Slashdot Mirror


Google To Replace SMS Codes With Mobile Prompts in 2-Step-Verification Procedure (bleepingcomputer.com)

Starting next week Google will overhaul its two-step verification (2SV) procedure and replace one-time codes sent via SMS with prompts shown on the user's smartphone. From a report: This change in the Google 2SV scheme comes after an increase in SS7 telephony protocol attacks that have allowed hackers to take over people's mobile phone numbers to receive one-time codes via SMS and break into user accounts. The rollout process for this feature is scheduled to start next week when Google will invite users to try mobile prompts instead of receiving a one-time code via SMS. Users need an Internet-connected smartphone to use this feature. Every time users try to log in, Google will show a prompt on their phone asking the account owner to approve the login request. There's no one-time code that users have to fill in, and users can authorize a login request with the tap of a button.

90 of 181 comments

  1. Terrible editors by Anonymous Coward · · Score: 2, Insightful

    I know stories are posted farther apart at night, but it's embarrassing to have stories three hours apart on a weekday afternoon. These editors suck. There used to be a lot of pornographic fiction involving Slashdot editors. I'd like to see what you guys can come up with to explain why the editors weren't posting stories.

    1. Re:Terrible editors by __aaclcg7560 · · Score: 2

      Some of my coworkers go out for a three-martini lunch on Fridays. A few might even return to work after lunch is over.

    2. Re:Terrible editors by Anonymous Coward · · Score: 1

      I knew a guy in 1995 who passed a kidney stone. He said he had gotten it from drinking too much soda pop. He never told me his real name, but he worked with video games, and he introduced me to NetBSD. That guy had a presence, and you always knew when he was in the room. Nice guy, pleasant body odor. I must have met creimer.

    3. Re:Terrible editors by ls671 · · Score: 1

      hehe it's now been 5 hours since this FA was posted and still no new FA posted. What did you do to miss Mash A.C.?

      This looks like a frame-up. Nice try.

      --
      Everything I write is lies, read between the lines.
    4. Re: Terrible editors by Anonymous Coward · · Score: 1

      Thanks for the reply. Yes, the stories are queued up, sometimes hours in advance. SoylentNews runs a similar but forked version of the code that also powers this site, and SN actually shows you the titles of stories that have been queued up to post. On this site, normally the stories are queued up to post 40 minutes apart during the day (10 AM EDT, 10:40 AM, 11:20 AM, 12 PM, and so on...). Sometimes the spacing is slightly different with stories 45 minutes apart or something like that, but a lot of days they are right on time. It's almost always very periodic, and they even tend to post at the same time most nights, with stories going up around 11:30 PM and 3 AM EDT. This is quite irregular to have no stories posted in several hours.

      I believe stories get queued up the previous day to run through about 9 AM EDT, then the editors queue up a bunch more stuff in the morning to run during the day. EditorDavid takes over Saturday morning and posts everything through Monday morning, though I'm certain the Monday morning posts are queued up the previous night. On weekdays, posting seems to be split between BeauHD and msmash. However, it looks like BeauHD's last post would have been queued up last night and only msmash has been queueing up stories today.

      I don't have any idea why this is going on, but I assume that for some reason, BeauHD isn't posting, and msmash isn't posting more in his absence. All joking aside about pornographic fiction involving editors, I don't have a theory about where BeauHD is. I sincerely hope that nothing is seriously wrong. But this is, indeed, irregular.

    5. Re:Terrible editors by __aaclcg7560 · · Score: 1

      ...although, this is not possible for support people, they need to answer calls and take tickets when their name is in the queue.

      I don't work in help desk.

    6. Re:Terrible editors by __aaclcg7560 · · Score: 1

      ...but it isn't allowed for support people, they need to answer calls and take tickets when their name is in the queue.

      I don't work in help desk.

  2. My iPhone is somewhere else... by __aaclcg7560 · · Score: 1

    I usually don't have my iPhone with me when I'm working in my home office. Whenever I log into a website that requires me to look at my iPhone, I have to stop everything while I go fetch my iPhone from the kitchen table. A security token would be more convenient.

    1. Re:My iPhone is somewhere else... by xxxJonBoyxxx · · Score: 5, Funny

      >> I have to stop everything while I go fetch my iPhone from the kitchen table

      That will teach you to put your personal tracking device down, citizen.

    2. Re:My iPhone is somewhere else... by Calydor · · Score: 1

      I have my cellphone literally only in case of emergency - car breaks down or something like that. As a result it's often left to drain the battery even in standby, and I won't notice for days. So not only do I need to remember where I put it, I also need to charge it enough to turn it on and GET that login message!

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:My iPhone is somewhere else... by jason2971 · · Score: 3, Insightful

      Then you aren't the target user. I doubt you even use 2FA, if you don't keep track of your phone. So this won't affect you.

    4. Re:My iPhone is somewhere else... by Misagon · · Score: 4, Insightful

      That exact use case - as an emergency phone in the car or summer cottage etc. - is why people still have "dumbphones" that can't run apps.
      Batteries in those can last for six months or more, whereas a "modern" smartphone won't even last for a couple days when turned "off".

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    5. Re:My iPhone is somewhere else... by grimr · · Score: 1

      "I have my cellphone literally only in case of emergency" "So not only do I need to remember where I put it, I also need to charge it enough to turn it on"

      Not sure but I think there may be a couple of flaws in your emergency plan.

    6. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 4, Informative

      The battery in a normal phone self discharges the same as the battery in a dumbphone. The lion cells don't know what kind of device they're in.

      A smartphone never really sleeps when it's not being used. If you have a lot of apps that do background refresh, the battery life between charges is significantly shorter than a dumb phone. I've heard that the Facebook app is a notorious battery drainer.

    7. Re:My iPhone is somewhere else... by Obfuscant · · Score: 1

      A smartphone never really sleeps when it's not being used.

      "Not being used" is not the same as "off". If you have apps that are busy updating the phone while it is off, then it's an unusual phone.

    8. Re: My iPhone is somewhere else... by Zero__Kelvin · · Score: 1

      Way to be smug while simultaneously broadcasting your cluelessness. When a smartphone is "off" it still has constant power drain because it still has hardware that is powered. How do you think the phone knows what magic button combinations you are pressing to decide if it should boot into normal mode or the bootloader, e.g. ? Try powering your phone down and pressing the power button very briefly rather than holding it longer. See that cute little battery graphic with the color filling indicating percentage charge? That's because your phone never powers down completely unless you remove the battery.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re:My iPhone is somewhere else... by Misagon · · Score: 1

      There isn't any smartphone that can be really turned "off". It is always some level of standby. Many smartphones still draw more in their most battery-preserving standby mode than a typical "dumbphone".

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    10. Re:My iPhone is somewhere else... by thegarbz · · Score: 1

      I can just imagine how upset you'd be if you got a phone call.

    11. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 1

      I can just imagine how upset you'd be if you got a phone call.

      I get 20+ phone calls and emails per day from recruiters, so I keep my ringer turned off all the time. The fastest way to get a hold of me is email or IM.

    12. Re:My iPhone is somewhere else... by Calydor · · Score: 1

      I never claimed to be well prepared!

      Thing is it can often be a full week between getting in the car, so if the phone was only at half charge last time it's DEFINITELY dead now.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    13. Re: My iPhone is somewhere else... by silverkniveshotmail. · · Score: 1, Informative

      Way to be smug while simultaneously broadcasting your cluelessness. When a dumbphone is "off" it still has constant power drain because it still has hardware that is powered. How do you think the phone knows what magic button will power it on? Try powering your phone down and pressing the power button very briefly rather than holding it longer. See that cute little battery graphic with the color filling indicating percentage charge? That's because your phone never powers down completely unless you remove the battery.

    14. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 1

      Do you have the number of a former pizza place?

      Nope. I do have 800+ connections to my LinkedIn profile from recruiters, many of whom already have a copy of my resume in their database.

    15. Re: My iPhone is somewhere else... by Zero__Kelvin · · Score: 1

      When a dumbphone is off, power is not applied to the CPU, RAM, etc. When a smartphone is "off" power is still applied. This is necessary because starting up an 8 bit microcontroller with static RAM is much less time consuming than starting up a multicore 64 bit CPU with dynamic RAM, etc. I would need to connect an ammeter in line with the battery to give actual current drain numbers. Alternatively, some manufacturers may have this information in their product specs. In any case "significantly more" would be a reasonable if vague answer.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    16. Re: My iPhone is somewhere else... by tricorn · · Score: 1

      The only circuit that has any power when the phone is in the power-off state is the actual power control module. Perhaps there are other phones that have more than the one main power/lock button active, but on all the devices I've used the ONLY active button is power - and all that does is apply a very small current through a physical switch that turns on the main power controller if it stays active for long enough. The only other thing that will activate the power control module is if you apply voltage to the charging port.

      Everything else you mention, checking if it's a short or long press, looking to see if any other buttons are pressed, happens AFTER it turns on main power to the CPU and starts the initial low level boot (although the force-reset circuit might be on the same button connection, it won't be active until the power's been turned on first).

      If I plug in my phone, the CPU boots to a low level battery charging program which is probably monitoring the process and can put up a cute display showing the charge level. In that case, since it has external power, the CPU does stay powered on. If I unplug it without booting the main system up (which is just a normal button input to the battery program), it simply powers back down.

      The drain on a power control circuit is extremely low, probably less than internal leakage current.

      I have several devices that I've left fully charged and off for months, when I turn them on they're still indicating full charge (although they're certainly down a small amount, of course), discharge normally, recharge normally. And yes, I know that leaving a battery in the full charge state isn't ideal.

      My iPad will only lose a few percent a day if I leave it in standby, I can go several weeks between charges if I'm not using it. My Android phone has settings to prevent "background" network use, enabling that will also significantly reduce power usage when it's locked (and that's before enabling the "extreme power saving" modes).

    17. Re:My iPhone is somewhere else... by aaarrrgggh · · Score: 1

      Get an Apple Watch...

    18. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 1

      Get an Apple Watch...

      I haven't worn a watch in 30 years. I'm not going to shatter an Apple Watch at $300 a pop.

    19. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 1

      The "fetch" you're whining about is literally TWO STEPS across your shitty apartment.

      My home office is a separate space inside my 475-sqft studio apartment. Two bookshelves make for a fourth wall and two walls are painted green. Here's an old blog post from my snail mail days of writing.

      https://blog.cdreimer.com/2009/03/06/dedicated-office-space/

    20. Re: My iPhone is somewhere else... by Baloroth · · Score: 1

      Yeah, this is bullshit. You know how I know? I tested it. I turned off my phone, then turned it back on again and timed how long it took: 42.80 seconds. Then I turned it off, removed the battery, and then reinserted it and turned it back on again. Took 42.66 seconds. That's within the margin of error of the human reaction speed (which is ~100-200ms). So, no, the phone CPU doesn't stay powered on while off, the system really does reinitialize itself from the fully-off state when I turn off my phone. Maybe other phones don't, but I'm going to need to see some sources before I believe it.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    21. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 1

      I'm sure if you tie two together they'd fit around your monstrous wrist.

      That's the other problem. Apple Watch bands maxed out at 180mm (7 inches) for wrist circumference. My wrist circumference is 250mm (10 inches).

    22. Re: My iPhone is somewhere else... by Gavagai80 · · Score: 1

      I recently had my old smartphone turned off for months after I got a new one, and was surprised to find the battery still had power when I finally turned it on. Could be that's only because it's a low-end android, but clearly at least some smartphones do last a long time turned off.

      --
      This space intentionally left blank
    23. Re:My iPhone is somewhere else... by thegarbz · · Score: 1

      A modern smart phone has no problem lasting up to 2 weeks while ON and on low power mode. As for being off, my old S6 which has been lying in my drawer unused for a year still has 70% charge.

      Please don't spread ignorance. This site is news for nerds.

    24. Re:My iPhone is somewhere else... by jez9999 · · Score: 1

      Batteries in those can last for six months or more

      6 months?? Don't US phone lines have power running down them? In the UK I have landline phones that take no batteries, and just operate once plugged into the phone line.

    25. Re: My iPhone is somewhere else... by Zero__Kelvin · · Score: 1

      That is not correct. There is a wealth of empirical evidence to disprove your hypotheses, and you can prove it to yourself as well. Charge a battery to 100% and remove it for a couple days and note the charge when plugged back in (still 100%), then leave the battery in and power it "off" for the evening, and note that the charge is significantly less than 100%.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    26. Re: My iPhone is somewhere else... by Zero__Kelvin · · Score: 1

      You left out the make and model of your phone. Not every smartphone is the same. I also have some phones that behave as you describe. They are "lesser" phones. I am guessing yours is as well.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    27. Re: My iPhone is somewhere else... by Zero__Kelvin · · Score: 1

      Or I could charge my phone to 100%, shut it "off", turn it on in the morning, and note that significant difference.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    28. Re:My iPhone is somewhere else... by CSMoran · · Score: 1

      The lion cells don't know what kind of device they're in.

      They're called cages, not cells.

      --
      Every end has half a stick.
    29. Re: My iPhone is somewhere else... by Zero__Kelvin · · Score: 1

      OK. You just don't seem to be grasping the fact that we have two different phones, designed by different companies. I assure you there is nothing wrong with my phone.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    30. Re: My iPhone is somewhere else... by Zero__Kelvin · · Score: 1

      I have multiple phones from different manufacturers and there is a wide variance to be sure. Off you go now ...

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    31. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 1

      I am guessing you have never used a dumb phone

      I didn't get my first smartphone until 2011. Prior to that I used dumb phones and pagers for 15 years. Before that I even used payphones, sometimes in an actual phone booth. I'm old enough to remember rotary phones that my parents rented from Ma Bell.

    32. Re:My iPhone is somewhere else... by aaarrrgggh · · Score: 1

      Then keep the phone close; it isn't rocket science! While it might not work especially well, put the watch on the inside of your wrist if you are that abusive. Or, go for the ceramic one that is pretty frigging robust.

  3. This already exists. What has changed? by J. T. MacLeod · · Score: 2

    Google has been doing phone app prompts for 2FA for a while.

    Is anything actually different with this system? Or is this just a campaign to encourage SMS code users to switch?

    1. Re:This already exists. What has changed? by mhkohne · · Score: 1

      Yea, this is 'we need to stop doing the SMS thing, you need to switch over' as opposed to 'hey would you like to try a different thing'.

      --
      A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    2. Re:This already exists. What has changed? by AHuxley · · Score: 1

      Advertising. The accounts and usage patterns are worth more if they are really 100% human.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:This already exists. What has changed? by thegarbz · · Score: 1

      Except 2FA is optional. This is just saying when enabled it won't work on SMS anymore. So much for your rant on everything being the result of capitalism.

    4. Re:This already exists. What has changed? by PCM2 · · Score: 3, Informative

      Google has been doing phone app prompts for 2FA for a while.

      If you're talking about the Google Authenticator app, then yes, this is different. I started using it on my Galaxy S7 this week.

      The way it works is, you hit your username and login, and instead of a screen that asks you to type in the code you received, it basically just says "Wake up your phone." When you do, you immediately see a screen saying, "Is this you trying to login? Yes/No." You hit the Yes button and the site instantly logs you in. It's pretty slick, actually.

      --
      Breakfast served all day!
    5. Re:This already exists. What has changed? by somenickname · · Score: 1

      Except 2FA is optional. This is just saying when enabled it won't work on SMS anymore. So much for your rant on everything being the result of capitalism.

      It is *for now*, sure. Who's to say that at some point it won't be required and the only platform that is supported is Android.

    6. Re:This already exists. What has changed? by J. T. MacLeod · · Score: 1

      To clarify, I wasn't referring to the Google Authenticator app, but to an experience as you describe.

    7. Re:This already exists. What has changed? by Anonymous Coward · · Score: 1

      It's pretty slick, actually.

      And completely useless.

      The original "one time code" implementation was broken to begin with.* This just replaces the code with a button.

      Worse, due to the button being on the phone now there is the possibility for Google to know the phone's location that wasn't there before.** That's a new information leak that wasn't there before. One that I'm sure Google (and their advertisers) will love to have. (Hey! He shops online while at work / school!)

      *Originally one time codes were generated offline. That enabled a mode of security due to the code not being detectable (or intercept-able) by third parties. The use of SMS text messages allowed for the code to be intercepted by anyone with the right equipment. In the modern context, the target phone could be infected to prevent fraudulent SMS messages from being seen by the user. Never mind that due to the online nature of the modern phone, they can be remotely monitored as well. Basically, a modern phone is as useful for proving your identity as a computer at your local public library. But because phones are always on someone, and paid for by the user, everyone settled for a non-security measure, that was more hassle for no actual benefit.

      **One time codes had to be entered on the device making the request not the phone receiving the code. That still doesn't solve the lack of security problem above, but it DID make knowing the location of the phone impossible for Google to find out by the SMS alone. Now, Google can find out by the new button, as pressing the button sends an "OK" or "Nope" response to Google from the phone. In addition it also gives Google whatever crap they ask the default browser to send back to them in the response, so it's not just the public IP of the phone, but potentially anything that Google asks for. (User-agent, list of installed extensions, browsing history, cookie data, IMEI / Serial Number, etc.) So rather than fixing the lack of security, Google has decided to make it worse.

      The best part is: No one will care.

    8. Re:This already exists. What has changed? by thegarbz · · Score: 1

      Antitrust regulators and basically anyone with a functioning brain who requires that Google isn't about to cut off 1/3rd of mobile users from its services.

    9. Re:This already exists. What has changed? by EkriirkE · · Score: 1

      Your second scenario is how it's been for me for quite some time now... I'm also not sure what the purpose of this "news" is

      --
      from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
    10. Re:This already exists. What has changed? by chihowa · · Score: 1

      Worse, due to the button being on the phone now there is the possibility for Google to know the phone's location that wasn't there before.** That's a new information leak that wasn't there before.

      You don't use Google services without fully buying into the idea that privacy is a quaint anachronism or that Google is a benevolent big brother. Nobody who is already living happily in Google-land will care at all about just another information leak.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  4. Re:Won't affect me by jason2971 · · Score: 2

    There are alternate 2FA methods that can be used if you lose your phone-- an authenticator app (which may have been lost with your phone as well), a backup email address or (as a last resort) fall back to SMS verification.

  5. But I don't have a smartphone by OzPeter · · Score: 1

    So what am I? Chopped liver?

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:But I don't have a smartphone by jason2971 · · Score: 1

      As the article mentions, you can decline the invitation to switch to mobile prompts and continue to use SMS codes.

    2. Re:But I don't have a smartphone by Misagon · · Score: 2

      But what will you do when you are doing tech support for your mom who had managed to tap "accept" by mistake?

      I have been in exactly that situation when helping my mom when she unintentionally got 2FA on Microsoft's Outlook.com.

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    3. Re:But I don't have a smartphone by jason2971 · · Score: 1

      There will certainly be fallback methods-- authenticator apps (which your mom won't understand either), a backup email address to send codes to or fall back to SMS codes as a last resort.

    4. Re:But I don't have a smartphone by silverkniveshotmail. · · Score: 1

      You will do your best to help her, you might do a couple google searches before you come to a solution. Nothing new here.

    5. Re:But I don't have a smartphone by Misagon · · Score: 1

      You could hope that the fallback mechanism would be designed by competent engineers and easy to understand.
      My mom was certainly very confused about the whole thing. She did not even understand why she could not log in, so she relied on me completely.
      Even following the instructions, it took around a month before it was restored. My mom could live a month without access to her primary email account, but could you?

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    6. Re:But I don't have a smartphone by Yaztromo · · Score: 1

      So what am I? Chopped liver?

      I don't own a cell phone at all. Apparently I am chopped liver, as apparently it is impossible for (nearly) anyone to come up with a 2FA mechanism that doesn't involve a cell phone!

      Yaz

  6. Will it work... by Thad Boyd · · Score: 1

    ...if I don't have Gapps installed?

  7. And if one uses Thunderbird? by fahrbot-bot · · Score: 1

    If one uses Thunderbird and POP/IMAP will they get prompted every time the client downloads mail or just when done from a "new" system?

    --
    It must have been something you assimilated. . . .
    1. Re:And if one uses Thunderbird? by Obfuscant · · Score: 2

      I truly love it when Google sends me an email to my gmail account telling me that it didn't allow my device to log in to get my gmail because it was coming in from an unknown IP address. This truly is Dilbert levels of customer support.

    2. Re:And if one uses Thunderbird? by swillden · · Score: 4, Insightful

      I truly love it when Google sends me an email to my gmail account telling me that it didn't allow my device to log in to get my gmail because it was coming in from an unknown IP address. This truly is Dilbert levels of customer support.

      Nonsense.

      Those emails are important. Not when it actually was your device that was prevented from logging in, but when it wasn't. In that case, the email informs you that someone is trying to get into your account, and that they have your password. Which means you should change your password, right the hell now. Unless of course, you recognize the login attempt because you were the one that made it.

      If you want to stop getting those emails, turn on 2FA.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:And if one uses Thunderbird? by swillden · · Score: 1

      If one uses Thunderbird and POP/IMAP will they get prompted every time the client downloads mail or just when done from a "new" system?

      If you're using 2FA and want to use POP/IMAP or other protocols that don't know how to deal with 2FA, you have to set up an application-specific password. This is a high-entropy password that Google generates for you, and which should only be used on one machine and one application. You have it generated, copy/paste it into Thunderbird, tell Thunderbird to save the password, then you never see it again. The Google POP/IMAP servers do some additional checking to try to verify that the password only comes from the right app and the right machine.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:And if one uses Thunderbird? by swillden · · Score: 1

      I don't care if my already compromised account is compromised. I'd turn passwords off in the first place on my email.

      Your email account is typically the most important online account you have. Not because your emails are sensitive, but because it's the password reset verification mechanism for all of your other online accounts. Like your online bank account.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:And if one uses Thunderbird? by swillden · · Score: 1

      Set up 2FA. It provides an additional level of authentication that Google will take as proof that you're really you and won't apply the IP-based protection.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:And if one uses Thunderbird? by Obfuscant · · Score: 1

      Nonsense. Those emails are important.

      Given that the only person who is hindered from reading it is me, I don't think so. The chances of me seeing it depend on me accessing my gmail in the very short bit of time between the one failed login attempt and the second successful one when the hacker deletes it.

      He's actively accessing my account. I'm not. Who is going to get to that email first, do you think?

      Now, you might think that gmail will continue to block logins from that location, but they don't. I routinely see the "we blocked a login" emails while I'm still in the place they blocked them from, just not the first time I try to retrieve my email. I try once and see nothing new, I try a couple of hours later and I am told. And it's the old Dilbert joke about customer service: someone who has a problem with their email is told to send an email to customer support to get help. Ha ha.

  8. Re:But what if by Anonymous Coward · · Score: 1

    A bigger question is how does this work with people who don't own a smartphone.

    Yeah, and what about people without google accounts?

  9. Again: Glad I don't have a smartphone.. by Rick Schumann · · Score: 1

    ..and that the phone I do have (cheap-ass $50 plastic LG dumbphone, LOL) is turned off most of the time. Turn it on a couple times a day just to see if there are any messages for me. Physically shorted the GPS antenna on the main board to ground, so no GPS tracking when it's on anyway, just what tower it's connected to.

    I'd never bothered to learn how worldwide PSTN actually worked until I read this article and looked up SS7. Scary, that all that has been done for decades in the clear.

    1. Re:Again: Glad I don't have a smartphone.. by ledow · · Score: 1

      Cell-tower triangulation. Who pays the bill for the phone. "They" probably aren't at all hindered by your smart-arsery.

      But, to be honest, it's nice that you think you're that important that literally anybody would bother to track you.

    2. Re:Again: Glad I don't have a smartphone.. by Rick+Schumann · · Score: 1

      I'd rather be me and take what steps I can take to preserve and protect what I can of my personal privacy and security, than be someone like you, who I'm assuming from the piss-and-vinegar butthurt tone of your comment has completely given up, given in, and gone the way of the yellow-bellied, lily-livered coward, and just goes along with all the monitoring, tracking, surveilling, and rampant, unabated data collection on you, and likely your family, too. Sad, because you're probably a decent person otherwise.

    3. Re: Again: Glad I don't have a smartphone.. by Rick+Schumann · · Score: 1

      LOL why is it that so many jackasses on the Internets inject wild assumptions with no basis in fact or reality into conversations? LOL sure I'll search things on Google -- but I don't have any Google accounts, you couldn't PAY me to have any Google accounts. But I use an add-on to my browser that cleans the Google links, so while they certainly can log searches themselves, they can't log any search results I click on. When I'm at home any links I click on go through Tor, so not only can't Google log them, but my ISP can't log them, either. I don't use my real name online anywhere. I don't use ANY 'social media'. There are other security and privacy measures I take that I won't get into. My digital footprint is as non-existent as I can make it. That make you angry or something, that someone else is willing to make the effort, when maybe you can't be bothered yet feel violated constantly? Is that why you're being so condescending?

  10. Also what if you haven't agreed to Chrome's EULA? by Ungrounded+Lightning · · Score: 1

    But what if ... You don't use android or have anything related to Google on your phone?

    Also: How is this displayed and the reply collected? Does it require the Chrome (or another) browser?

    I haven't accepted the Chrome EULA on my Android phone (because it includes the Adobe Flash EULA, which in turn includes a lifetime non-compete, non-reverse-engineer provision).

    So does that mean I can't auth with Google?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  11. Re:But what if by AHuxley · · Score: 1

    Wait for the next step. Having to register to search in books, for video content or the web...

    --
    Domestic spying is now "Benign Information Gathering"
  12. Re:I hate Google's "protection" by Anonymous Coward · · Score: 1

    Google "strongly recommends" that I add another phone to my account. How many phones do they think a person has?

  15. Still.. Only 2 stories in 6 hours? by intellitech · · Score: 1

    That is beyond incompetence.

    --
    vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
  16. If SS7 is being hijacked... by bferrell · · Score: 1

    And routing for sms to the handset is hijacked, how is routing for the voice path not also hijacked?

    Something isn't kosher here.

    1. Re:If SS7 is being hijacked... by platinummyr · · Score: 1

      I doubt they're using routing for voice or SMS. I suspect they're having the device "phone home" where it is, so that it can ask it the question. No idea how you'd secure that connection tho.

    2. Re:If SS7 is being hijacked... by bferrell · · Score: 1

      In order to locate the handset via ss7 some form of routing is used to a.) send the "message" to the cell site currently connecting the handset.

      "special app" or no, ss7 IS used to locate the handset, allow it to connect to a cell site and determine if traffic is allowed to flow to and from it. Again, if SS7 is hijacked, how are those processes NOT compromised?

      This is not unlike saying the plane has been hijacked to cuba, but the crew is still enroute to new york.

    3. Re:If SS7 is being hijacked... by bferrell · · Score: 1

      The article says SS7 is being used to intercept sms messages sent to the handset i.e. redirecting them to an alternate endpoint. If that can happen, how can the voice call not also be redirected to an alternate endpoint via ss7? That IS what SS7 was made for... To direct (route) traffic (voice calls, sms message and even connect tcp/ip channels between internet gateways and handsets) to and from specific points in the network.

      To state it bluntly, I call bullshit to the stated premise. If sms is being intercepted via SS7 all the others are vulnerable too.

    4. Re:If SS7 is being hijacked... by Lancer · · Score: 1

      You're ignoring the fact that the app on your phone is (presumably, since it would be nuts to do it any other way) responding to Google's servers with a cryptographically signed response; even if somebody were to route the authentication request to a different end point, they would not be able to answer with an appropriately signed response. And then Google would know that it wasn't you. The benefit of this sort of system is that it could be implemented over completely insecure networks (which is good, because SS7).

      --
      Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
    5. Re:If SS7 is being hijacked... by bferrell · · Score: 1

      I agree, an app with a crypto handshake defeats this. Rereading the article, while not explicitly stated, it does look like they're using integrated 2FA or 2FA app. Those don't even have to communicate except at initial setup time.

      I read it to mean voice prompts, which just plain struck me as dumb.
      I'll go sit in the corner now.
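
The point made in this sub-thread, that a rerouted prompt is useless without the device's key, as an added example that is not part of the original comments and is not Google's actual protocol (which the article does not describe). It assumes an HMAC key enrolled on the phone at setup time; the `Device` and `Server` classes and the account name are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, challenge: bytes, login_id: str) -> bytes:
    # Bind the response to both the server nonce and the specific login attempt.
    return hmac.new(key, challenge + login_id.encode(), hashlib.sha256).digest()

class Device:
    """Phone app holding a key enrolled at setup time (assumed design)."""
    def __init__(self, key: bytes):
        self._key = key

    def approve(self, challenge: bytes, login_id: str) -> bytes:
        return mac(self._key, challenge, login_id)

class Server:
    def __init__(self):
        self._keys = {}     # account -> enrolled device key
        self._pending = {}  # login_id -> (account, challenge)

    def enroll(self, account: str) -> Device:
        self._keys[account] = secrets.token_bytes(32)
        return Device(self._keys[account])

    def start_login(self, account: str):
        login_id, challenge = secrets.token_hex(8), secrets.token_bytes(16)
        self._pending[login_id] = (account, challenge)
        return login_id, challenge

    def finish_login(self, login_id: str, response: bytes) -> bool:
        # pop() makes every challenge single-use, whether or not it verifies.
        entry = self._pending.pop(login_id, None)
        if entry is None:
            return False
        account, challenge = entry
        return hmac.compare_digest(mac(self._keys[account], challenge, login_id), response)

def demo():
    server, account = Server(), "alice@example.test"  # constructed sample account
    phone = server.enroll(account)
    lid, ch = server.start_login(account)
    good = phone.approve(ch, lid)
    legit = server.finish_login(lid, good)
    # Prompt delivered to another endpoint: it sees the challenge but has no enrolled key.
    lid2, ch2 = server.start_login(account)
    rerouted = server.finish_login(lid2, Device(secrets.token_bytes(32)).approve(ch2, lid2))
    # A captured earlier approval replayed against a fresh login attempt.
    lid3, _ = server.start_login(account)
    replayed = server.finish_login(lid3, good)
    return legit, rerouted, replayed
```

`demo()` returns `(True, False, False)`: only the enrolled device's response verifies, regardless of which network path carried the prompt.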

  17. Did you check the Firehose? by Ungrounded+Lightning · · Score: 1

    I know stories are posted farther apart at night, but it's embarrassing to have stories three hours apart on a weekday afternoon. These editors suck.

    Did you check the Firehose?

    Maybe there wasn't anything else WORTHY of being posted.

    When that happens I'd rather they DON'T post crummy junk articles just to make a quota.

    And I bet, if they DID post such junk, we'd hear even more complaining about the quality of the editorial staff.

    Once upon a time I was one of the sysops on an early conferencing system. You would not BELIEVE the amount of what we'd now call cyber-bullying that was directed at the sysops by people who wanted the site run THEIR way.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re: Did you check the Firehose? by Anonymous Coward · · Score: 1

      Normally they do post to try to hit a quota. As I just posted elsewhere in this thread, posts on weekdays are almost always 40 minutes apart and it's very periodic and regular. Oftentimes, the stories show up at the same time each day. And when they deviate, the posts still show up at times that are divisible by five, such as 1:45 or 3:10. The weekends are a little more irregular, but it's probably because EditorDavid is posting instead of BeauHD and msmash. Even on weekends, they're usually spaced just about an hour apart. In all seriousness, I think the last post by BeauHD was queued up last night to show up on the front page this morning. Everything after that has come from msmash and it looks like BeauHD hasn't posted anything today. It looks like msmash has posted about the same number of stories he does every weekday, but with no posts from BeauHD. I have no clue where BeauHD is, but all joking aside about the editors, I hope nothing is seriously wrong. It is, however, highly irregular from the way posts appear just about every other weekday on this site.

    2. Re: Did you check the Firehose? by Ungrounded+Lightning · · Score: 1

      Maybe he's sick.

      My wife's sick. I'm sick. Our pets are sick. (Different things for the pets, but still...)

      One reason gantt charts don't work as well as people think they should is that they never allocate time for plague.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  18. Re:Won't affect me by unixisc · · Score: 1

    Which Android versions will this affect? I have v5 - Lollipop - on both my Android devices. Will it happen there, or will one have to upgrade to 6 or 7 to get this?

  19. Re:I hate Google's "protection" by tepples · · Score: 1

    Google thinks a person has a circle of friends in meatspace, at least one of whom owns another cellular phone.

  20. Re: Had This For A While by bobmajdakjr · · Score: 1

    I hope it's not as shitty as Apple's. For some reason they thought making it a modal popup was the best idea ever so you can't even interact with the damn phone to type in the code it just popped up.