Old 05-30-2017, 01:46 AM   #21
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 3,519
Quote:
Originally Posted by Chuckanut View Post
One problem with getting a text message with your 'secret code' number as the 2nd factor is that the SMS messaging system is very insecure. If the bad guys know your phone number they can intercept your code.
From what I understand, they need to "clone" your SIM card. That's not as easy as knowing your phone number.
Is there another way?
walkinwood is online now   Reply With Quote

Old 05-30-2017, 02:13 AM   #22
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,126
Quote:
Originally Posted by Chuckanut View Post
One problem with getting a text message with your 'secret code' number as the 2nd factor is that the SMS messaging system is very insecure. If the bad guys know your phone number they can intercept your code.

Use of a random number generator such as Google's Authenticator is better. Or have the number sent to you via email if possible.
I think that if the bad guys know your username, password and are able to intercept your SMS messages then you are in bad shape. (Not seen any movies where the cops or intelligence services do this so it may be harder than just knowing your phone number.)

However, I much prefer receiving a code via email (such as used by the Treasury Dept to access bonds) or a random number generator because being out of the country can be a pain in the butt receiving SMS messages. (My ATT carrier allowed phone and text over wifi which was great while traveling.)
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Old 05-30-2017, 06:31 AM   #23
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 13,145
I try to use 2FA when available.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 05-30-2017, 09:20 AM   #24
Thinks s/he gets paid by the post
mpeirce's Avatar
 
Join Date: Feb 2012
Location: Northern Ohio
Posts: 3,182
Quote:
Originally Posted by walkinwood View Post
From what I understand, they need to "clone" your SIM card. That's not as easy as knowing your phone number.
Is there another way?
No need to clone a SIM card. There are known weaknesses in the phone system's SS7 -



So if you are using two factor authentication for enhanced security, DO NOT use an SMS message as one of the factors.

Frankly, skip the phone network completely if you really need privacy (most of us don't really). You have to assume governments have full access to all voice and text communication. And if governments have access, then bad guy hackers do too.
mpeirce is offline   Reply With Quote
Old 05-30-2017, 11:16 AM   #25
Thinks s/he gets paid by the post
Rustic23's Avatar
 
Join Date: Dec 2005
Location: Lake Livingston, Tx
Posts: 4,204
Not sure what I'm going to do with it, but I have an iPhone 4s. I reset it and logged it onto my Apple account. I put two apps on it, LastPass, and LastPass Authenticator. This phone has no service and after I downloaded the software, I turned off WiFi. The Authenticator still works! The numbers are in sync with the app on my iPhone 6s, and iPad for Google, Amazon, and LastPass. Apparently, the authenticator works without a data connection and works as a stand-alone Authenticator. While interesting, I don't think I will carry both phones. I am OK using the fingerprint reader for security, and this works with all my major 2FA accounts.
__________________
If it is after 5:00 when I post I reserve the right to disavow anything I posted.
Rustic23 is offline   Reply With Quote
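The post above observes that an authenticator app keeps producing the right numbers with no SIM and no WiFi. The reason is that time-based one-time passwords (TOTP, RFC 6238) are derived purely from a shared seed and the clock, so any device holding the seed computes the same code and no message ever has to be delivered to the phone. The code below is an added illustration written for this thread, not code from the forum or from any authenticator app; the seed, the Base32 provisioning string and the function names are the RFC 6238 reference values and hypothetical names chosen here.

```python
"""TOTP (RFC 6238) worked example: two devices sharing a seed derive the
same code from the clock alone, so an authenticator needs no network.
Added illustration for this thread; not code from any authenticator app.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference seed (ASCII) so the results are checkable.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is just the number of 30-second steps elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accepts one step of clock drift either way and
    compares in constant time so a wrong digit does not leak timing."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


def secret_from_provisioning(base32_seed: str) -> bytes:
    """Authenticator apps receive the seed Base32-encoded (in the QR code or
    the 'manual entry' key). Spaces and case are normalised and the '='
    padding restored, because apps and sites usually omit both."""
    s = base32_seed.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def offline_devices_agree(secret: bytes, unix_time: int) -> bool:
    """Models the observation above: a phone with no SIM and no WiFi and a
    second device both hold the seed, so both produce the same code."""
    old_phone_code = totp(secret, unix_time)   # no network involved
    new_phone_code = totp(secret, unix_time)
    return old_phone_code == new_phone_code


if __name__ == "__main__":
    # Base32 form of RFC_SEED, as it would appear in a provisioning QR code.
    seed = secret_from_provisioning("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("current code:", totp(seed, now))
    print("offline devices agree:", offline_devices_agree(seed, now))
```

The seed is the only thing that has to be protected: whoever holds it can mint codes forever, which is why a copy of the seed stored anywhere else (a password manager, a cloud backup) widens the attack surface, and why the server-side `verify_totp` should also refuse a code that has already been accepted within its window.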
Old 05-30-2017, 02:42 PM   #26
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,263
Why SMS messages are not a good form of 2nd Factor Authentication.


As one person pointed out SMS codes are not something you have, they are something that somebody has sent to you. As such they are subject to a man-in-the-middle attack since SMS is inherently not secure. Not so good.

Geeky stuff below:

https://www.grc.com/sn/sn-612.htm
Quote:
"Somehow," they write, "the masses have been led to believe" - yes, well, and we know how - "that phone numbers are inextricably bound to identities and therefore make good authentication tools." Of course we on the podcast, as we've been covering recently, know otherwise.

They say: "There's a reason that Kraken has never supported SMS-based authentication. The painful reality is that your telco operates at the security level"- and I got a kick out of this - "of a third-rate coat check clerk.

Here's an example..."

LEO: Where can you find a coat check clerk these days?

STEVE: Yeah. "Here's an example interaction.

Hacker: Can I have my jacket?
Telco: Sure, can I have your ticket?
Hacker: I lost it.
Telco: Well, do you remember the number?
Hacker: No, but it's that one right over there."
LEO: Oh, boy.
"Telco: Okay, cool. Here you go. Please rate us 10 out of 10 on the survey." Uh-huh. And I won't go on.
Quote:
But given a choice, you absolutely want time-based authentication, not an SMS message per instance. And if you can disable SMS in favor of anything else for account recovery, that would be good because remember that typically SMS is hopefully only an additional factor. Somebody first has to have your username and your password, and then also another second factor beyond knowing your password. The problem is it's often used for account recovery. I forgot my password. Oh, well, we'll send you a blurb to your phone number in order to recover it. Well, that's the huge Achilles heel in where we are today is account recovery.
__________________
Comparison is the thief of joy

The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 05-31-2017, 06:01 PM   #27
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 3,519
Thanks for the explanation of the SMS shortcomings.

The one account that I worry about is Vanguard and they only allow SMS 2nd factor authentication. I wish they would support google authenticator.
walkinwood is online now   Reply With Quote
Old 05-31-2017, 08:00 PM   #28
Thinks s/he gets paid by the post
Fedup's Avatar
 
Join Date: Mar 2014
Location: Southern Cal
Posts: 4,032
I wouldn't worry about Vanguard. They take forever to do a proper transfer so they will take the same for crooks.
Fedup is offline   Reply With Quote
Old 06-01-2017, 01:36 AM   #29
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,126
Quote:
Originally Posted by Fedup View Post
I wouldn't worry about Vanguard. They take forever to do a proper transfer so they will take the same for crooks.
Last year I switched banks, adding the new bank to Vanguard and days after I had validated it via the micro deposits it still was not available to transfer money to. When I called them they told me that there was more validation going on behind the scenes, and they wouldn't divulge exactly what additional checks they made to ensure that all was well.

Vanguard won't send texts to an overseas number so I have a US Skype number and receive a voice message with the validation code, which is only needed every 90 days to revalidate the device I use to log on.

I also would prefer that they use an authenticator such as Google or add an authenticator to their mobile app like HSBC.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Old 06-03-2017, 07:05 AM   #30
Recycles dryer sheets
AutumnElf's Avatar
 
Join Date: May 2017
Posts: 58
I don't think texting an authentication code to a phone is very secure. I like using Authy. I have it on my Android and my home PC. You need to remember a passcode number to open the app to get your code. If you lose your phone you can also get a code off your PC. I'm sure they must have Authy for the iOS environment.
AutumnElf is offline   Reply With Quote
Old 06-03-2017, 07:58 AM   #31
Recycles dryer sheets
 
Join Date: Jul 2016
Location: New Hampshire
Posts: 381
Quote:
Originally Posted by AutumnElf View Post
I don't think texting an authentication code to a phone is very secure.
You're right - it's not. Too many ways of subverting the "SS7" switching system used to direct calls and texts. It's a shame that the SSA and financial institutions are moving to text messages when security professionals are warning against it. They do it because it's cheap and accessible.
__________________
Steve
jonat is offline   Reply With Quote
Old 06-03-2017, 08:28 AM   #32
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by walkinwood View Post
Thanks for the explanation of the SMS shortcomings.

The one account that I worry about is Vanguard and they only allow SMS 2nd factor authentication. I wish they would support google authenticator.
I only have the 2FA set at Vanguard for when it is an unrecognized computer logging in.

Suppose a bad girl (not always a guy) wants to get into my account:
1) They have to know my login and password (PW is very strong).
2) They have to subvert the SMS.
3) They have to create a new transfer path to remove funds from my account and somehow get around the messages I will receive from Vanguard about this action.
4) They then have to wait for the days required to establish this new transfer path.
5) They have to sell something, again triggering messages to me. So they have to subvert this somehow.

Suppose they get the money after all of this. Vanguard would cover me because this is a hugely unlikely event and I have done all the good things to protect the account.

P.S. I just updated my Vanguard alerts setting to include text alerts as well as email. Yes, the bad guys could get into the alerts too but all this stuff has to be done together and is most unlikely.
Lsbcal is offline   Reply With Quote
Old 06-03-2017, 08:42 AM   #33
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by Alan View Post
...
Vanguard won't send texts to an overseas number so I have a US Skype number and receive a voice message with the validation code, which is only needed every 90 days to revalidate the device I use to log on.

...
We have T-Mobile and their Simple Choice plan includes travel in Europe. I think they use Vodafone over there. Vanguard would be sending the text to my USA phone number. So the SMS alerts should get to my phone. Does this sound right?
Lsbcal is offline   Reply With Quote
Old 06-03-2017, 09:59 AM   #34
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,126
Quote:
Originally Posted by Lsbcal View Post
We have T-Mobile and their Simple Choice plan includes travel in Europe. I think they use Vodafone over there. Vanguard would be sending the text to my USA phone number. So the SMS alerts should get to my phone. Does this sound right?
Yes, that sounds right and should work. I had AT&T with VOIP enabled so when connected via WiFi all calls were free. When traveling abroad I would always be sure to be on WiFi when making calls or logging onto the likes of Vanguard which may send a code via text message.

Now that we live permanently in England I have the US Skype number for about $39/year. Any calls to the Skype number first call on Skype then if I don't answer within 30 seconds it forwards onto my UK cell phone and the voice call costs 2.3c/minute if I answer on my regular phone line rather than Skype, otherwise the caller can leave a Skype voice message.

Whenever I am logging onto Vanguard I have my iPhone or iPad with me and when I click "Send code" I answer with Skype at no charge.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Old 06-06-2017, 12:22 PM   #35
Full time employment: Posting here.
 
Join Date: Apr 2006
Posts: 969
AT&T with VOIP - Different Kind of Warning

Quote:
Originally Posted by Alan View Post
...I had AT&T with VOIP enabled so when connected via WiFi all calls were free. When traveling abroad I would always be sure to be in Wifi when making calls or logging onto the likes of Vanguard which may send a code via text message.

....
I have this too and was very excited when they rolled it out. Unfortunately, my experience has been spotty receipt of both text messages and voice mail notifications via WiFi.

I generally turn off my cell signal and only use WiFi when travelling. My guess is that I get about 50% of my texts while travelling and 50% are delayed until I connect to a cell network in the USA. Very frustrating, especially when trying to access a financial website.

On a positive note: WiFi calling from overseas has worked flawlessly for me. So, I can call when my cards start being declined. (Yes, I do create the travel notifications; also very frustrating.)
__________________
If there's one thing in my life that's missing; It's the time I spend alone
Sailing on the cool and bright clear waters; There's lots of those friendly people
Showin me ways to go; And I never want to lose your inspiration
CoolChange is offline   Reply With Quote
Old 06-11-2017, 07:21 PM   #36
Thinks s/he gets paid by the post
BigMoneyJim's Avatar
 
Join Date: Feb 2003
Location: Nomadic in the Rockies
Posts: 2,720
I've enabled 2FA on a few accounts, especially email accounts to which I can send reset password requests.

I was spurred into action when I realized a common password of mine was brute-force guessed on a site I run. At first I thought it was some sort of hacking or vulnerability, but I determined it was a straight password guess. So that happened.

I'm using Google Authenticator for most, and my Microsoft account has its own 2FA app. I am slightly concerned about losing my phone where GA is installed, but each 2FA-secured account has the ability to generate 10 or 20 one-time use passwords, and I printed those out and keep them in a physical place only to cover the case of losing my phone's authenticators.

Unfortunately my financial accounts still (as of a couple of months ago) don't support 2FA. But they've always had more complex, unique passwords, so I can wait a bit longer I guess.

It's a pain in the ass, but I presume it beats the hell out of having an important account taken over.

Oh, I'm also starting to take more advantage of sites that let you sign up with your Google, Twitter, or Facebook account. The mechanism behind that is called "OAuth", and I'm pretty happy with it, and only the source account needs 2FA and a password. But then all those accounts are tied to another account which surely some years in the future will become a problem. But then these are usually accounts of lesser importance/impact-if-lost.
BigMoneyJim is offline   Reply With Quote
Old 06-12-2017, 04:52 AM   #37
Recycles dryer sheets
 
Join Date: Jul 2016
Location: New Hampshire
Posts: 381
If you are a LastPass user (I am), they have a LastPass Authenticator app compatible with Google/Microsoft Authenticator that has the option of saving the 2FA "seeds" into your encrypted LastPass vault. This way if you lose or replace your phone, you don't have to redo the 2FA setup. I'm not entirely comfortable with this, but it is an option.

I do use LastPass to generate random, strong and unique passwords for every site. LastPass itself offers 2FA through a number of different options.

I will point out the recent hack of OneLogin, an OAuth service used by many companies. While I have a few sites for which I use Google or Facebook for authentication, I generally choose to use a separate password.
__________________
Steve
jonat is offline   Reply With Quote
Old 06-12-2017, 07:04 AM   #38
Recycles dryer sheets
AutumnElf's Avatar
 
Join Date: May 2017
Posts: 58
Don't know if you saw my previous post, Jim, but Authy is a free service that, if you lose your phone, you can still access your codes on the PC. I have a Chrome browser extension for it. It's also very handy when sitting at the computer and need a code. No reason to go out and find your phone. And you can add your Microsoft account...no need for a second app.
AutumnElf is offline   Reply With Quote
Old 06-12-2017, 08:07 AM   #39
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,263
Quote:
Originally Posted by jonat View Post
If you are a LastPass user (I am), they have a LastPass Authenticator app compatible with Google/Microsoft Authenticator that has the option of saving the 2FA "seeds" into your encrypted LastPass vault. This way if you lose or replace your phone, you don't have to redo the 2FA setup. I'm not entirely comfortable with this, but it is an option.
Just this week I heard of a guy who lost a lot of money when the thieves bought a cell phone and managed to convince his provider to transfer his phone number to the thieves' new cell phone. Bingo! They now could get his 2FA SMS messages! Not so good.

I would not recommend the LastPass option to save the 2FA seed. While convenient it defeats the purpose of 2FA. 2FA should be its own independent way of authenticating your ID. Mixing it in with the password is not smart, IMHO.

Convenience and security are like two ends of a seesaw. Increase one and the other goes down.
__________________
Comparison is the thief of joy

The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 06-12-2017, 09:01 AM   #40
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
If I'm on my PC at home and logging on to financial sites, isn't that secure enough using Lastpass installed on the PC? Assuming I take care to keep my PC up to date and avoid visiting bogus sites, do I really need Lastpass Authenticator?

If my phone has a fingerprint reader, it would seem that 2FA is already used when employing Lastpass to get into a financial site app on the phone.
Lsbcal is offline   Reply With Quote