Path: ...!news-vm.kithrup.com!news.misty.com!weretis.net!feeder6.news.weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: "Carlos E.R." <robin_listas@es.invalid>
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: Tue, 12 Mar 2024 22:38:06 +0100
Lines: 148
Message-ID: <uiu6ckxaub.ln2@Telcontar.valinor>
References: <ush35k$2791b$1@dont-email.me> <usid1f$2fqif$1@dont-email.me> <su6vbkx86o.ln2@Telcontar.valinor> <usj60d$2odtf$1@dont-email.me> <eaovbkx207.ln2@Telcontar.valinor> <uskdq1$30533$1@dont-email.me> <ehs1ckx25o.ln2@Telcontar.valinor> <uslrfo$3d85i$1@dont-email.me> <slrnuuufkq.2dnu.trepidation@vps.jonz.net> <uso5sl$3t2g9$1@dont-email.me> <usogor$2qg7$1@dont-email.me> <uspj7v$9u60$1@dont-email.me> <dh16ckxstg.ln2@Telcontar.valinor> <1xkfdi6umcwrp.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net fEb4Nm0qfDo2LrWaTSCzXgTVl1eeJnoNEO99NlofhVTxt3RY2J
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:5kE4SwJ36RldYDgkgDNfmiFFqKE= sha256:hnvg20OUt/bUwTGZR/XZ+pdqzNZoB3+u0aQQ4oUiIik=
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To: <1xkfdi6umcwrp.dlg@v.nguard.lh>
Bytes: 8765

On 2024-03-12 21:21, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> On 2024-03-12 13:53, Newyana2 wrote:
>>> "AJL" <noemail@none.org> wrote
>>
>> ...
>>
>>>
>>> As Carlos put it, people addicted to cellphones
>>> would like to believe that everyone else "does not matter".
>>> They not only want cellphone options, they want cellphone
>>> interaction to be enforced as the only option. They
>>> want to live in Cellphone World.
>>
>> Addicted? No, simply banks are using a device that everybody has,
>> instead of making their clients buy an extra hardware device, not cheap,
>> for needed extra security. You do have other options if you insist.
>
> Personally I would prefer if the trend were toward using USB security
> sticks instead of SMS and e-mail. One problem there might be: having to
> use a computer that has no USB ports, or they've been disabled. Another
> problem is no one is going to attach the USB stick to a cord attached to
> their body: when they leave the computer, the USB stick must go with
> them. Instead the sticks are left plugged into a USB port, so anyone
> with physical access to the computer can login using the stick just like
> the owner can.

The problem of physical access also applies to phones.

There are safer methods than the mobile phone, but their rationale is
"you already have a phone, so implementing this is very cheap". Of
course, a percentage doesn't have a phone, but those are not their
objective client, and probably they will provide some other means.

> As for cost, if every computer could use a Yubi security key, the $25
> would be worth the freedom of relying on a phone. Weren't some
> Europeans charged and fined for pretending to be someone else's phone
> through SIM card swap they foisted on the carrier?

SIM swap attack is a thing, yes. They can thus receive verification
SMSs, but probably not banking app messages.

> What Is a SIM Swap Attack and How Can You Prevent It?
> https://www.avast.com/c-sim-swap-scam
>
> When getting an SMS text, there is no verification that the receiving
> phone's IMEI is the one to where the text was intended to drop. If the
> IMEI were involved, you'd have to re-register with whomever is sending
> 2FA codes via texts to give them yet another piece of valuable info: the
> IMEI of your phone. When you change or add phones, you have to update
> all your accounts to give them another IMEI. But SMS doesn't link to
> IMEI, so SMS is not secured during transmission, nor does it
> guarantee which phone the SMS targets.
>
> Maybe if all computers had biometric input (camera for eyes and sensor
> for fingers and mic for voice) then the verification really would be to
> a person, not the expectation of a device or service to which that
> person -- or someone else -- has access. Phones and laptops have those
> bio devices (well, maybe not all have finger sensors), but only a
> fraction of desktops have even 2 of them. I don't have a camera on my
> desktop. I don't do video chats. I have a mic only when I plug in my
> headset. I'd have to buy a fingerprint sensor. Bio verification isn't
> going to happen on desktops until those devices are built in by default
> whether pre-builts or own builts, not appended on.

Most recent laptops have fingerprint sensors and cameras. But I don't
have software that uses the former (nor the latter, for purposes of ID).

> When sent a 2FA code, how long before you have to use it? Typically the
> expiration is 5 to 15 minutes. Pretty long time, but they have to
> account for delay in SMS transport, and time for users to enter the 2FA
> code. Some phone users are handicapped, so they don't quickly enter
> anything. Do the 2FA codes automatically and immediately expire upon
> use, or are they still valid for the original time allowed for
> expiration?

They expire on use. I.e., they are single use.

> I hope that the site enforces automatic expiration on use,
> but I haven't verified this is the case. Anyway, the long expiration
> time to wait for use of the 2FA code means a larger window of
> opportunity for interception. SMS and e-mail are not secure
> communication venues. That's why I'm thinking TOTP would be a better
> choice; however, doesn't seem that every site wanting to use 2FA
> supports TOTP, and it seems you must have the particular TOTP
> authenticator that they expect you to use which, to me, hints the
> communication protocol is not yet standardized to allow use of *any*
> TOTP authenticator. One site uses Authy, another uses Symantec VIP, and
> another requires something else.

Yeah, but for many purposes SMS is good enough. It doesn't have to be
failsafe, but only to block a high enough percentage of the "attacks".

> Does everyone that gets a new phone, or just a new SIM card, always get
> a new phone number, and keep that one?

Depends.

I have had the same mobile phone number since around 1999. Other people
change(d) it frequently, because they use offerings by various
providers. Mine was first a pay as you go prepaid card, at some point
upgraded to contract, and at some point migrated to another company
(for free).

Then, when I travel to Canada I get a local number that is valid only
for a month.

> I use Google Voice which calls
> all my phones, so it doesn't matter which phones I have at the time or
> what are their phone numbers. All of them (that I've added to my GV
> account) get called using simultaneous ring. I even have an Obitalk
> added to my GV account, so I get calls on my home phones (VOIP converted
> to POTS in my home wiring). However, if I had only 1 phone, I'd try to
> port my old phone number to the new phone, if allowed (which costs money
> to do the port). I wouldn't have to change my old phone number in every
> account where it is recorded, and to where SMS texts would get sent.
> With e-mail alerts (GV sends a copy of a text to my e-mail), it doesn't
> matter which smartphone I use. If a site is going to use 2FA when you
> try to update your account to reflect your new phone number, you're
> screwed if you don't have the old phone to get the text. If you have to
> talk to tech support, figure on wasting an hour and a half on a call, and
> the info you give them is the same info the hackers use in a SIM swap.
>
> With the average ownership of smartphones only around 2 years, seems it
> would be a repetitive nuisance to update phone numbers in all accounts
> for all those consumers that just must update. With a security key,
> wouldn't matter where you got the text, but who wants to keep plugging a
> stick into the phone's USB port, or leave the stick dangling out the
> port? Even if IMEI were linked to SMS (to the sender, not to the
> carrier who doesn't give a fart about the content and is not involved in
> securing a login), a change of phone means a different IMEI. You can go
> to TOTP *if* the other party supports using it, but then you have to get
> your tokens to the new phone. Authy does that with its cloud sync, but
> not other authenticators. Transferring tokens with other authenticators
> is a bitch, but then often the intent is to make users think that more
> effort means more security.

--
Cheers,
  Carlos.
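Two server-side mechanics come up in the exchange above: a texted code has to stop working the moment it is redeemed (and after its 5 to 15 minute window), and a TOTP code is derived from a shared secret plus the clock rather than delivered over a channel at all. The following is an added example, not code from this thread nor from any authenticator product named in it. It implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 (the algorithm the common authenticator apps share) and a small in-memory store for texted codes. The names `hotp`, `totp`, `TotpVerifier` and `OneTimeCodeStore` are the example's own; the secret `12345678901234567890` is the RFC 6238 reference secret, used so the output can be checked against the RFC's published test vectors.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (30 s steps)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side TOTP check. Tolerates a little clock skew, but never accepts
    a code twice: the highest counter already redeemed is remembered, so a
    replayed code (or an older, still-in-window code) is refused."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew_steps
        self.last_counter = -1  # highest time-step counter accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already used, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


class OneTimeCodeStore:
    """Server side of a texted/e-mailed code: random, time-limited, consumed on
    first successful use, and discarded after too many wrong guesses."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5):
        self.ttl, self.max_attempts = ttl_seconds, max_attempts
        self.pending = {}  # user -> [code, issued_at, failed_attempts]

    def issue(self, user: str, unix_time: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"  # the value that would be texted
        self.pending[user] = [code, unix_time, 0]
        return code

    def redeem(self, user: str, code: str, unix_time: int) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False  # never issued, already used, or already discarded
        stored, issued_at, failed = entry
        if unix_time - issued_at > self.ttl:
            del self.pending[user]  # expired: drop it so it cannot be retried
            return False
        if not hmac.compare_digest(stored, code):
            entry[2] = failed + 1
            if entry[2] >= self.max_attempts:
                del self.pending[user]  # too many guesses: force a fresh code
            return False
        del self.pending[user]  # consumed on use: a second redeem fails
        return True


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))  # RFC 6238 vector: 94287082
    v = TotpVerifier(secret, digits=8)
    code = totp(secret, 1111111111, digits=8)
    print(v.verify(code, 1111111111), v.verify(code, 1111111111))  # True False
    store = OneTimeCodeStore(ttl_seconds=300)
    c = store.issue("alice", 1000)
    print(store.redeem("alice", c, 1100), store.redeem("alice", c, 1100))  # True False
```

The verifier's `last_counter` is what makes a TOTP code single-use in practice: a 30-second step plus one step of skew means a captured code could otherwise be replayed for up to about a minute. The store mirrors the "expire on use" behaviour discussed above for texted codes, and the attempt cap is the part a site that only enforces the timeout tends to forget, since a six-digit code with a 15-minute window is otherwise guessable.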