> Can you point out the specific data you think supports your claim?

I can, but I'm not going to, because that's not what this side discussion has been based on. You said:

> These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.

I just showed you data that shows they are, but now you are trying to move the goalposts with new quantifiers. I think this discussion has run its course for me. Take care.

On Mon, Apr 19, 2021 at 10:45 AM Mel Beckman <m...@beckman.org> wrote:

> I don’t see any data showing that poor people are *targets* of account access attacks. Can you point out the specific data you think supports your claim?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:33 AM, Tom Beecher <beec...@beecher.cc> wrote:
>
>> https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf
>> https://www.bjs.gov/content/pub/pdf/vit18.pdf
>>
>> On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <m...@beckman.org> wrote:
>>
>>> Can you cite data? Or provide a rational argument other than “they are”?
>>>
>>> -mel via cell
>>>
>>> On Apr 19, 2021, at 7:01 AM, Tom Beecher <beec...@beecher.cc> wrote:
>>>
>>>>> These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.
>>>>
>>>> This is patently false. Low-income / disabled / minority / non-English speakers are absolutely targets of scams like those, and in significant numbers.
>>>>
>>>> On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <m...@beckman.org> wrote:
>>>>
>>>>> Tom,
>>>>>
>>>>> Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.
>>>>>
>>>>> -mel
>>>>>
>>>>> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beec...@beecher.cc> wrote:
>>>>>
>>>>>> HW tokens are great, sure.
>>>>>>
>>>>>> Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. (Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency.)
>>>>>>
>>>>>> I'm not arguing for or against anything here honestly. I'm just pointing out that we (as in the technical community we) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income, or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.
>>>>>>
>>>>>> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <m...@beckman.org> wrote:
>>>>>>
>>>>>>> Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk.
>>>>>>>
>>>>>>> -mel
>>>>>>>
>>>>>>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beec...@beecher.cc> wrote:
>>>>>>>
>>>>>>>>> As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection
>>>>>>>>
>>>>>>>> Lots of people still use feature phones that are not capable of running applications such as this.
>>>>>>>>
>>>>>>>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <m...@beckman.org> wrote:
>>>>>>>>
>>>>>>>>> As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
>>>>>>>>>
>>>>>>>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
>>>>>>>>>
>>>>>>>>> -mel
>>>>>>>>>
>>>>>>>>> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>>>>>>>>
>>>>>>>>>> On 4/18/21 05:18, Mel Beckman wrote:
>>>>>>>>>>
>>>>>>>>>>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>>>>>>>>>>
>>>>>>>>>> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, etc.), and a fallback needs to be available to authenticate.
>>>>>>>>>>
>>>>>>>>>> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PINs.
>>>>>>>>>>
>>>>>>>>>> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>>>>>>>>>>
>>>>>>>>>> Mark.