Slashdot Mirror


Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com)

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"

102 comments

  1. All SMS-based 2FA Systems should use Signal by Anonymous Coward · · Score: 5, Insightful

    End to end encryption easily solves this and other problems related to government spying.

    First of all, these are not cellular network "vulnerabilities." These are "features." And these "tools" are not Proof-of-Concepts for finding weaknesses in the networks. They are "products" that are sold to government for the purpose of spying on YOU and ME.

    1. Re:All SMS-based 2FA Systems should use Signal by AmiMoJo · · Score: 2

      Why even bother trying to transmit the code? Just use time based codes.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:All SMS-based 2FA Systems should use Signal by Anonymous Coward · · Score: 0

      All SMS-based 2FA Systems should use Signal

      https://en.wikipedia.org/wiki/... I'd rather use something based on open standards than a single, barely open-source, piece of unstandardised software.

    3. Re:All SMS-based 2FA Systems should use Signal by Strider- · · Score: 1

      Said someone who doesn't know the history of these protocols. SS7 has been around for a long, long time, longer than the IPv4 we all love to hate. It was developed in the days of yore, before the breakup of Ma Bell, when there were only a handful of telephone companies, and they all had reasonably tight control over their signalling networks (having started to learn their lesson from Captain Crunch, blue boxes, and the other phreakers). It was never intended to be used as it is today.

      Besides, if the national authorities want to follow you, they just use the resources of the phone company, there's no need for them to harness SS7 or anything like that.

      --
      ...si hoc legere nimium eruditionis habes...
    4. Re:All SMS-based 2FA Systems should use Signal by bobbied · · Score: 2

      SS7 ISUP, yes, is very old. Other parts of SS7 are not so old. In fact, SS7 allows you to extend it to do custom things and pass vendor specific data in proprietary formats, and many vendors have done this. Some SS7 extensions fell into common use, others didn't. But SS7 has been changing a lot over the last few decades as voice and data services have evolved and many proprietary extensions have become commonly used.

      Most of this advancement though has pretty much ended at this point. These days the whole industry is sliding into VOIP services and the signaling protocols that support it. SS7 is still commonly used where the POTS network meets a VOIP carrier but that use is obviously not ideal and SS7 is thus dying out, slowly.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    5. Re:All SMS-based 2FA Systems should use Signal by h4ck7h3p14n37 · · Score: 1

      Agreed. Just use a proper hardware or virtual MFA device.

      Codes sent via SMS don't really count as a second factor (it's another "something you know" like your username and password and not a "something you have") and they can be captured during transmission. NIST has been recommending against them since July of 2016.

    6. Re:All SMS-based 2FA Systems should use Signal by antdude · · Score: 1

      I am waiting for everyone to use Signal!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. bank? by carnivore302 · · Score: 1

    My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?

    --
    Please login to access my lawn
    1. Re:bank? by Anonymous Coward · · Score: 3, Funny

      No. I mean, you might have your account drained of all money, but your bank would be just fine.

    2. Re:bank? by nine-times · · Score: 3, Insightful

      Basically SMS isn't secure, and shouldn't be treated as a method of securely transmitting data.

    3. Re:bank? by geekmux · · Score: 1

      My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?

      FDIC insurance says everything about the give-a-shit level of most banks.

    4. Re:bank? by Anonymous Coward · · Score: 1

      That's not what the FDIC is for. FDIC covers bank failures only. Also the cost of FDIC is very very low because even a bankrupt bank has a net asset value of approximately zero, so the FDIC just has to kick in a little cash to get a buyer.

      You shouldn't really post if you have no idea what you are talking about.

    5. Re:bank? by bws111 · · Score: 2

      What is that even supposed to mean? The FDIC doesn't protect the bank against anything, it protects you in case your bank becomes insolvent. It does not protect you or the bank from fraud, robberies, or anything else.

    6. Re:bank? by Anonymous Coward · · Score: 0

      I don't think anyone ever thought it was secure. I thought the prevailing belief was that, sure text can be intercepted, but as a separate system, the odds of someone being able to connect a specific text to a specific website login were astronomical. Note that I am not saying the odds are astronomical, only that people believed them to be astronomical.

    7. Re:bank? by rholtzjr · · Score: 1

      It probably could. The method you are depicting could also be used by intercepting your SMS message from the reset of your password as well as a transaction confirmation method. Once they reset your password, make a transaction, okay it all while still intercepting your SMS, and voila. All unbeknownst to you, they have drained your account. Are there other safeguards in place to ensure that this does not happen? I do not know at this point, but that is a good question to ask.

      This I hope actually does reinforce most engineers to really pose the question, "Just because I can, does not mean I should" ("I can" != "I should"). It also points out that technology is just a tool and should always be treated as such.

    8. Re:bank? by TheRaven64 · · Score: 3, Informative

      Part of the problem with that logic is that people use SMS as a second factor when the client is the phone. In that case, it's just a second channel. It's hard to compromise both the SMS and the IP channels, unless you've compromised the endpoint, and that's one of the use cases where 2FA is supposed to actually help: if someone has malware on your computer, needing your phone to log in limits the damage that they can do. If someone compromises your phone, then needing your phone to log in gives them complete control.

      --
      I am TheRaven on Soylent News
    9. Re:bank? by lifeisshort · · Score: 2

      How about automated voice calls? Are they any more secure - my bank offers me a choice between text and voice call.

    10. Re:bank? by Anonymous Coward · · Score: 0

      Use a real 2 factor system like Symantec VIP or Google Authenticator.

    11. Re:bank? by Anonymous Coward · · Score: 1

      The problem is partly that people don't actually use 2 factor authentication.

      For example, you can usually click on a link to reset your password. They'll "verify" it's you doing it by sending a code over SMS that you have to enter, but if that code is intercepted it's adequate to override the password rather than required in addition to the password.

      Another example would be someone who saved their password on their phone so the same device once compromised has access to the SMS and the password.

      So, really they've just replaced the stronger factor "something you know" with the weaker one "something you have", rather than actually requiring both in many practical cases.

    12. Re:bank? by Anonymous Coward · · Score: 0

      Probably not. It doesn't state it specifically in the article, but they can probably use the same or similar method to intercept voice calls.

  3. Apps by Anonymous Coward · · Score: 4, Funny

    Only LUDDITES use text messages for two-factor authentication. Modern app appers app authentication apps for authentication through apps.

    Apps!

    1. Re:Apps by GameboyRMH · · Score: 2

      You joke, but it sounds like you're describing 2FA apps :-P

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  4. blah blah hack blah blah by Anonymous Coward · · Score: 0

    blah hacking blah hacked blah yadda blah hackers blah blah hack blah blah yadda blah.

    Thank you theverge. That was most useful.

  5. Lol by Anonymous Coward · · Score: 0

    I'm not sure giving that info to Google is any better than having it stolen by hackers. When it comes to people's public/private info, google is SAVAGE.
    "Don't be evil" how fucking ironic..

    1. Re:Lol by GuB-42 · · Score: 2

      Google may be savage but Google is legal.
      Google won't empty your bank account without your permission, Google won't ask you for a ransom, Google won't use your computer as a proxy for all kinds of illegal activity.
      That's also why it is better to be in debt to a bank than to the mafia, no matter how savage banks are. Sure, debt collectors are annoying and they may take your house but at least your life will be safe and you won't be mailed body parts of family members.

    2. Re:Lol by rholtzjr · · Score: 1
      FTFY

      That's also why it is better to be in debt to a bank than to the mafia, no matter how savage banks are. Sure, debt collectors are annoying and they may take your house but at least your existence will be safe and you won't be mailed body parts of family members.

      Your life is still f_%ked either way. It's just that one MAY be recoverable.

      Curiosity, why do banks collect relative information on all their loan documents? Habit?

    3. Re:Lol by GuB-42 · · Score: 1

      All the information they ask you has the same purpose: to judge how risky you are in order to determine how much they will lend you and under which conditions (rate, guarantees, ...).
      Having a rich and stable family that can help you is much better than you having a family that needs help. This will be taken into account, just like your job, your health, your criminal record, ... If they don't ask questions, it may not be a good sign, because they will assume you are high risk by default.

    4. Re:Lol by ebyrob · · Score: 1

      > Curiosity, why do banks collect relative information on all their loan documents? Habit?

      Probably so they can track you down if you don't pay up. Even many fugitives stay in touch with friends and family at some point.

  6. SMS!=text by rastos1 · · Score: 1

    For a moment I was worried that I'll have to use binary or hex for two-factor authentication rather then plain "texts".

    1. Re:SMS!=text by Anonymous Coward · · Score: 0, Informative

      rather then plain "texts".

      then!=than

    2. Re:SMS!=text by Anonymous Coward · · Score: 0

      There are multiple meanings of the word, added to common language long ago.

      "The term originally referred to messages sent using the Short Message Service (SMS). It has grown beyond alphanumeric text to include multimedia messages (known as MMS) containing digital images, videos, and sound content, as well as ideograms known as emoji (happy faces and other icons)."

      Text messaging

  7. This is two-step, NOT two factor by imp7 · · Score: 2, Interesting

    Why do we keep seeing this being reported incorrectly by security "professionals"? Using SMS has always been two STEP, not two factor. You need to use the correct words describing a system if you are going to rag on that system.

    1. Re:This is two-step, NOT two factor by Anonymous Coward · · Score: 0

      Something you have and something you know? How is that not two factors? Fucking drunkass.

    2. Re:This is two-step, NOT two factor by TheRaven64 · · Score: 4, Insightful

      SMS is intended for two-factor authentication when the phone is a thing that you have and is separate from the thing that you know. The problem that TFA points out is that 'having the phone' and 'being the only one who can receive SMS to that number' are not even slightly the same thing. The other problem is that an increasing amount of stuff is done on the phone, so the phone stops being a separate 'something you have' and is just your terminal, which is as likely to be controlled by the attacker as any other terminal (probably more so, given how many run unpatched operating systems with known vulnerabilities).

      --
      I am TheRaven on Soylent News
    3. Re:This is two-step, NOT two factor by aaarrrgggh · · Score: 1

      You don't "have" the SMS message; it exists in many places, hence the vulnerability.

      It is a second "step" since to receive it you should have already entered a valid password associated with the cell phone number.

    4. Re:This is two-step, NOT two factor by Anonymous Coward · · Score: 0

      Reminds me of when a place rolled out two-"factor" authentication. It consisted of your password (that you set), and a 4 digit pin. That you also set, and change with the same frequency as your password. So really all they did is break your password into an alphanumeric portion and a purely numeric portion.

    5. Re:This is two-step, NOT two factor by Zero__Kelvin · · Score: 1

      Probably because you are clueless, and it is indeed two factor auth.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  8. Serious Threat...minor chances by Lucid7 · · Score: 2

    This is just a rehashed article from over a year ago. Same exact examples are referenced. That SS7 site on tor has been reported a few times now as being fraudulent. The bitcoin wallet on there had like 2 transactions into it. This is a serious threat for sure but they are grossly overestimating the effects of this in the wild. It's not exactly 'easy to attack SS7' for the non telecom enthusiast. If it was, people would be selling the service and telecom would've moved on by now.

    1. Re: Serious Threat...minor chances by fubarrr · · Score: 2

      The exact same attack "false roaming request" has been in the wild since 2003 or 2004. Literally millions of people loose money due to having their phone number hijacked and being used to send SMSes to paid numbers.

      Same trick is being used by Russian spies to regularly steal online accounts of European politicians

    2. Re:Serious Threat...minor chances by snookiex · · Score: 1

      telecom would've moved on by now

      They already did. It's called Diameter

      --
      Open Source Network Inventory for the masses! Kuwaiba
    3. Re: Serious Threat...minor chances by Anonymous Coward · · Score: 0

      Lose != loose

  9. ooga-booga by Anonymous Coward · · Score: 0

    Same is true for fancy RSA 2FA tokens. Intercept texts, reset google/email passwords, revoke and reissue 2FA token in any form factor you want.

    Conflating broke ass secondary communications channels with 2FA, Film at 11.

  10. Re: Hilary lost. by Anonymous Coward · · Score: 0

    Refudiate?

  11. stop using your primary phone by Anonymous Coward · · Score: 2, Interesting

    If you're paranoid or actually at risk of being hacked, buy a burner phone and use that for your 2 step authentication.
    Nobody can social engineer or cell tower hack your number because they don't know it.

    1. Re:stop using your primary phone by Anonymous Coward · · Score: 0

      If you use that burner on more than one site then, should one of the sites be compromised, an attacker may be able to put 1+1 together and know that your accounts on other sites also use that same burner.

  12. Re: Hilary lost. by Aaden42 · · Score: 0, Offtopic

    You need smarter monkeys for that, apparently.

  13. Still better than password only by MightyYar · · Score: 5, Insightful

    So... still better than password-only. That's probably good enough for my purposes.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Still better than password only by Solandri · · Score: 5, Insightful

      No, it's worse than password-only. If your account is only protected by a password, then there's no password recovery. You forget your password and you're locked out of the account, permanently. OTOH that means anyone trying to get into your account has to guess/know your password in order to get in.

      With this SMS intercept exploit, they can get into your account without knowing your password.

      You're thinking of using a SMS in addition to your password in order to login to an account - i.e. 2FA. Yes in that case it's better than password-only (unless it lulls you into picking a poor password because you think you're being protected by the SMS). But that's not what this exploit is about. It's about resetting your password by intercepting a SMS that was supposed to go to your phone. The SMS is used to bypass your password, not to augment it. (In your defense, TFA conflates the two as well, leading to the confusion.)

      In other words, it's stupid using 2FA to login, if your password reset procedure is 1FA. Attackers will simply ignore the stronger security to target the weakest link - the 1FA step.

    2. Re:Still better than password only by rholtzjr · · Score: 1

      IMO, currently the user definable Security Question/Answer is a better choice over SMS. This way you do NOT have a set of predefined questions to establish a pattern off of (e.g. Mother's maiden name, high school attended, street you grew up on, etc.), you know, anything that is public-record based. Could your phone number also be considered "public record" considering most everyone asks for it as a point of contact on about EVERY document you have to sign (which means they now have your signature as well)?

      SMS TFA reminds me of the commercial for Life Lock, "Oh, I am not a real security guard, I am a security monitor". And the article points this out by showing that SMS TFA does not provide you with that much security. It is exploitable and not as difficult as some would like you to believe.

    3. Re:Still better than password only by MightyYar · · Score: 1

      Yes, the article (and summary) confused me. On my Google account, to do a password recovery I believe they'd need to compromise my second email account and know a security question to recover my Gmail account. If they do all that, then yeah I'm screwed but frankly that is a lot of work and they could just steal my identity instead :)

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    4. Re:Still better than password only by MightyYar · · Score: 2

      Replying to myself. Apparently Google discontinued the secret question method so honestly I have no idea what happens when you try to recover your account and I'm not in the mood to try it :)

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    5. Re:Still better than password only by apoc.famine · · Score: 2

      But you're not considering security through obscurity. And while we all know that's a bad idea, there is still significant overhead when it comes to knowing enough about my personal details to break into my banking website. In no particular order:

      What bank do I use?
      What is my login to that bank?
      What phone number do I use?
      Do I have 2fa using text turned on?

      An attacker needs to know all of that in order to leverage this sort of attack. Even getting into my email requires the phone number when accessing it from an unknown device, which would be the fastest way to find my phone number. Malware that gets access to my email would be able to turn it up, but running Linux plus NoScript, I think I'm pretty safe.

      Outside of compromising my email account, I'm not sure how someone would piece together enough of this information. I don't tend to post my cell number anywhere, and I don't tend to go to the physical bank very often. My login for my banking website is not a logical first.last or anything like that, so it's not really guessable. And by the time they guessed the password to my stolen phone I'd have disabled it anyway.

      Outside of a targeted spear phishing attack, how do you anticipate that an attacker would get all this info?

      --
      Velociraptor = Distiraptor / Timeraptor
  14. 2FA with SMS is not about security by Carewolf · · Score: 4, Insightful

    It is just an excuse to harvest your phone number.

    1. Re:2FA with SMS is not about security by swillden · · Score: 2

      It is just an excuse to harvest your phone number.

      For what purpose?

      Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting. Moreover, knowing peoples' phone numbers really isn't all that useful. I suppose there may be some rare situation in which it could be used to correlate information from various sources to create a more comprehensive dossier, but I can't think of a single such scenario where there wouldn't be other data elements that could be more easily and reliably used for the correlation. I guess there may be some organization out there who would sell your phone number to telemarketers, etc., but none of the organizations I deal with that use 2FA would do that. Do you have any examples of some that would?

      From a security perspective I've been uncomfortable with SMS-based 2FA for a long time. I still have it enabled on a few accounts either because no other option is offered (none of the banks I use have anything other than SMS), or because I want to have SMS as a backup option, even though it's not the one I use most of the time. This research makes me think that I should stop using it as a backup, and just make sure I'm sufficiently covered in other ways.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:2FA with SMS is not about security by Anonymous Coward · · Score: 0

      It's annoying, I don't have a phone number so I keep getting the prompt to enter it over and over. And when I try to log in at the library or something I get locked out of my account and they want to text me some key. How the heck am I going to get a text with no number?

  15. I'm tired by Anonymous Coward · · Score: 0

    I'm tired of securing my shit all the time. It changes everyday.

  16. Is there any good form of authentication. by jellomizer · · Score: 2

    There is always a way in. For Apple's Face ID, it is stated there is a 1 in a million chance of breaking it. That means there are probably over 6,000 people in the world that could get into your phone with their face alone. And being that close relatives and people with similar genetics often live closer by, some of these 6,000 people may be rather close.
    Humans actually make worse assumptions when granting access to security. They can often be conned into thinking you are someone who you are not rather quickly. Being that most effective hacks are social hacks where someone actively gives the bad guy access to their computers.
    Using text as part of the two factor authentication isn't as bad as most. Being that most security problems don't come from someone hacking into your account, but getting in the backdoor and getting your info that way. So the two factor with the text is probably good enough for rather secure methods to protect your account for sites where they wouldn't bother targeting just you. Just because if they stole a password table they wouldn't spend the time trying to hack the text response if they have a million more passwords to try.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  17. SMS has more problems than that by Anonymous Coward · · Score: 0

    I have never used SMS or anything whatsoever that relies on my cellphone. Cellphones are not permanent. It would be like relying on a specific IP address. Doesn't matter if you have it right now, there is little to no guarantee you will have access to it in the future. Much less guarantee than the old land-lines.

    I've permanently lost cellphone access simply from dropping my phone in the ocean and having no way to recover the account (it was pre-paid and this was before they would swap your account with a new sim; hell maybe you still can't if you're pre-paid). If I had accounts tied to that number (SMS or otherwise) then they would be DONE. Especially if they used actual 2FA, I would be 100% screwed. Fuck that!

    1. Re: SMS has more problems than that by corychristison · · Score: 1

      Or you can lose it by something more common, such as moving.

      Depending where you live, and/or move to, it may not be "possible" (I'm certain it's an artificial limitation) to keep your old number. Some carriers even approach users that are out of their "service area" for extended periods, sometimes even just cutting them off without notice and forcing them to get a "local" number.

      I know this varies largely by what country you live in, but it does happen, and happens quite often in many parts of the world.

  18. SMS wasn't designed to be secure by evolutionary · · Score: 1

    People using SMS for security are hoping that it is difficult to impossible to potentially tie together the data, but of course it's not foolproof. Texts can be easily intercepted and put together if data from the other side can be acquired. It was made for convenience. Simple as that. Which is why we have other apps and methods of encrypting SMS or equivalent (WhatsApp for example, although in theory there are ways to attack that too, but it is harder, can't remember details). Even GSM seems a bit weak to me and in India, there is apparently no encryption at all. Cell phone technology was designed not with a focus on security, but convenience and ease of use. In other words, easy to consume. The price of convenience in my experience has always been security.

    --
    "Imagination is more important than knowledge" - Einstein
  19. Starfleet Regulation 46(a) by hey! · · Score: 1

    "If transmissions were being monitored during battle, no uncoded messages were to be transmitted on an open channel."

    And yet even though they were aware enough to draft a regulation, their mobile communicators didn't come with a secure messaging system either.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Starfleet Regulation 46(a) by kwerle · · Score: 1

      queen to queen's level 3

    2. Re:Starfleet Regulation 46(a) by hey! · · Score: 1

      Ha! I'm playing for a draw.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re:Starfleet Regulation 46(a) by kwerle · · Score: 1

      Oh - it's a pretty oblique reference. http://www.ericweisstein.com/f...

      That was their clear (compromised) channel challenge key.

    4. Re:Starfleet Regulation 46(a) by hey! · · Score: 1

      Far from oblique, as was my reference to TNG Season 2 Episode 21.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    5. Re: Starfleet Regulation 46(a) by Anonymous Coward · · Score: 0

      Queen to king's level 1

    6. Re:Starfleet Regulation 46(a) by kwerle · · Score: 1

      My mistake! Never became much of a TNG fan...

  20. Just get hardware token for $15 by Anonymous Coward · · Score: 1

    I happen to have a YubiKey from YubiCo but there are probably other vendors. The cheap version is just USB-A. The expensive version has NFC so you can use it with most modern smartphones to authenticate. It works with Google, which is probably what you care most about. Facebook also supports it, although it's not as important. I haven't used it in months; it only matters if you're on a "new" device and leaves you alone otherwise. Incidentally, Facebook will also encrypt your password-recovery requests with your public PGP key. I know at least one person who turned that feature on. (me).

  21. Just Don't Give It Out by that+this+is+not+und · · Score: 1

    Just don't give out your phone number. Google has no reason to know my phone number. I don't have to disable 'two factor authentication by text message' if they don't have my phone number.

    1. Re:Just Don't Give It Out by Anonymous Coward · · Score: 0

      I don't have to disable 'two factor authentication by text message' if they don't have my phone number.

      "We do not recognize this device. Please enter a phone number that we can send a text to in order to validate that you are you."

      You think I'm joking, but I'm not. Ok, I don't know if Google does it, but I have encountered places that do just that. Places that ask you to enter a phone number right then and there to be used to validate that you are you. You of course see the problem with that, right? If I am entering a phone number right then and there, you aren't proving that I am the account holder, you're proving that I have a phone that can receive text messages.

    2. Re:Just Don't Give It Out by that+this+is+not+und · · Score: 1

      That's so likely to be a phishing expedition that anybody who actually gives them a phone number is being very foolish.

      No, when presented with an 'issue' like that, unless there is an absolute emergency in progress and you need to use 'their service', the proper thing to do is become 'very concerned for your security' and eat up a TON of their tech support with a human operator making certain that it is 'safe' to use 'this device' with their service. Get on their actual human tech support with a very costly (to them) presence.

      If it's fucking Google, just get a real email account. They're a few dollars a month. Personally, I have chosen Fastmail, there are other good providers as well.

    3. Re: Just Don't Give It Out by Anonymous Coward · · Score: 0

      That is because a phone number is more expensive to dispose of.

      The SMS system is secure enough to verify you are not a bot, but inadequate to prove you are alive.

      But app-based 2FA is worse, since morons will use the same device for 2FA. So lose the device, you've just lost your identity.

      The ideal mechanism requires a biometric to unlock the device, but a physical token from banks (e.g. the NFC chip) as 2FA that can be replaced for access to the bank.

      Everything else, like your primary email, should require tapping your passport, driver's license, or specific service physical token. No NFC on your PC? Too damn bad.

    4. Re:Just Don't Give It Out by rholtzjr · · Score: 1

      I have seen just as bad with security Q/A which they implemented later.

      Steps:

      Reset Password

      Enter Security Question (blank, one was not previously set)

      Enter Security Answer (blank, also previously not set)

      Returns failed reset (as they do not allow a blank security Q/A)

    5. Re:Just Don't Give It Out by Anonymous Coward · · Score: 0

      There was a time that new Google Account signups required a phone number - getting around the requirement was not obvious.

  22. solution? by Anonymous Coward · · Score: 0

    great, you found a problem that's been around since 2008, but has anyone come up with a solution other than removing 2FA?

    do people not realize that security is supposed to be done in layers? Just by adding 2FA you have increased the cost of an attack, therefore making sure that the potential hackers will need to make sure that the reward will be worth more than the cost of the attack. By removing 2FA you have made the cost of the attack cheaper.

    What happened to news for nerds, this sounds like news for normal people, aka fear mongering about technology. "remove 2FA so that it's easier for hackers to get into your account" fuck off

    1. Re:solution? by rholtzjr · · Score: 1

      It has been lost to the era of "Ooooo, shiny" mentality.

  23. Harvest it all, figure out what it's good for l8r by Geoffrey.landis · · Score: 1

    It is just an excuse to harvest your phone number.

    For what purpose?

    To sell it to Rachel from Cardholder Services, I expect.

    Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting.
    Moreover, knowing peoples' phone numbers really isn't all that useful.

    All information about a consumer is useful information, if you have enough of it. You may not know yet when it will be useful, or what it will be useful for, but if you're a big info corporation harvesting info, you want to harvest all the info you can: it will be useful someday, and once people understand how giving that info to you was a bad bad idea, they will stop giving it to you-- so you want to get it now, before they realize it.

    --
    http://www.geoffreylandis.com
  24. Re:Hilary lost. by bobbied · · Score: 0

    We all lost during the primaries, regardless of who you voted for.... Maybe before that.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  25. Re:Harvest it all, figure out what it's good for l by swillden · · Score: 1

    It is just an excuse to harvest your phone number.

    For what purpose?

    To sell it to Rachel from Cardholder Services, I expect.

    What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

    Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting. Moreover, knowing peoples' phone numbers really isn't all that useful.

    All information about a consumer is useful information, if you have enough of it. You may not know yet when it will be useful, or what it will be useful for, but if you're a big info corporation harvesting info, you want to harvest all the info you can: it will be useful someday, and once people understand how giving that info to you was a bad bad idea, they will stop giving it to you-- so you want to get it now, before they realize it.

    All information about a consumer is also a liability. Lots of organizations haven't figured this out yet, but I think pretty much all of them savvy enough to be implementing 2FA understand it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  26. Alternatives? by Tablizer · · Score: 1

    For some applications one wants multiple ways to verify identity. Any one of those ways can be hacked, so does that mean multi-"channel"-verification should be done away with altogether, leaving one stuck with weak single-channel verification? What are the alternatives? Humans knocking on doors and taking finger-prints? Even ignoring the cost of personal visits, finger-prints can be hacked also with rubber facades and bribery. It sounds like the nothing-is-perfect-so-do-nothing argument. The fetal position is the most secure.

  27. Practicality by Anonymous Coward · · Score: 0

    Just because it can be done, doesn't mean it has a real world practical use.
    Unless a specific individual is being targeted and followed around, I don't see a practical way that this would be useful.
    Is someone going to harvest all text messages in an area, hoping that someday someone will request a TFA code? The TFA code expires in minutes; they would have to be there to act, not just harvesting information, collecting, and acting on it later.

    Also, using a service like Google Voice to receive the text message (non forwarded) seems like a pretty easy, secure workaround.

    1. Re:Practicality by Anonymous Coward · · Score: 0

      I use a Yubikey NEO with the Yubico authenticator app instead of Google Authenticator. The Yubikey is password protected, and ensures even if my phone is compromised an attacker can't just generate codes. The real reason for having this kind of setup though, is that the hardware key is durable, and can be used on any phone as long as you have the password to unlock it. So transferring to a new device is trivial and the likelihood of it breaking is slim.

      I made the switch after my phone was destroyed by water and it took me just over a week to get back into everything.

    2. Re:Practicality by Anonymous Coward · · Score: 0

      Is a Yubikey NEO for $50 USD a good deal?

    3. Re:Practicality by ben_kelley · · Score: 1

      rot13 encryption ftw!

    4. Re:Practicality by Anonymous Coward · · Score: 0

      Yeah, you want the NEO for sure if you're planning on using it with your phone and NFC. $50 is what I paid last year. I've never seen the NEO for less.

    5. Re:Practicality by Anonymous Coward · · Score: 0

      The thing is: Using texts is a lot better than nothing.

      The other thing: Using texts is practical. I just had my phone die, with all sorts of authenticator apps on it: for Google, for my credit cards, for my bank, etc. To get those all replaced is an absolute PITA. Whereas anything using texts was automatically moved to my new phone, just by moving the SIM card.

      Security has to be practical, or people won't use it. Texts are very practical. Instead of encouraging people to do something else, why not improve texts? Just as an example, how about if texts were encrypted ("Signal" or some similar protocol)?

  28. Re:Harvest it all, figure out what it's good for l by Geoffrey.landis · · Score: 1

    It is just an excuse to harvest your phone number.

    For what purpose?

    To sell it to Rachel from Cardholder Services, I expect.

    What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

    I don't know where Rachel from Cardholder Services got my cell phone number, but she certainly got it from somewhere.

    Basically, what you posted in this thread can be summarized "oh, just trust them with the information, they won't misuse it. And anyway, I can't think of how I would misuse it, so obviously some corporation couldn't think of a way either."

    ...All information about a consumer is also a liability. Lots of organizations haven't figured this out yet,

    Right the first time: Lots of organizations haven't figured this out yet.

    but I think pretty much all of them savvy enough to be implementing 2FA understand it.

    The historical record does not back you up on this.

      https://www.comparitech.com/blog/information-security/biggest-data-breaches-in-history/

      http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

      https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.htm

      https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/

    --
    http://www.geoffreylandis.com
  29. How does Google messenger work? by 140Mandak262Jamuna · · Score: 1

    For some reason my phone does not get the SMS with just a five-digit number sender. A regular phone number works, but most of these SMS from credit card activity etc. come from a five-digit number. My phone does not get them.

    I changed the number to a Google Voice number. I get the alert in email to my gmail account, and also a message to the phone. But not to the default SMS application; it goes to some Google+ messenger kind of thing. Frankly I thought they were dead. But they give me the alert.

    Does this also use SMS and is it vulnerable to the SS7 security vulnerability?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  30. Re: Hilary lost. by Anonymous Coward · · Score: 0

    That's not the kind of 2FA I was expecting.

    Anyway they claim to be able to intercept it in transit but I bet I would have used the code by the time they extracted it from their extractor. Not to mention they would have to be ready at any time and know my email address. Meh... it could happen but it won't stop me from using coinbase which I rarely use anyway.

  31. Sane system would still need a password by ebyrob · · Score: 1

    No kidding, if this stuff was actually two-factor, you'd still need the password even if you could prove access to the phone's data.

    Also, it wasn't a coin wallet they hacked, it was Gmail. Gmail is apparently where the vulnerability is.

    Oh, not to mention it may not be a good idea to farm out the security of your bitcoin (ish) keys to some online third-party. I mean, yeah, we give money to banks instead of putting it under our mattresses, but they're FDIC insured and certified by the government (who can just print more if they steal it or, as we saw a few years back, mismanage it).

  32. PR for another (pseudo) security firm by HongoBelando · · Score: 1

    The video shows just the unlock process plus a (possibly fake) web page with SS7 printed in big letters. Looks much like a PR stunt. These guys of Positive Technologies might want to read at least Wikipedia about SS7. Even if it is an old protocol, it still has common things with the OSI 7 layers. You can compare SS7 to a sort of IP; the layers above, like MAP, are used in mobiles and there is no XML encoded for humans to read but XER/BER. In all networks I know there is no SS7 but all is SCTP. An attack of grabbing SMS text will only work if you are inside the operator's network, which certainly has vulnerabilities, especially with people's PCs that VPN into the core network. But if you are in that position you will probably be interested in many other aspects than just recovering some bitcoins. BTW I work for a mobile operator; these systems trigger alarms when you login and commit a configuration. Then you would need to understand a bit of things like AXE or DX200 nodes just to print something. This was just for some free PR by the authors.

  33. Practicality by bradley13 · · Score: 2

    The thing is: Using texts is a lot better than nothing.

    The other thing: Using texts is practical. I just had my phone die, with all sorts of authenticator apps on it: for Google, for my credit cards, for my bank, etc. To get those all replaced is an absolute PITA. Whereas anything using texts was automatically moved to my new phone, just by moving the SIM card.

    Security has to be practical, or people won't use it. Texts are very practical. Instead of encouraging people to do something else, why not improve texts? Just as an example, how about if texts were encrypted ("Signal" or some similar protocol)?

    --
    Enjoy life! This is not a dress rehearsal.
  34. Re:Harvest it all, figure out what it's good for l by swillden · · Score: 1

    It is just an excuse to harvest your phone number.

    For what purpose?

    To sell it to Rachel from Cardholder Services, I expect.

    What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

    I don't know where Rachel from Cardholder Services got my cell phone number, but she certainly got it from somewhere.

    What makes you think it's from some 2FA? Seriously, what organizations do you give your number to for 2FA? Your bank. Your email provider (e.g. Google). Can you think of one that would not suffer more by being discovered to sell those numbers than they would gain?

    The historical record does not back you up on this.

    Red herring. Those links are about data breaches, not sales. The claim here is that organizations offering 2FA ask for your number specifically to misuse it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  35. Re:Harvest it all, figure out what it's good for l by ebyrob · · Score: 1

    All information about a consumer is also a liability.

    Tell that to Equifax... If what you say is even slightly true they should be out of business 10 times over.

    Dollars to donuts in 2 years it'll be business as usual.

  36. Re:Harvest it all, figure out what it's good for l by swillden · · Score: 1

    All information about a consumer is also a liability.

    Tell that to Equifax.

    Well, in their case information about consumers is their entire business. Which means they should be crazy paranoid about security, because it literally is their entire reason for existence, to securely gather and disseminate -- but only when and where it's proper -- highly-personal information.

    Dollars to donuts in 2 years it'll be business as usual.

    Yeah...

    I'm generally pretty laissez-faire, but this is an area where I think we need regulation. There should be specific, and severe, penalties for data breaches. And even more severe penalties for hiding data breaches. Keeping large amounts of data about individuals needs to be recognized as a dangerous thing to do, something to be done only when absolutely necessary, and only with extreme attention to security.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  37. Re:Harvest it all, figure out what it's good for l by Carewolf · · Score: 1

    It is just an excuse to harvest your phone number.

    For what purpose?

    To sell it to Rachel from Cardholder Services, I expect.

    What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.

    I was talking more about "free" services than corporate authentication. There are many of them that would like you to give them your phone number; it used to be for password recovery, but now they claim it is for extra security. Steam pesters me all the time. I tried installing the mobile app to see if that was enough, but no, they want my phone number, even though it is less secure than my email. I can only imagine it is for selling on.

  38. Just trust them- they're not evil, they say so by Geoffrey.landis · · Score: 2

    Red herring.

    Your entire post is a red herring. You're basically saying "I don't think they'd do anything bad because we can trust giant corporations."

    You haven't put forth any reason to think that, you just do.

    I don't. The entire history of the web tells us that you can't trust corporations with personal information.

    And, I really don't care whether they gave my number to Rachel at Card Services (and everybody else in the world) because of a data breach or because they sold it. That's a distinction without any difference to me.

    --
    http://www.geoffreylandis.com