
Path: ...!news-vm.kithrup.com!news.misty.com!weretis.net!feeder6.news.weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: "Carlos E.R." <robin_listas@es.invalid>
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: Tue, 12 Mar 2024 22:38:06 +0100
Lines: 148
Message-ID: <uiu6ckxaub.ln2@Telcontar.valinor>
References: <ush35k$2791b$1@dont-email.me> <usid1f$2fqif$1@dont-email.me>
 <su6vbkx86o.ln2@Telcontar.valinor> <usj60d$2odtf$1@dont-email.me>
 <eaovbkx207.ln2@Telcontar.valinor> <uskdq1$30533$1@dont-email.me>
 <ehs1ckx25o.ln2@Telcontar.valinor> <uslrfo$3d85i$1@dont-email.me>
 <slrnuuufkq.2dnu.trepidation@vps.jonz.net> <uso5sl$3t2g9$1@dont-email.me>
 <usogor$2qg7$1@dont-email.me> <uspj7v$9u60$1@dont-email.me>
 <dh16ckxstg.ln2@Telcontar.valinor> <1xkfdi6umcwrp.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net fEb4Nm0qfDo2LrWaTSCzXgTVl1eeJnoNEO99NlofhVTxt3RY2J
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:5kE4SwJ36RldYDgkgDNfmiFFqKE= sha256:hnvg20OUt/bUwTGZR/XZ+pdqzNZoB3+u0aQQ4oUiIik=
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To: <1xkfdi6umcwrp.dlg@v.nguard.lh>
Bytes: 8765

On 2024-03-12 21:21, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> On 2024-03-12 13:53, Newyana2 wrote:
>>> "AJL" <noemail@none.org> wrote
>>
>> ...
>>
>>>
>>>      As Carlos put it, people addicted to cellphones
>>> would like to believe that everyone else "does not matter".
>>> They not only want cellphone options, they want cellphone
>>> interaction to be enforced as the only option. They
>>> want to live in Cellphone World.
>>
>> Addicted? No, simply banks are using a device that everybody has,
>> instead of making their clients buy an extra hardware device, not cheap,
>> for needed extra security. You do have other options if you insist.
> 
> Personally I would prefer if the trend were toward using USB security
> sticks instead of SMS and e-mail.  One problem there might be: having to
> use a computer that has no USB ports, or they've been disabled.  Another
> problem is no one is going to attach the USB stick to a cord attached to
> their body: when they leave the computer, the USB stick must go with
> them.  Instead the sticks are left plugged into a USB port, so anyone
> with physical access to the computer can login using the stick just like
> the owner can.  The problem of physical access also applies to phones.

There are safer methods than the mobile phone, but their rationale is 
"you already have a phone, so implementing this is very cheap".

Of course, a percentage don't have a phone, but those are not their 
target clients, and probably they will provide some other means.


> 
> As for cost, if every computer could use a Yubi security key, the $25
> would be worth the freedom of relying on a phone.  Weren't some
> Europeans charged and fined for pretending to be someone else's phone
> through SIM card swap they foisted on the carrier?

SIM swap attack is a thing, yes. They can thus receive verification 
SMSs, but probably not banking app messages.

> 
> What Is a SIM Swap Attack and How Can You Prevent It?
> https://www.avast.com/c-sim-swap-scam
> 
> When getting an SMS text, there is no verification that the receiving
> phone's IMEI is the one to where the text was intended to drop.  If the
> IMEI were involved, you'd have to re-register with whomever is sending
> 2FA codes via texts to give them yet another piece of valuable info: the
> IMEI of your phone.  When you change or add phones, you have to update
> all your accounts to give them another IMEI.  But SMS doesn't link to
> IMEI, so SMS is neither secured during transmission nor guarantees
> which phone the SMS targets.
> 
> Maybe if all computers had biometric input (camera for eyes and sensor
> for fingers and mic for voice) then the verification really would be to
> a person, not the expectation of a device or service to which that
> person -- or someone else -- has access.  Phones and laptops have those
> bio devices (well, maybe not all have finger sensors), but only a
> fraction of desktops have even 2 of them.  I don't have a camera on my
> desktop.  I don't do video chats.  I have a mic only when I plug in my
> headset.  I'd have to buy a fingerprint sensor.  Bio verification isn't
> going to happen on desktops until those devices are built in by default
> whether pre-builts or own builts, not appended on.

Most recent laptops have fingerprint sensors and cameras. But I don't 
have software that uses the former (nor the latter, for purposes of ID).


> 
> When sent a 2FA code, how long before you have to use it?  Typically the
> expiration is 5 to 15 minutes.  Pretty long time, but they have to
> account for delay in SMS transport, and time for users to enter the 2FA
> code.  Some phone users are handicapped, so they don't quickly enter
> anything.  Do the 2FA codes automatically and immediately expire upon
> use, or are they still valid for the original time allowed for
> expiration?

They expire on use. I.e., they are single use.


>  I hope that the site enforces automatic expiration on use,
> but I haven't verified this is the case.  Anyway, the long expiration
> time to wait for use of the 2FA code means a larger window of
> opportunity for interception.  SMS and e-mail are not secure
> communication venues.  That's why I'm thinking TOTP would be a better
> choice; however, doesn't seem that every site wanting to use 2FA
> supports TOTP, and it seems you must have the particular TOTP
> authenticator that they expect you to use which, to me, hints the
> communication protocol is not yet standardized to allow use of *any*
> TOTP authenticator.  One site uses Authy, another uses Symantec VIP, and
> another requires something else.

Yeah, but for many purposes SMS is good enough. It doesn't have to be 
failsafe, but only to block a high enough percent of the "attacks".


> 
> Does everyone that gets a new phone, or just a new SIM card, always get
> a new phone number, and keep that one?

Depends.

I have had the same mobile phone number since around 1999. Other people 
change(d) it frequently, because they use offerings by various providers.

Mine was first a pay as you go prepaid card, at some point upgraded to 
contract, and at some point migrated to another company (for free).

Then, when I travel to Canada I get a local number that is valid only 
for a month.

>  I use Google Voice which calls
> all my phones, so it doesn't matter which phones I have at the time or
> what are their phone numbers.  All of them (that I've added to my GV
> account) get called using simultaneous ring.  I even have an Obitalk
> added to my GV account, so I get calls on my home phones (VOIP converted
> to POTS in my home wiring).  However, if I had only 1 phone, I'd try to
> port my old phone number to the new phone, if allowed (which costs money
> to do the port).  I wouldn't have to change my old phone number in every
> account where it is recorded, and to where SMS texts would get sent.
> With e-mail alerts (GV sends a copy of a text to my e-mail), it doesn't
> matter which smartphone I use.  If a site is going to use 2FA when you
> try to update your account to reflect your new phone number, you're
> screwed if you don't have the old phone to get the text.  If you have to
> talk to tech support, figure on wasting an hour and half on a call, and
> the info you give them is the same info the hackers use in a SIM swap.
> 
> With the average ownership of smartphones only around 2 years, seems it
> would be a repetitive nuisance to update phone numbers in all accounts
> for all those consumers that just must update.  With a security key,
> wouldn't matter where you got the text, but who wants to keep plugging a
> stick into the phone's USB port, or leave the stick dangling out the
> port?  Even if IMEI were linked to SMS (to the sender, not to the
> carrier who doesn't give a fart about the content and is not involved in
> securing a login), a change of phone means a different IMEI.  You can go
> to TOTP *if* the other party supports using it, but then you have to get
> your tokens to the new phone.  Authy does that with its cloud sync, but
> not other authenticators.  Transferring tokens with other authenticators
> is a bitch, but then often the intent is to make users think that more
> effort means more security.

-- 
Cheers, Carlos.
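As an added example, not part of the thread above: the two properties of a texted code that the exchange turns on (a bounded validity window of a few minutes, and single use so that a code cannot be replayed after it has been accepted), written out as the server-side verifier, together with an RFC 4226/6238 HOTP/TOTP generator. The generator is included because TOTP is a published standard: any conforming authenticator app computes the same code from the same shared secret and clock, which the RFC's own test vectors (secret "12345678901234567890", SHA-1, 8 digits) confirm. The names OtpStore, issue, verify, hotp and totp, the 300-second TTL and the injectable clock are this example's own assumptions, not anything from the posts.

```python
"""Added example (not from the Usenet thread): a one-time-code verifier
with expiry and single use, plus RFC 4226 HOTP / RFC 6238 TOTP.
Class and function names are this example's own assumptions."""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' (4 bytes at the offset given by the low nibble
    of the last MAC byte, top bit cleared) reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Every standards-conforming authenticator app produces this value."""
    return hotp(secret, unix_time // step, digits, algo)


class OtpStore:
    """Server side of an SMS/e-mail code: issue it, then accept it at most
    once within ttl_seconds. The clock is injectable so expiry can be
    tested without sleeping (assumed design, not from the thread)."""

    def __init__(self, ttl_seconds: int = 300, digits: int = 6, clock=time.time):
        self.ttl = ttl_seconds
        self.digits = digits
        self.clock = clock
        self._pending = {}  # user -> (code, expires_at); absent once consumed

    def issue(self, user: str) -> str:
        # CSPRNG digits; a fresh issue replaces any outstanding code.
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._pending[user] = (code, self.clock() + self.ttl)
        return code  # this is what would be handed to the SMS gateway

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False  # nothing outstanding, or already used (replay)
        code, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[user]  # expired: discard, force a re-issue
            return False
        ok = hmac.compare_digest(code, submitted)  # constant-time compare
        if ok:
            del self._pending[user]  # single use: consumed on first success
        return ok


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: "12345678901234567890", T=59, SHA-1, 8 digits
    print(totp(b"12345678901234567890", 59, digits=8))  # 94287082
    store = OtpStore()
    code = store.issue("alice")
    print(store.verify("alice", code), store.verify("alice", code))  # True False
```

A wrong guess does not consume the pending code (the user keeps their one valid attempt), but a deployment would also cap the number of guesses per issued code, since a 6-digit code with a 5-minute window is otherwise brute-forceable at gateway speeds; that limit is left out here to keep the example to the two properties under discussion.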