https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf
https://www.bjs.gov/content/pub/pdf/vit18.pdf

On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <m...@beckman.org> wrote:

> Can you cite data? Or provide a rational argument other than “they are”?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:01 AM, Tom Beecher <beec...@beecher.cc> wrote:
>
>>> These low-income people are not the targets of identity thieves, spear
>>> fishers, or data ransomers.
>>
>> This is patently false. Low-income / disabled / minority / non-English
>> speakers are absolutely targets of scams like those, and in
>> significant numbers.
>>
>> On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <m...@beckman.org> wrote:
>>
>>> Tom,
>>>
>>> Well, yes, not everyone can afford all technology options. That’s life.
>>> One has to wonder how someone who needs to protect online accounts cannot
>>> afford a $30 hardware token (which can be shared across several accounts).
>>> These low-income people are not the targets of identity thieves, spear
>>> fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
>>> as a 2FA token. In this case I don’t think we have ignored low-income
>>> users, for the same reason that home alarm security aren't ignoring
>>> low-income users who can’t afford their products. It’s certainly no reason
>>> to hobble security for the rest of us.
>>>
>>> -mel
>>>
>>> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beec...@beecher.cc> wrote:
>>>
>>>> HW tokens are great, sure.
>>>>
>>>> Except there is a lot of overlap in the Venn diagram between those who
>>>> still use feature phones and those for whom spending $30 on said hardware
>>>> token is financially obtrusive. (Not to mention that every hardware token
>>>> I can remember looking at requires an app to set themselves up in the
>>>> first place, and if this is for the people who can't install apps, that's
>>>> an interesting circular dependency.)
>>>>
>>>> I'm not arguing for or against anything here honestly. I'm just pointing
>>>> out that we (as in the technical community we) have a tendency to put
>>>> forward solutions that completely ignore what might be reasonably feasible
>>>> for those of lower income, or parts of the world not as technologically
>>>> developed as we might be ourselves, and we should try to shrink that gap
>>>> whenever possible, not make it worse.
>>>>
>>>> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <m...@beckman.org> wrote:
>>>>
>>>>> Then they can buy a hardware token. Using SMS is provably insecure, and
>>>>> for people being spear-phished (a much more common occurrence now that so
>>>>> much net worth data has been breached), a huge risk.
>>>>>
>>>>> -mel
>>>>>
>>>>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beec...@beecher.cc> wrote:
>>>>>
>>>>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>>>>> Internet. For example, the Google Authenticator mobile app doesn't
>>>>>>> require any Internet or cellular connection
>>>>>>
>>>>>> Lots of people still use feature phones that are not capable of running
>>>>>> applications such as this.
>>>>>>
>>>>>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <m...@beckman.org> wrote:
>>>>>>
>>>>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>>>>> Internet. For example, the Google Authenticator mobile app doesn't
>>>>>>> require any Internet or cellular connection. The authenticated system
>>>>>>> generates a secret key - a unique 16 or 32 character alphanumeric code.
>>>>>>> This key is scanned by GA or can be entered manually and as a result,
>>>>>>> both the authenticated system and GA know the same secret key, and can
>>>>>>> compute the time-based 2nd factor OTP just as hardware tokens do.
>>>>>>>
>>>>>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>>>>>> expiration time: with HOTP, the OTP is valid until it has been used;
>>>>>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>>>>>> For TOTP, the system time must be synced, otherwise the generated OTPs
>>>>>>> will be wrong. But you can get accurate enough clock time without the
>>>>>>> Internet, either manually using some radio source such as WWV, or by
>>>>>>> GPS or cellular system synchronization.
>>>>>>>
>>>>>>> -mel
>>>>>>>
>>>>>>> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>>>>>>
>>>>>>>>> On 4/18/21 05:18, Mel Beckman wrote:
>>>>>>>>>
>>>>>>>>> No, every SMS 2FA should be prohibited by regulatory certifications.
>>>>>>>>> The telcos had years to secure SMS. They did nothing. The plethora of
>>>>>>>>> well-secured commercial 2FA authentication tokens, many of them free,
>>>>>>>>> should be a mandatory replacement for 2FA in every security governance
>>>>>>>>> regime, such as PCI, financial account access, government web portals,
>>>>>>>>> etc.
>>>>>>>>
>>>>>>>> While I agree that SMS is insecure at the moment, I think there still
>>>>>>>> needs to be a mechanism that does not rely on the presence of an
>>>>>>>> Internet connection. One may not be able to have access to the Internet
>>>>>>>> for a number of reasons (traveling, coverage, outage, device, money,
>>>>>>>> etc.), and a fallback needs to be available to authenticate.
>>>>>>>>
>>>>>>>> I know some companies have been pushing for voice authentication for
>>>>>>>> their services through a phone call, in lieu of SMS or DTMF-based PINs.
>>>>>>>>
>>>>>>>> We need something that works at the lowest common denominator as
>>>>>>>> well, because as available as the Internet is worldwide, it's not yet
>>>>>>>> at a level that one would consider "basic access".
>>>>>>>>
>>>>>>>> Mark.