stop trying to make me use 2F by Anonymous Coward · 2015-12-26 13:41 · Score: 0

You think slashdot is for geeks? Slashdot articles are clearly targeted at conspiracy theorists, student politicians, culture warriors and wannabe executives these days. You know... redpill types. There is very little of interest to engineers following FOSS anymore.
Re:Why is the security they designed SIM dependent by Anonymous Coward · 2015-12-26 13:44 · Score: 0

Deploying yubikey to 24 million people? That's not even half-smart.
What confidence ... by RockDoctor · 2015-12-26 15:50 · Score: 1

.. .AU people must have in their government.
Or maybe it means that the .AU government know that their security is fatally flawed, and this message comes from the thieves.

--
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"