Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Eric Kuhnke
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80 https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/ Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Tim Jackson
Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this. -- Tim On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke wrote: > > https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-2

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Mel Beckman
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Dan Hollis
PayPal used to openly support token 2FA, but have since made it nearly impossible to use hardware tokens. They try very hard to ram SMS down everyone's throats. -Dan On Sun, 18 Apr 2021, Mel Beckman wrote: No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had ye

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mark Tinka
On 4/18/21 05:18, Mel Beckman wrote: No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mel Beckman
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scann

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread William Herrin
On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke wrote: > Anecdotal: With the prior consent of the DID holders, I have successfully > ported peoples' numbers using nothing more than a JPG scan of a signature > that looks like an illegible 150 dpi black and white blob, pasted in an image > editor on

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mel Beckman
Bill, SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you: https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html -mel On Apr 18, 2021, at 6:31 AM, William Herrin wrote: On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke wr

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread William Herrin
On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman wrote: > SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s > not just me who disagrees with you: > > https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html Mel, That Schneier article is from 2016. The 3/2020 upd

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mel Beckman
Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mel Beckman
Bill, You don’t even have to bother with social engineering, as Bruce Schneier points out in his blog from last month: https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html "It turns out that with a little bit of anonymous money — in this case, $16 off an anonymous prepaid cre

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mark Tinka
On 4/18/21 15:04, Mel Beckman wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 cha

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread William Herrin
On Sun, Apr 18, 2021 at 8:31 AM Mel Beckman wrote: > You don’t even have to bother with social engineering [...] > $16 off an anonymous prepaid credit card — and a few lies Mel, What do you think social engineering is? It's a couple well placed lies that convince someone to do the wrong thing.

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mel Beckman
Fine. And you think 2FA trivially susceptible to social engineering is OK. “Come on, man”, as Biden would say :) -mel > On Apr 18, 2021, at 11:29 AM, William Herrin wrote: > > On Sun, Apr 18, 2021 at 8:31 AM Mel Beckman wrote: >> You don’t even have to bother with social engineering [...]

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread John Adams
On top of this most TOTP and HOTP systems have additional security checks like blocking reuse of codes, rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far that make them much stronger options which decreases security but is certainly more of

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread William Herrin
On Sun, Apr 18, 2021 at 12:03 PM John Adams wrote: > On top of this most TOTP and HOTP systems have additional security checks like blocking reuse of codes, rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far that make them much stronger opt

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread John Adams
I’m sorry - I think we miscommunicated here. I was not advocating for TOTP or HOTP for SMS - in fact I’m completely against SMS being used for multi factor auth at all. -j Sent from my iPhone > On Apr 18, 2021, at 12:48, William Herrin wrote: > > > On Sun, Apr 18, 2021 at 12:03 PM John A

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Michael Thomas
I wonder how much of this is moot because the amount of actual SS7 is low and getting lower every day. Aren't most "SMS" messages these days just SIP MESSAGE transactions, or maybe they use XMPP? As I understand a lot of the cell carriers are using SIPoLTE directly to your phone. Mike On 4/18

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Eric Kuhnke
One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been *so many places* where there is just about zero chance of my T-Mobile SIM successfully roaming

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mark Tinka
On 4/19/21 05:05, Eric Kuhnke wrote: One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been /so many places/ where there is just about zero ch

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Julien Goodwin
On 19/4/21 2:36 pm, Mark Tinka wrote: > On 4/19/21 05:05, Eric Kuhnke wrote: [...] >> In the pre covid19 era when people were actually traveling places, >> imagine you've had reason to go somewhere weird and need access to a >> thing (such as your online banking, perhaps?) protected by SMS 2FA,

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-18 Thread Mark Tinka
On 4/19/21 06:50, Julien Goodwin wrote: This is already probably past the point of being on topic here, but you tickled my personal favorite one of these. My airline of choice (Qantas) has mandatory SMS second factor, after perhaps a mobile carrier requiring it for support one of the most fa

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Eric Kuhnke
I would start with cellular carriers and nations that intentionally take steps to block anything VoIP as a threat to their revenue model. Or because anything vpn/ipsec/whatever related is a threat to local Internet censorship laws. Plenty of places the sort of ipsec tunnel used for vowifi is not u

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mark Tinka
On 4/19/21 11:17, Eric Kuhnke wrote: I would start with cellular carriers and nations that intentionally take steps to block anything VoIP as a threat to their revenue model. Or because anything vpn/ipsec/whatever related is a threat to local Internet censorship laws. Plenty of places the

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Tom Beecher
> > As far as I know, authenticators on cell phone apps don’t require the > Internet. For example, the Google Authenticator mobile app doesn't require > any Internet or cellular connection > Lots of people still use feature phones that are not capable of running applications such as this. On Sun,

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mel Beckman
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk -mel On Apr 19, 2021, at 5:44 AM, Tom Beecher wrote: As far as I know, authenticators on cel

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mark Tinka
On 4/19/21 14:47, Mel Beckman wrote: Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk Most regular folk (especially those that may not have s

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Tom Beecher
HW tokens are great, sure. Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themse

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mark Tinka
On 4/19/21 15:07, Tom Beecher wrote: I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or p

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Nathaniel Ferguson
I'd add to that that people probably shouldn't treat phones as a significant increase in security, it's not really the out-of-band device that it used to be/was in the 1990s. Today, it basically equates to a second computer and the probability that the second computer is also compromised isn't over

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mel Beckman
Tom, Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spea

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Randy Bush
> I'd add to that that people probably shouldn't treat phones as a > significant increase in security, it's not really the out-of-band > device that it used to be/was in the 1990s. Today, it basically > equates to a second computer and the probability that the second > computer is also compromised

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Tom Beecher
> > These low-income people are not the targets of identity thieves, spear > phishers, or data ransomers. > This is patently false. Low-income / disabled / minority / non-English speakers are absolutely targets of scams like those, and in significant numbers. On Mon, Apr 19, 2021 at 9:33 AM Mel

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mel Beckman
Can you cite data? Or provide a rational argument other than “they are”? -mel via cell On Apr 19, 2021, at 7:01 AM, Tom Beecher wrote: These low-income people are not the targets of identity thieves, spear phishers, or data ransomers. This is patently false. Low-income / disabled / minority

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Tom Beecher
https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf https://www.bjs.gov/content/pub/pdf/vit18.pdf On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman wrote: > Can you cite data? Or provide a rational argument other than “they are

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mel Beckman
I don’t see any data showing that poor people are targets of account access attacks. Can you point out the specific data you think supports your claim? -mel via cell On Apr 19, 2021, at 7:33 AM, Tom Beecher wrote: https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-d

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Tom Beecher
> > Can you point out the specific data you think supports your claim? > I can, but I'm not going to, because that's not what this side discussion has been based on. You said : These low-income people are not the targets of identity thieves, spear > phishers, or data ransomers. I just showed yo

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread William Herrin
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka wrote: > It's all about convenience, and how much they can get > done without speaking to human. Hi Mark, Convenience is the most important factor in any security scheme. The user nearly always has a choice, even if the choice is as rough-grained as "sw

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread John Adams
The goal of U2F is one key fob that works on many services. Implementation is pretty simple and the hardware is inexpensive. Sent from my iPhone > On Apr 19, 2021, at 08:51, William Herrin wrote: > > On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka wrote: >> It's all about convenience, and how mu

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread John Levine
It appears that William Herrin said: >> If a key fob can be sent to them - preferably for free - that would help. > >Hint: carrying around a separate hardware fob for each important >Internet-based service is a non-starter. Users might do it for their >one or two most important services but yours

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mark Tinka
On 4/19/21 17:48, William Herrin wrote: Convenience is the most important factor in any security scheme. But often not at the top of the implementation priority list. Hint: carrying around a separate hardware fob for each important Internet-based service is a non-starter. Users might do

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread bzs
Can I make an old f*** comment on all this? We didn't design this network to be highly secure. It's general enough that security can be layered on at various places. But when you get down to it it was mostly designed to get information flowing easy, fast, and freely. Not to lock it down or pro

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mark Tinka
On 4/19/21 15:33, Mel Beckman wrote: Tom, Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people ar

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mark Tinka
On 4/19/21 16:10, Mel Beckman wrote: Can you cite data? Or provide a rational argument other than “they are”? https://www.businessinsider.co.za/whatsapp-scam-asking-for-money-after-number-port-2020-1 https://www.sowetanlive.co.za/news/south-africa/2020-01-06-beware-south-africans-are-fallin

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-19 Thread Mark Tinka
On 4/20/21 01:46, b...@theworld.com wrote: If they want to protect trillions of dollars in assets maybe they need to toss in a few billion to help, and stop hoping some bad press for the technical community will shame some geniuses into dreaming up better security for them mostly for free in

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-20 Thread Mike
An unfortunate fact is that many companies don't support anything other than sending a token via email, SMS, or sometimes a voice call. I've seen several large banks, insurers, etc. who do this. It's maddening when you sign up for access to something and are restricted to these options. On Mon, Ap

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-20 Thread Mel Beckman
Shop with your feet if security is weak. I changed banks because of SMS 2FA. -mel via cell On Apr 20, 2021, at 9:06 AM, Mike wrote: An unfortunate fact is that many companies don't support anything other than sending a token via email, SMS, or sometimes a voice call. I've seen several large

Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-20 Thread bzs
Something which binds them together are their insurance underwriters who generally want to set minimum requirements without having to review home-brewed security schemes. They want buzzwords and acronyms to put onto checklists. Others would be courts (e.g., when lawsuits arise) and government an