2 factor ID?

Why SMS messages are not a good form of 2nd Factor Authentication.


As one person pointed out, SMS codes are not something you have; they are something that somebody has sent to you. As such they are subject to a man-in-the-middle attack since SMS is inherently not secure. Not so good.

Geeky stuff below:

https://www.grc.com/sn/sn-612.htm
"Somehow," they write, "the masses have been led to believe" - yes, well, and we know how - "that phone numbers are inextricably bound to identities and therefore make good authentication tools." Of course we on the podcast, as we've been covering recently, know otherwise.

They say: "There's a reason that Kraken has never supported SMS-based authentication. The painful reality is that your telco operates at the security level"- and I got a kick out of this - "of a third-rate coat check clerk.

Here's an example..."

LEO: Where can you find a coat check clerk these days?

STEVE: Yeah. "Here's an example interaction.

Hacker: Can I have my jacket?
Telco: Sure, can I have your ticket?
Hacker: I lost it.
Telco: Well, do you remember the number?
Hacker: No, but it's that one right over there."
LEO: Oh, boy.
"Telco: Okay, cool. Here you go. Please rate us 10 out of 10 on the survey." Uh-huh. And I won't go on.
But given a choice, you absolutely want time-based authentication, not an SMS message per instance. And if you can disable SMS in favor of anything else for account recovery, that would be good because remember that typically SMS is hopefully only an additional factor. Somebody first has to have your username and your password, and then also another second factor beyond knowing your password. The problem is it's often used for account recovery. I forgot my password. Oh, well, we'll send you a blurb to your phone number in order to recover it. Well, that's the huge Achilles heel in where we are today is account recovery.
 
Thanks for the explanation of the SMS shortcomings.

The one account that I worry about is Vanguard and they only allow SMS 2nd factor authentication. I wish they would support google authenticator.
 
I wouldn't worry about Vanguard. They take forever to do a proper transfer so they will take the same for crooks.
 
I wouldn't worry about Vanguard. They take forever to do a proper transfer so they will take the same for crooks.
Last year I switched banks, adding the new bank to Vanguard and days after I had validated it via the micro deposits it still was not available to transfer money to. When I called them they told me that there was more validation going on behind the scenes, and they wouldn't divulge exactly what additional checks they made to ensure that all was well.

Vanguard won't send texts to an overseas number so I have a US Skype number and receive a voice message with the validation code, which is only needed every 90 days to revalidate the device I use to log on.

I also would prefer that they use an authenticator such as Google or add an authenticator to their mobile app like HSBC.
 
I don't think texting an authentication code to a phone is very secure. I like using Authy. I have it on my Android and my home PC. You need to remember a passcode number to open the app to get your code. If you lose your phone you can also get a code off your PC. I'm sure they must have Authy for the iOS environment.
 
I don't think texting an authentication code to a phone is very secure.

You're right - it's not. Too many ways of subverting the "SS7" switching system used to direct calls and texts. It's a shame that the SSA and financial institutions are moving to text messages when security professionals are warning against it. They do it because it's cheap and accessible.
 
Thanks for the explanation of the SMS shortcomings.

The one account that I worry about is Vanguard and they only allow SMS 2nd factor authentication. I wish they would support google authenticator.
I only have the 2FA set at Vanguard for when it is an unrecognized computer logging in.

Suppose a bad girl (not always a guy) wants to get into my account:
1) They have to know my login and password (PW is very strong).
2) They have to subvert the SMS.
3) They have to create a new transfer path to remove funds from my account and somehow get around the messages I will receive from Vanguard about this action.
4) They then have to wait for the days required to establish this new transfer path.
5) They have to sell something, again triggering messages to me. So they have to subvert this somehow.

Suppose they get the money after all of this. Vanguard would cover me because this is a hugely unlikely event and I have done all the good things to protect the account.

P.S. I just updated my Vanguard alerts setting to include text alerts as well as email. Yes, the bad guys could get into the alerts too but all this stuff has to be done together and is most unlikely.
 
...
Vanguard won't send texts to an overseas number so I have a US Skype number and receive a voice message with the validation code, which is only needed every 90 days to revalidate the device I use to log on.

...
We have T-Mobile and their Simple Choice plan includes travel in Europe. I think they use Vodafone over there. Vanguard would be sending the text to my USA phone number. So the SMS alerts should get to my phone. Does this sound right?
 
We have T-Mobile and their Simple Choice plan includes travel in Europe. I think they use Vodafone over there. Vanguard would be sending the text to my USA phone number. So the SMS alerts should get to my phone. Does this sound right?

Yes, that sounds right and should work. I had AT&T with VOIP enabled so when connected via WiFi all calls were free. When traveling abroad I would always be sure to be in WiFi when making calls or logging onto the likes of Vanguard which may send a code via text message.

Now that we live permanently in England I have the US Skype number for about $39/year. Any calls to the Skype number first call on Skype then if I don't answer within 30 seconds it forwards onto my UK cell phone and the voice call costs 2.3c/minute if I answer on my regular phone line rather than Skype, otherwise the caller can leave a Skype voice message.

Whenever I am logging onto Vanguard I have my iPhone or iPad with me and when I click "Send code" I answer with Skype at no charge.
 
AT&T with VOIP - Different Kind of Warning

...I had AT&T with VOIP enabled so when connected via WiFi all calls were free. When traveling abroad I would always be sure to be in Wifi when making calls or logging onto the likes of Vanguard which may send a code via text message.

....

I have this too and was very excited when they rolled it out. Unfortunately, my experience has been spotty receipt of both text messages and voice mail notifications via WiFi.

I generally turn off my cell signal and only use WiFi when travelling. My guess is that I get about 50% of my texts while travelling and 50% are delayed until I connect to a cell network in the USA. Very frustrating, especially when trying to access a financial website.

On a positive note: WiFi calling from overseas has worked flawlessly for me. So, I can call when my cards start being declined. (Yes, I do create the travel notifications; also very frustrating.)
 
I've enabled 2FA on a few accounts, especially email accounts to which I can send reset password requests.

I was spurred into action when I realized a common password of mine was brute-force guessed on a site I run. At first I thought it was some sort of hacking or vulnerability, but I determined it was a straight password guess. So that happened.

I'm using Google Authenticator for most, and my Microsoft account has its own 2FA app. I am slightly concerned about losing my phone where GA is installed, but each 2FA-secured account has the ability to generate 10 or 20 one-time use passwords, and I printed those out and keep them in a physical place only to cover the case of losing my phone's authenticators.

Unfortunately my financial accounts still (as of a couple of months ago) don't support 2FA. :( But they've always had more complex, unique passwords, so I can wait a bit longer I guess.

It's a pain in the ass, but I presume it beats the hell out of having an important account taken over.

Oh, I'm also starting to take more advantage of sites that let you sign up with your Google, Twitter, or Facebook account. The mechanism behind that is called "OAuth", and I'm pretty happy with it, and only the source account needs 2FA and a password. But then all those accounts are tied to another account which surely some years in the future will become a problem. But then these are usually accounts of lesser importance/impact-if-lost.
 
If you are a LastPass user (I am), they have a LastPass Authenticator app compatible with Google/Microsoft Authenticator that has the option of saving the 2FA "seeds" into your encrypted LastPass vault. This way if you lose or replace your phone, you don't have to redo the 2FA setup. I'm not entirely comfortable with this, but it is an option.

I do use LastPass to generate random, strong and unique passwords for every site. LastPass itself offers 2FA through a number of different options.

I will point out the recent hack of OneLogin, an OAuth service used by many companies. While I have a few sites for which I use Google or Facebook for authentication, I generally choose to use a separate password.
 
Don't know if you saw my previous post, Jim, but Authy is a free service that, if you lose your phone, you can still access your codes on the PC. I have a Chrome browser extension for it. It's also very handy when sitting at the computer and need a code. No reason to go out and find your phone. And you can add your Microsoft account...no need for a second app.
 
If you are a LastPass user (I am), they have a LastPass Authenticator app compatible with Google/Microsoft Authenticator that has the option of saving the 2FA "seeds" into your encrypted LastPass vault. This way if you lose or replace your phone, you don't have to redo the 2FA setup. I'm not entirely comfortable with this, but it is an option.

Just this week I heard of a guy who lost a lot of money when the thieves bought a cell phone and managed to convince his provider to transfer his phone number to the thieves' new cell phone. Bingo! They now could get his 2FA SMS messages! Not so good.

I would not recommend the LastPass option to save the 2FA seed. While convenient it defeats the purpose of 2FA. 2FA should be its own independent way of authenticating your ID. Mixing it in with the password is not smart, IMHO.

Convenience and security are like two ends of a seesaw. Increase one and the other goes down.
 
If I'm on my PC at home and logging on to financial sites, isn't that secure enough using Lastpass installed on the PC? Assuming I take care to keep my PC up to date and avoid visiting bogus sites, do I really need Lastpass Authenticator?

If my phone has a fingerprint reader, it would seem that 2FA is already used when employing Lastpass to get into a financial site app on the phone.
 
If I'm on my PC at home and logging on to financial sites, isn't that secure enough using Lastpass installed on the PC? Assuming I take care to keep my PC up to date and avoid visiting bogus sites, do I really need Lastpass Authenticator?

If my phone has a fingerprint reader, it would seem that 2FA is already used when employing Lastpass to get into a financial site app on the phone.

That all depends on how good your password is and how well the financial sites protect it.

Let's assume that bad guys somehow manage to get your password. Then, safely at home in Lower Slobovia, they sign into your account. How is LastPass or similar software on your computer at home going to protect you? They are not using your computer.

2FA is another way to help prove that you are you. If you have it setup to use an Authenticator, then the bad guys in Lower Slobovia are still stumped since they don't have access to your Authenticator.

We need tools like 2FA since the Internet, browsers, OS's, etc., were never designed with security as a high priority. They have a huge attack surface that is hard to secure. By security I mean a rock solid way of authenticating that you are who you say you are, and the site you are contacting is who it says it is.

I doubt if the first people who sent simple messages via the internet ever thought that zillions of dollars of transactions would be flying through it on a daily basis.
 
Are those Lower Slob guys still at it? ;)

I do have 2FA on our main financial site but not through Lastpass Authenticator. Basically the financial site checks the incoming computer ID.

I think banks like Chase will automatically catch logins from Lower Slobovia too. When I login to my account it is always through either my home PC or using Lastpass on my mobile with fingerprint ID to inject the login/password.

Any holes in this approach?
 
I use Duo Security on my phone as a second factor for LastPass, but it isn't an option for any of the other sites I use with 2FA. I also have a Yubikey.

2FA protects you in case your password is somehow discovered (leaked, cracked) by another party. Most sites with 2FA allow you to designate "trusted devices" (home PC, etc.) for which they won't ask for the second factor. Sites that send codes by text message are going against current security recommendations - sadly, this includes the SSA.

I mentioned the LastPass Authenticator backup feature for information - it isn't something I would choose to use. There are about a dozen sites I have authenticator codes for - I use Google Authenticator for these.
 
I don't think texting an authentication code to a phone is very secure. I like using Authy. I have it on my Android and my home PC. You need to remember a passcode number to open the app to get your code. If you lose your phone you can also get a code off your PC. I'm sure they must have Authy for the iOS environment.

Seems to me like Authy is about the only authentication app that takes into account what happens if you lose your phone or upgrade to a new phone.

I haven't used Authy (at least yet) as I have only used Google Authenticator (GA). But for just upgrading to a new phone, it looks like there is no backup option in GA like with Authy.

Luckily, I only had one place with GA so moving to Authy shouldn't be too bad.

 
Seems to me like Authy is about the only authentication app that takes into account what happens if you lose your phone or upgrade to a new phone.

Some people are concerned that since Authy stores information needed to create the authorization codes it may be less secure overall than Google Authenticator. I am not sure of this as overall security depends on many factors. But if that is a concern then you can turn off multi-device support when using Authy if you wish.

Authy is also available on your desktop or laptop computer. As far as I know Google Authenticator is only available on mobile devices.

Authy or Google Authenticator is far better than SMS, and if using Authy keeps a person using a more secure form of 2FA then all the better. SMS, as we now know, is not very secure - though better than no 2FA.

Like my old grand pappy used to say: Never let the perfect become the enemy of the good.

Note1: If you use Google Authenticator and wonder what happens when you get a new mobile device, the answer is simple if you do this from the start: Print out your QR codes and store them in a safe place. When you get a new device, scan the code. Crude, but no bad guy hacking in from Lower Slobovia will be able to get the codes.

Note2: I believe that Microsoft's authentication tool also remembers its authenticating settings and will pass them on to another device that is logged on to the same MS account.

Note3: Google lets you print out a number of one-time-use codes in the event that your Authenticator is not available. Again, print them and store the paper document in a safe place so Boris from Lower Slobovia won't be able to hack them.
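The printed one-time codes mentioned in Note3 above (and the 10 or 20 printed codes an earlier poster keeps on paper) only work as a safety net if the site treats each one as strictly single-use and never stores the plaintext. The following is an added example of how a site could issue and redeem such codes; it is not code from Google or any other service named in this thread, and the class name, code length and alphabet are my own choices.

```python
import hashlib
import hmac
import secrets
import string

# Constructed example of issuing and redeeming printable recovery codes.
# Only SHA-256 hashes are kept server-side; each code is accepted exactly once.
ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 10   # 36**10 is roughly 2**51 possibilities, so guessing is hopeless


def _normalize(code: str) -> str:
    """Strip spaces and dashes and lower-case so users can type codes loosely."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def _hash_code(code: str) -> str:
    # The codes themselves are high-entropy random strings, so an unsalted
    # hash is enough to make a stolen table useless for logging in.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


class BackupCodeStore:
    """Hypothetical server-side record of one user's unused recovery codes."""

    def __init__(self) -> None:
        self._unused = set()   # hashes of codes not yet redeemed

    def issue(self, count: int = 10) -> list[str]:
        """Generate a fresh batch, invalidating any earlier one.

        The plaintext is returned once so it can be printed; it is not kept.
        """
        codes = [
            "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)
        ]
        self._unused = {_hash_code(c) for c in codes}
        # Dash in the middle purely for readability on paper.
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, submitted: str) -> bool:
        """Accept the code only if it is still unused, then burn it."""
        candidate = _hash_code(submitted)
        match = None
        for stored in self._unused:
            # Constant-time compare per entry; the set of hashes is tiny.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)
        return True

    def remaining(self) -> int:
        """How many codes are left; a site should warn the user when this is low."""
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    sheet = store.issue(10)
    print("Print and keep these:", *sheet, sep="\n  ")
    print("first use ok:", store.redeem(sheet[0]))
    print("second use rejected:", store.redeem(sheet[0]))
    print("codes left:", store.remaining())
```

The two properties worth copying are that the plaintext leaves the server exactly once, at issue time, and that a successful redemption removes the hash before returning, so a replayed code fails even if the first login attempt was the attacker's.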
 
Seems to me like Authy is about the only authentication app that takes into account what happens if you lose your phone or upgrade to a new phone.

I haven't used Authy (at least yet) as I have only used Google Authenticator (GA). But for just upgrading to a new phone, it looks like there is no backup option in GA like with Authy.

Luckily, I only had one place with GA so moving to Authy shouldn't be too bad.
Regarding backup, on my Google 6P I just go to settings and type "backup" in the search field. That should get you to the relevant section for backup and reset.
 
Regarding backup, on my Google 6P I just go to settings and type "backup" in the search field. That should get you to the relevant section for backup and reset.

Thanks. I probably didn't mention it as clearly as I should have, but the backup I'm talking about is not backup of the phone but the authenticator tokens in case a phone dies or gets replaced by upgrade.

My understanding is Authy addresses these concerns by backing up to the cloud, but many (if not all) others do not.
 
Seems to me like Authy is about the only authentication app that takes into account what happens if you lose your phone or upgrade to a new phone.

....

Note1: If you use Google Authenticator and wonder what happens when you get a new mobile device, the answer is simple if you do this from the start: Print out your QR codes and store them in a safe place. When you get a new device, scan the code. Crude, but no bad guy hacking in from Lower Slobovia will be able to get the codes.

.....

To clarify.... So, if I installed Google Authenticator app on a new phone, then scanned with the new phone, should be good to go?

A manual work around of not able to move the tokens from the old phone?
 
Does anyone use both Mint and two-factor-authentication on, say, their Vanguard or banking sites? I can't see how that would work.
 
To clarify.... So, if I installed Google Authenticator app on a new phone, then scanned with the new phone, should be good to go?

A manual work around of not able to move the tokens from the old phone?

I did this with an iPhone and an old iPad:

I setup Google Authenticator to work on my iPhone in the normal way, but before the QR code was off the screen, I did a screen save and then printed out the QR code that had been on the screen.

I then installed GA on my old iPad and told it to add a new (for the iPad) logon site. When time came to scan the QR code I just aimed the camera at the QR code I had printed out. Bingo, GA works on my old iPad and generates the same six digit code as the iPhone does.
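The reason the iPhone and the old iPad in the post above produce the same six-digit code is that the enrolment QR code is just a text URI carrying the shared secret ("seed"); any app that scans it derives the same time-based code (the RFC 6238 TOTP scheme that Google Authenticator, Authy and the podcast's "time-based authentication" all refer to). The following is an added example, not code from Google Authenticator or any site in this thread; the 20-byte seed is the RFC 6238 test-vector secret, and the issuer and account names are made up. It also shows the server-side check with a small clock-drift window, which the thread does not discuss.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed 20-byte seed (the RFC 4226/6238 test-vector secret). A real
# enrolment uses a random secret chosen by the site, shown once as a QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (30 s steps)."""
    return hotp(secret, int(timestamp) // step, digits)


def otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """The text a site's enrolment QR code encodes: base32 seed, no '=' padding."""
    seed = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={seed}&issuer={issuer}"


def secret_from_uri(uri: str) -> bytes:
    """What an authenticator app does when it scans (or re-scans) the QR code."""
    parsed = urlparse(uri)
    seed = parse_qs(parsed.query)["secret"][0].upper()
    seed += "=" * (-len(seed) % 8)   # restore the base32 padding the QR omits
    return base64.b32decode(seed)


def verify_totp(secret: bytes, code: str, timestamp: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check accepting `window` steps of clock drift either way."""
    counter = int(timestamp) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def same_code_on_two_devices(uri: str, timestamp: int) -> bool:
    """Two apps that scanned the same QR hold the same seed, so their codes agree."""
    phone = secret_from_uri(uri)
    tablet = secret_from_uri(uri)
    return totp(phone, timestamp) == totp(tablet, timestamp)


if __name__ == "__main__":
    uri = otpauth_uri("ExampleBank", "alice@example.com", DEMO_SECRET)
    now = int(time.time())
    print("QR payload:", uri)
    print("phone and tablet agree:", same_code_on_two_devices(uri, now))
    print("current code:", totp(DEMO_SECRET, now))
```

Because the seed is the whole secret, a printed QR code (or a screenshot of it) is equivalent to the authenticator itself: whoever holds it can generate valid codes forever, which is why the thread's advice to keep the printout somewhere physically safe matters, and why a site should let you re-enrol (rotate the seed) if that paper is ever lost.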
 