Malicious SS7 activity and why SMS should never by used for 2FA
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c4136... https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now... Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this. -- Tim On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c4136...
https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now...
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc. -mel via cell On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim@gmail.com> wrote: Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this. -- Tim On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke@gmail.com<mailto:eric.kuhnke@gmail.com>> wrote: https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c4136... https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now... Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
paypal used to openly support token 2fa, but have since made it nearly impossible to use hardware tokens. they try very hard to ram sms down everyones throats. -Dan On Sun, 18 Apr 2021, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
-mel via cell
On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim@gmail.com> wrote:
Every SMS 2FA should check the current carrier against the carrier when enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few others do this.
-- Tim
On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuhnke@gmail.com<mailto:eric.kuhnke@gmail.com>> wrote: https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c4136...
https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now...
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
I'd add to that that people probably shouldn't treat phones as a significant increase in security, it's not really the out-of-band device that it used to be/was in the 1990s. Today, it basically equates to a second computer and the probability that the second computer is also compromised isn't overly unrealistic.
by the same attacker? raises the bar a bit. it's just a second factor, not a guarantee. i am a fan of the google token and don't like having to carry a different hw token for everyone who wants to hw 2fa me. but i think $ubject is correct. sms 2fa is roadkill. randy --- randy@psg.com `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com` signatures are back, thanks to dmarc header butchery
Can I make an old f*** comment on all this? We didn't design this network to be highly secure. It's general enough that security can be layered on at various places. But when you get down to it it was mostly designed to get information flowing easy, fast, and freely. Not to lock it down or provide strong accountability, authorization, and authentication. Look at RFCs prior to about 1990, security's hardly considered beyond an occasional login/password scheme or MITM packet injection. It was designed to be very cheap to implement and deploy at least in part because it was designed and implemented on frugal academic budgets. And to share those implementations or roll your own because the specs (RFCs etc) were published free. Then people, corporations by and large, came along and realized they could use the net to make many zillions of dollars if only it were secure. IF...ONLY! Did anyone promise them that? And no one ever really figured out how to make it secure beyond some superficial attempts like adopting login/passwords, wire encryption (SSL etc.), 2FA, MITM avoidance, etc. none of which were really part of some well thought out, engineered scheme. Just some new doo-dad to toss on hoping that maybe this will be good enough. It wasn't. Now, when their sites are compromised, when they lose gazillions of dollars to ransomware, when 100M records walk out the door, whatever, they put on the big sad face and imply they were let down and *they*, someone else, some gearheads, need to try harder. They're terribly, terribly disappointed. What a great con job, try to shame someone else into solving your problems for you basically for free. If they want to protect trillions of dollars in assets maybe they need to toss in a few billion to help, and stop hoping some bad press for the technical community will shame some geniuses into dreaming up better security for them mostly for free in terms of research and specs and acceptance but that's the hard part. You know what the net did successfully produce, over and over? Some of the wealthiest individuals and corporations etc in the history of civilization. Maybe the profit margins were a little too high and now we're paying the price, or someone is. It's like my aged, now gone, adviser who'd worked in software going back to the 50s said about the Y2K problem at that time: It's not that we couldn't anticipate Y2K problems. It's that we never dreamed the cheap bastards would still be running the same exact software without any updates or review for forty years! -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 4/20/21 01:46, bzs@theworld.com wrote:
If they want to protect trillions of dollars in assets maybe they need to toss in a few billion to help, and stop hoping some bad press for the technical community will shame some geniuses into dreaming up better security for them mostly for free in terms of research and specs and acceptance but that's the hard part.
You know what the net did successfully produce, over and over? Some of the wealthiest individuals and corporations etc in the history of civilization. Maybe the profit margins were a little too high and now we're paying the price, or someone is.
For the most part, services that (want to) rely on security are providing their own security solutions. But they are bespoke, and each one is designing and pushing out their own solution in their own silo. So users have to contend with a multitude of security ideas that each of the services they consume come up with. Standardization, here, would go a long way in fixing much of this, but what's the incentive for them to all work together, when "better security" is one of their selling points? If, "magically", the Internet community came up with a solution that one felt is fairly standard, we've seen how well that would be adopted, a la DNSSEC, DANE and RPKI. At the very least, the discussions need to be had; but not as separate streams. Internet folk. Mobile folk. Telco folk. Service folk. Mark.
Something which binds them together are their insurance underwriters who generally want to set minimum requirements without having to review home-brewed security schemes. They want buzzwords and acronyms to put onto checklists. Others would be courts (e.g., when lawsuits arise) and government and other contractors who, similarly, don't want to have to evaluate beyond checklists of accepted industry practices. And a major value of standardized practices is precisely so they don't become competitive advantages particularly by their omission. It's one reason, for example, car manufacturers are ok with something like requiring seat belts or air bags, or in many industries environmental regs, precisely so a competitor can't lower their costs (and likely prices) by omitting them. Everyone has to have them and up to some standard, compete on something else. Perhaps if we began referring to a lot of this as "safety" rather than "security" that would sink in. On April 20, 2021 at 06:59 mark@tinka.africa (Mark Tinka) wrote:
On 4/20/21 01:46, bzs@theworld.com wrote:
If they want to protect trillions of dollars in assets maybe they need to toss in a few billion to help, and stop hoping some bad press for the technical community will shame some geniuses into dreaming up better security for them mostly for free in terms of research and specs and acceptance but that's the hard part.
You know what the net did successfully produce, over and over? Some of the wealthiest individuals and corporations etc in the history of civilization. Maybe the profit margins were a little too high and now we're paying the price, or someone is.
For the most part, services that (want to) rely on security are providing their own security solutions. But they are bespoke, and each one is designing and pushing out their own solution in their own silo. So users have to contend with a multitude of security ideas that each of the services they consume come up with. Standardization, here, would go a long way in fixing much of this, but what's the incentive for them to all work together, when "better security" is one of their selling points?
If, "magically", the Internet community came up with a solution that one felt is fairly standard, we've seen how well that would be adopted, a la DNSSEC, DANE and RPKI.
At the very least, the discussions need to be had; but not as separate streams. Internet folk. Mobile folk. Telco folk. Service folk.
Mark.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate. I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's. We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access". Mark.
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do. There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization. -mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
On 4/18/21 15:04, Mel Beckman wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
It's quite likely that most institutions (especially financial ones) will prefer to use their own homegrown app-based authenticators. But again, those require a smartphone, which is still not the most basic pathway. The good news - I just ran a test to log on to my banking profile from my laptop. I disconnected my phone from the world (Airplane mode) and while the app complained about not having Internet access, it was still able to generate a log-on, transaction or re-authentication code. So that helps. But that's just one of them... the other banks I use either don't have apps that replace physical authenticators, or require an Internet connection for 2FA. Thankfully, none of them require SMS to authenticate. Nearly all the banks use SMS to either confirm a transaction has taken place, or to deliver an OTP to complete a transaction (but don't use SMS to do the initial or follow-up authentication). Some of them are sending secure messages to confirm (and notify about) transactions within their apps, in lieu of SMS. Mark.
On top of this most TOTP and HOTP systems have additional security checks like blocking reuse of codes, rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far that make them much stronger options which decreases security but is certainly more of a convenience factor. -john On Sun, Apr 18, 2021 at 6:06 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
-mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
On top of this most TOTP and HOTP systems have additional security checks
On Sun, Apr 18, 2021 at 12:03 PM John Adams <jna@retina.net> wrote: like blocking reuse of codes, rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far that make them much stronger options which decreases security but is certainly more of a convenience factor. Hi John, On a site, the symmetric key used to generate the TOTP code is stored in the same database as the user's password. Unencrypted or with readily reversible encryption since unlike a password it can't be verified by comparing ciphertext. Your protection is that every site uses a different TOTP key, just like you're supposed to use a different password, so compromise of a single site doesn't broadly compromise you elsewhere. It can also be captured with malware on your phone, the same place an adversary will sniff your password, which -will- broadly compromise you if you're also entering the passwords on your phone. None of these authentication schemes are magic. They all have attack vectors with varying degrees of difficulty, none of which are particularly harder than breaking a well chosen password. 2FA doesn't solve this. All it does is require an adversary to break -two- completely different authentication schemes in close enough proximity that you won't have closed the first breach before they gain the second. That's it. That's all it does. While attacks on SMS are certainly practical, stop and think for a moment on how you would scale them up and break 10000 accounts per day. Got a plan where you're not caught in the first two days? No, you don't. SMS is not a strong authentication factor. When used well, it's not intended to be. It's meant to require an adversary to do enough extra work after having already captured your password that unless they're specifically targeting you, the odds favor discovering and correcting the original breach before much harm can be done. For that use and that use only, it performs about as well as TOTP. If you can reset your email password with an SMS message and reset your bank password with an email then SMS has been misused as a very weak single factor authentication process. Not because SMS offers weak authentication (that's all it's meant to offer) but because it was used incorrectly in a process that needed strong authentication. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
I’m sorry - I think we miscommunicated here. I was not advocating for TOTP or HOTP for SMS - in fact I’m completely against SMS being used for multi factor auth at all. -j Sent from my iPhone
On Apr 18, 2021, at 12:48, William Herrin <bill@herrin.us> wrote:
On Sun, Apr 18, 2021 at 12:03 PM John Adams <jna@retina.net> wrote:
On top of this most TOTP and HOTP systems have additional security checks like blocking reuse of codes, rate-limiting of guesses, and in some cases acceptance of earlier codes (in TOTP) if the clock skews too far that make them much stronger options which decreases security but is certainly more of a convenience factor.
Hi John,
On a site, the symmetric key used to generate the TOTP code is stored in the same database as the user's password. Unencrypted or with readily reversible encryption since unlike a password it can't be verified by comparing ciphertext. Your protection is that every site uses a different TOTP key, just like you're supposed to use a different password, so compromise of a single site doesn't broadly compromise you elsewhere. It can also be captured with malware on your phone, the same place an adversary will sniff your password, which -will- broadly compromise you if you're also entering the passwords on your phone.
None of these authentication schemes are magic. They all have attack vectors with varying degrees of difficulty, none of which are particularly harder than breaking a well chosen password. 2FA doesn't solve this. All it does is require an adversary to break -two- completely different authentication schemes in close enough proximity that you won't have closed the first breach before they gain the second. That's it. That's all it does.
While attacks on SMS are certainly practical, stop and think for a moment on how you would scale them up and break 10000 accounts per day. Got a plan where you're not caught in the first two days? No, you don't.
SMS is not a strong authentication factor. When used well, it's not intended to be. It's meant to require an adversary to do enough extra work after having already captured your password that unless they're specifically targeting you, the odds favor discovering and correcting the original breach before much harm can be done. For that use and that use only, it performs about as well as TOTP.
If you can reset your email password with an SMS message and reset your bank password with an email then SMS has been misused as a very weak single factor authentication process. Not because SMS offers weak authentication (that's all it's meant to offer) but because it was used incorrectly in a process that needed strong authentication.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection
Lots of people still use feature phones that are not capable of running applications such as this. On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
-mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk -mel On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection Lots of people still use feature phones that are not capable of running applications such as this. On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do. There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization. -mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
On 4/19/21 14:47, Mel Beckman wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk
Most regular folk (especially those that may not have smartphones) who have the option of SMS or a key fob will end up using SMS because it does not cause them to spend time standing in a queue in a building to give up cash. Their belief that SMS is secure (enough) has nothing to do with whether it actually is. It's all about convenience, and how much they can get done without speaking to human. If a key fob can be sent to them - preferably for free - that would help. Mark.
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
It's all about convenience, and how much they can get done without speaking to human.
Hi Mark, Convenience is the most important factor in any security scheme. The user nearly always has a choice, even if the choice is as rough-grained as "switch to a different company." If your process is too onerous (the user's notion of onerous) then it simply won't be used. An effective security scheme is the strongest which can be built within that boundary.
If a key fob can be sent to them - preferably for free - that would help.
Hint: carrying around a separate hardware fob for each important Internet-based service is a non-starter. Users might do it for their one or two most important services but yours isn't one of them. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
An unfortunate fact is that many companies don't support anything other than sending a token via email, SMS, or sometimes a voice call. I've seen several large banks, insurers, etc. who do this. It's maddening when you sign up for access to something and are restricted to these options. On Mon, Apr 19, 2021 at 11:49 AM William Herrin <bill@herrin.us> wrote:
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
It's all about convenience, and how much they can get done without speaking to human.
Hi Mark,
Convenience is the most important factor in any security scheme. The user nearly always has a choice, even if the choice is as rough-grained as "switch to a different company." If your process is too onerous (the user's notion of onerous) then it simply won't be used. An effective security scheme is the strongest which can be built within that boundary.
If a key fob can be sent to them - preferably for free - that would help.
Hint: carrying around a separate hardware fob for each important Internet-based service is a non-starter. Users might do it for their one or two most important services but yours isn't one of them.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
Shop with your feet if security is weak. I changed banks because of SMS 2FA. -mel via cell On Apr 20, 2021, at 9:06 AM, Mike <craigslist4md@gmail.com> wrote: An unfortunate fact is that many companies don't support anything other than sending a token via email, SMS, or sometimes a voice call. I've seen several large banks, insurers, etc. who do this. It's maddening when you sign up for access to something and are restricted to these options. On Mon, Apr 19, 2021 at 11:49 AM William Herrin <bill@herrin.us<mailto:bill@herrin.us>> wrote: On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
It's all about convenience, and how much they can get done without speaking to human.
Hi Mark, Convenience is the most important factor in any security scheme. The user nearly always has a choice, even if the choice is as rough-grained as "switch to a different company." If your process is too onerous (the user's notion of onerous) then it simply won't be used. An effective security scheme is the strongest which can be built within that boundary.
If a key fob can be sent to them - preferably for free - that would help.
Hint: carrying around a separate hardware fob for each important Internet-based service is a non-starter. Users might do it for their one or two most important services but yours isn't one of them. Regards, Bill Herrin -- William Herrin bill@herrin.us<mailto:bill@herrin.us> https://bill.herrin.us/
The goal of U2F is one key fob that works on many services. Implementation is pretty simple and the hardware is inexpensive. Sent from my iPhone
On Apr 19, 2021, at 08:51, William Herrin <bill@herrin.us> wrote:
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
It's all about convenience, and how much they can get done without speaking to human.
Hi Mark,
Convenience is the most important factor in any security scheme. The user nearly always has a choice, even if the choice is as rough-grained as "switch to a different company." If your process is too onerous (the user's notion of onerous) then it simply won't be used. An effective security scheme is the strongest which can be built within that boundary.
If a key fob can be sent to them - preferably for free - that would help.
Hint: carrying around a separate hardware fob for each important Internet-based service is a non-starter. Users might do it for their one or two most important services but yours isn't one of them.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
It appears that William Herrin <bill@herrin.us> said:
If a key fob can be sent to them - preferably for free - that would help.
Hint: carrying around a separate hardware fob for each important Internet-based service is a non-starter. Users might do it for their one or two most important services but yours isn't one of them.
You think? https://obvious.services.net/2013/07/better-have-big-pockets-if-you-want.htm... R's, John
On 4/19/21 17:48, William Herrin wrote:
Convenience is the most important factor in any security scheme.
But often not at the top of the implementation priority list.
Hint: carrying around a separate hardware fob for each important Internet-based service is a non-starter. Users might do it for their one or two most important services but yours isn't one of them.
You make my point for me. Mark.
HW tokens are great, sure. Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. ) I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse. On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk
-mel
On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection
Lots of people still use feature phones that are not capable of running applications such as this.
On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
-mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
On 4/19/21 15:07, Tom Beecher wrote:
I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.
This! Nowadays, the businesses that tend to do very well while seeming like a black box to most of their customers, are the ones who are consistently solving problems from the perspective of real people, at scale. If you solve it for 1, you solve it for 10,000 - and then the rest of exponential impact. Mark.
Tom, Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us. -mel On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc<mailto:beecher@beecher.cc>> wrote: HW tokens are great, sure. Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. ) I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse. On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk -mel On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc<mailto:beecher@beecher.cc>> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection Lots of people still use feature phones that are not capable of running applications such as this. On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do. There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization. -mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa<mailto:mark@tinka.africa>> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.
This is patently false. Low-income / disabled / minority / non-english speakers are absolutely targets of scams like those, and in significant numbers. On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
Tom,
Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.
-mel
On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
HW tokens are great, sure.
Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )
I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.
On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk
-mel
On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection
Lots of people still use feature phones that are not capable of running applications such as this.
On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
-mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
Can you cite data? Or provide a rational argument other than “they are”? -mel via cell On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote: These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. This is patently false. Low-income / disabled / minority / non-english speakers are absolutely targets of scams like those, and in significant numbers. On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: Tom, Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us. -mel On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc<mailto:beecher@beecher.cc>> wrote: HW tokens are great, sure. Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. ) I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse. On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk -mel On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc<mailto:beecher@beecher.cc>> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection Lots of people still use feature phones that are not capable of running applications such as this. On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do. There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization. -mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa<mailto:mark@tinka.africa>> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network... https://www.bjs.gov/content/pub/pdf/vit18.pdf On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:
Can you cite data? Or provide a rational argument other than “they are”?
-mel via cell
On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:
These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.
This is patently false. Low-income / disabled / minority / non-english speakers are absolutely targets of scams like those, and in significant numbers.
On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
Tom,
Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.
-mel
On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
HW tokens are great, sure.
Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )
I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.
On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk
-mel
On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection
Lots of people still use feature phones that are not capable of running applications such as this.
On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
-mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
I don’t see any data showing that poor people are targets of Account access attacks. Can you point out the specific data you think supports your claim? -mel via cell On Apr 19, 2021, at 7:33 AM, Tom Beecher <beecher@beecher.cc> wrote: https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network... https://www.bjs.gov/content/pub/pdf/vit18.pdf On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: Can you cite data? Or provide a rational argument other than “they are”? -mel via cell On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote: These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. This is patently false. Low-income / disabled / minority / non-english speakers are absolutely targets of scams like those, and in significant numbers. On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: Tom, Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us. -mel On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc<mailto:beecher@beecher.cc>> wrote: HW tokens are great, sure. Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. ) I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse. On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk -mel On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc<mailto:beecher@beecher.cc>> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection Lots of people still use feature phones that are not capable of running applications such as this. On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do. There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization. -mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa<mailto:mark@tinka.africa>> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
Can you point out the specific data you think supports your claim?
I can, but I'm not going to, because that's not what this side discussion has been based on. You said : These low-income people are not the targets of identity thieves, spear
fishers, or data ransomers.
I just showed you data that shows they are, but now are trying to move the goalposts with new quantifiers. I think this discussion has run its course for me. Take care. On Mon, Apr 19, 2021 at 10:45 AM Mel Beckman <mel@beckman.org> wrote:
I don’t see any data showing that poor people are *targets* of Account access attacks. Can you point out the specific data you think supports your claim?
-mel via cell
On Apr 19, 2021, at 7:33 AM, Tom Beecher <beecher@beecher.cc> wrote:
https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network...
https://www.bjs.gov/content/pub/pdf/vit18.pdf
On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:
Can you cite data? Or provide a rational argument other than “they are”?
-mel via cell
On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:
These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.
This is patently false. Low-income / disabled / minority / non-english speakers are absolutely targets of scams like those, and in significant numbers.
On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
Tom,
Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.
-mel
On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
HW tokens are great, sure.
Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )
I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.
On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk
-mel
On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection
Lots of people still use feature phones that are not capable of running applications such as this.
On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.
There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.
-mel
On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
> On 4/18/21 05:18, Mel Beckman wrote: > > No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
On 4/19/21 16:10, Mel Beckman wrote:
Can you cite data? Or provide a rational argument other than “they are”?
https://www.businessinsider.co.za/whatsapp-scam-asking-for-money-after-numbe... https://www.sowetanlive.co.za/news/south-africa/2020-01-06-beware-south-afri... https://www.news24.com/fin24/companies/financial-services/just-hang-up-consu... This is a country full of low-income (or blatantly unemployed) citizens. Mark.
On 4/19/21 15:33, Mel Beckman wrote:
Tom,
Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.
Hmmh, I'm not quite sure that is accurate. Low-income folk will certainly have a mobile service, even though they might not have enough to buy a security alarm once the rent is paid. Take finance, for example, in places like East Africa, they folk are lucky that they don't need a bank account to either put money away or transact for everyday needs. In other countries that don't have this (mobile money), low-income folk who earn a living will have a bank account, and even that one will come with some kind of online access. The issue isn't so much the product. The issue is that mobile services are so basic and fundamental, everybody, regardless of their financial position, will have one. The stats say that as of 2020, of the number of users around the world using mobile phones, only 46% of them are "smart". Mark.
One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been *so many places* where there is just about zero chance of my T-Mobile SIM successfully roaming onto the local network and receiving SMS at my US or Canadian number successfully. What am I supposed to do, take the SIM out of my phone, put it in a burner and give it to a trusted family member in North America, just for the purpose of receiving SMS 2FA codes (which I then have to call them and get the code from manually each time), before going somewhere weird? In the pre covid19 era when people were actually traveling places, imagine you've had reason to go somewhere weird and need access to a thing (such as your online banking, perhaps?) protected by SMS 2FA, but you have absolutely no way of receiving the SMS where you're presently located... Many of the people designing SMS 2FA systems used by people with accounts/services in the US 50 states and Canada seem to assume that their domestic customers will forever remain in a domestic location. On Sun, Apr 18, 2021 at 5:44 AM Mark Tinka <mark@tinka.africa> wrote:
On 4/18/21 05:18, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
Mark.
On 4/19/21 05:05, Eric Kuhnke wrote:
One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been /so many places/ where there is just about zero chance of my T-Mobile SIM successfully roaming onto the local network and receiving SMS at my US or Canadian number successfully.
What am I supposed to do, take the SIM out of my phone, put it in a burner and give it to a trusted family member in North America, just for the purpose of receiving SMS 2FA codes (which I then have to call them and get the code from manually each time), before going somewhere weird?
In the pre covid19 era when people were actually traveling places, imagine you've had reason to go somewhere weird and need access to a thing (such as your online banking, perhaps?) protected by SMS 2FA, but you have absolutely no way of receiving the SMS where you're presently located...
Many of the people designing SMS 2FA systems used by people with accounts/services in the US 50 states and Canada seem to assume that their domestic customers will forever remain in a domestic location.
This is a practical problem that I suffer with one of my South African providers, every time I traveled to the U.S. in the last 3 years. I could roam on all GSM networks in the U.S., and even make voice calls, but SMS's would not get delivered. Delivery of those only resumed the moment I transited in the Gulf on my way back home. This did not affect other countries I traveled to. But you are right, most network operators and SMS authentication designers do not necessarily work together to account for folk that travel. Mark.
On 19/4/21 2:36 pm, Mark Tinka wrote:
On 4/19/21 05:05, Eric Kuhnke wrote: [...]
In the pre covid19 era when people were actually traveling places, imagine you've had reason to go somewhere weird and need access to a thing (such as your online banking, perhaps?) protected by SMS 2FA, but you have absolutely no way of receiving the SMS where you're presently located...
Many of the people designing SMS 2FA systems used by people with accounts/services in the US 50 states and Canada seem to assume that their domestic customers will forever remain in a domestic location.
This is a practical problem that I suffer with one of my South African providers, every time I traveled to the U.S. in the last 3 years. I could roam on all GSM networks in the U.S., and even make voice calls, but SMS's would not get delivered. Delivery of those only resumed the moment I transited in the Gulf on my way back home. This did not affect other countries I traveled to.
But you are right, most network operators and SMS authentication designers do not necessarily work together to account for folk that travel.
This is already probably past the point of being on topic here, but you tickled my personal favorite one of these. My airline of choice (Qantas) has mandatory SMS second factor, after perhaps a mobile carrier requiring it for support one of the most facepalm-worthy uses of SMS 2FA I've seen.
On 4/19/21 06:50, Julien Goodwin wrote:
This is already probably past the point of being on topic here, but you tickled my personal favorite one of these.
My airline of choice (Qantas) has mandatory SMS second factor, after perhaps a mobile carrier requiring it for support one of the most facepalm-worthy uses of SMS 2FA I've seen.
It's interesting that VoWiFi is meant to support both voice and SMS, domestically and when one travels. So I'm curious why SMS's would not work with VoWiFi when traveling to a country that won't deliver your SMS's generically. After all, VoWiFi is, as far as I understand it, meant to be a direct IP tunnel back to your home network for both billing and service. If anyone has more clue about this on the list, I'd really like to know, as my mobile service providers hardly know what I'm talking about when I ring them up with questions. Mark.
I would start with cellular carriers and nations that intentionally take steps to block anything VoIP as a threat to their revenue model. Or because anything vpn/ipsec/whatever related is a threat to local Internet censorship laws. Plenty of places the sort of ipsec tunnel used for vowifi is not usable on whatever consumer-grade cellular or local broadband ISP you might find. On Sun, Apr 18, 2021 at 11:11 PM Mark Tinka <mark@tinka.africa> wrote:
On 4/19/21 06:50, Julien Goodwin wrote:
This is already probably past the point of being on topic here, but you tickled my personal favorite one of these.
My airline of choice (Qantas) has mandatory SMS second factor, after perhaps a mobile carrier requiring it for support one of the most facepalm-worthy uses of SMS 2FA I've seen.
It's interesting that VoWiFi is meant to support both voice and SMS, domestically and when one travels. So I'm curious why SMS's would not work with VoWiFi when traveling to a country that won't deliver your SMS's generically. After all, VoWiFi is, as far as I understand it, meant to be a direct IP tunnel back to your home network for both billing and service.
If anyone has more clue about this on the list, I'd really like to know, as my mobile service providers hardly know what I'm talking about when I ring them up with questions.
Mark.
On 4/19/21 11:17, Eric Kuhnke wrote:
I would start with cellular carriers and nations that intentionally take steps to block anything VoIP as a threat to their revenue model. Or because anything vpn/ipsec/whatever related is a threat to local Internet censorship laws.
Plenty of places the sort of ipsec tunnel used for vowifi is not usable on whatever consumer-grade cellular or local broadband ISP you might find.
Not sure what that says for the US of A, as that is where this has hit me so far. Mark.
On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
Hi Eric, SMS for 2FA is fine. It's understood that a single authentication factor is not secure enough; that's why you use two. SMS for 1FA is hugely risky and should not be used for anything important, like money. SMS for a password reset is an example of 1FA -- your ability to receive SMS messages at the required phone number becomes the sole authentication factor needed to access the account. If the adversary has captured your password -and- reprogrammed your phone number, what makes you think they lack the wherewithal to have captured the shared secret used to generate your TOTP code? Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
Bill, SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you: https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html -mel On Apr 18, 2021, at 6:31 AM, William Herrin <bill@herrin.us> wrote: On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote: Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'. Hi Eric, SMS for 2FA is fine. It's understood that a single authentication factor is not secure enough; that's why you use two. SMS for 1FA is hugely risky and should not be used for anything important, like money. SMS for a password reset is an example of 1FA -- your ability to receive SMS messages at the required phone number becomes the sole authentication factor needed to access the account. If the adversary has captured your password -and- reprogrammed your phone number, what makes you think they lack the wherewithal to have captured the shared secret used to generate your TOTP code? Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
Mel, That Schneier article is from 2016. The 3/2020 update to the NIST recommendation (four years later and the currently active one) still allows the use of SMS specifically and the PSTN in general as an out of band authenticator in part of a two-factor authentication scheme. The guidance includes a note explaining the social engineering threat to SMS authenticators: "An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker." https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1 The bottom line is that an out-of-band authenticator like SMS is meant to -enhance- the security of a memorized secret authenticator, not replace it. If properly used, it does exactly that. If misused, it of course weakens your security. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS? Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others. Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations. https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html -mel On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us<mailto:bill@herrin.us>> wrote: On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you: https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html Mel, That Schneier article is from 2016. The 3/2020 update to the NIST recommendation (four years later and the currently active one) still allows the use of SMS specifically and the PSTN in general as an out of band authenticator in part of a two-factor authentication scheme. The guidance includes a note explaining the social engineering threat to SMS authenticators: "An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker." https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1 The bottom line is that an out-of-band authenticator like SMS is meant to -enhance- the security of a memorized secret authenticator, not replace it. If properly used, it does exactly that. If misused, it of course weakens your security. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
Bill, You don’t even have to bother with social engineering, as Bruce Schneier points out in his blog from last month: https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html "It turns out that with a little bit of anonymous money — in this case, $16 off an anonymous prepaid credit card — and a few lies, you can forward the text messages from any phone to any other phone.” -mel On Apr 18, 2021, at 8:24 AM, Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS? Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others. Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations. https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html -mel On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us<mailto:bill@herrin.us>> wrote: On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote: SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you: https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html Mel, That Schneier article is from 2016. The 3/2020 update to the NIST recommendation (four years later and the currently active one) still allows the use of SMS specifically and the PSTN in general as an out of band authenticator in part of a two-factor authentication scheme. The guidance includes a note explaining the social engineering threat to SMS authenticators: "An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker." https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1 The bottom line is that an out-of-band authenticator like SMS is meant to -enhance- the security of a memorized secret authenticator, not replace it. If properly used, it does exactly that. If misused, it of course weakens your security. Regards, Bill Herrin -- William Herrin bill@herrin.us<mailto:bill@herrin.us> https://bill.herrin.us/
On Sun, Apr 18, 2021 at 8:31 AM Mel Beckman <mel@beckman.org> wrote:
You don’t even have to bother with social engineering [...] $16 off an anonymous prepaid credit card — and a few lies
Mel, What do you think social engineering is? It's a couple well placed lies that convince someone to do the wrong thing. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
Fine. And you think 2FA trivially susceptible to social engineering is OK. “Come on, man”, as Biden would say :) -mel
On Apr 18, 2021, at 11:29 AM, William Herrin <bill@herrin.us> wrote:
On Sun, Apr 18, 2021 at 8:31 AM Mel Beckman <mel@beckman.org> wrote:
You don’t even have to bother with social engineering [...] $16 off an anonymous prepaid credit card — and a few lies
Mel,
What do you think social engineering is? It's a couple well placed lies that convince someone to do the wrong thing.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
I wonder how much of this is moot because the amount of actual SS7 is low and getting lower every day. Aren't most "SMS" messages these days just SIP MESSAGE transactions, or maybe they use XMPP? As I understand a lot of the cell carriers are using SIPoLTE directly to your phone. Mike On 4/18/21 8:24 AM, Mel Beckman wrote:
Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS?
Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a /bulwark /against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others.
Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations.
https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html <https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html>
-mel
On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us <mailto:bill@herrin.us>> wrote:
On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org <mailto:mel@beckman.org>> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html <https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html>
Mel,
That Schneier article is from 2016. The 3/2020 update to the NIST recommendation (four years later and the currently active one) still allows the use of SMS specifically and the PSTN in general as an out of band authenticator in part of a two-factor authentication scheme. The guidance includes a note explaining the social engineering threat to SMS authenticators: "An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker."
https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1 <https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1>
The bottom line is that an out-of-band authenticator like SMS is meant to -enhance- the security of a memorized secret authenticator, not replace it. If properly used, it does exactly that. If misused, it of course weakens your security.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
participants (15)
-
bzs@theworld.com -
Dan Hollis -
Eric Kuhnke -
John Adams -
John Levine -
Julien Goodwin -
Mark Tinka -
Mel Beckman -
Michael Thomas -
Mike -
Nathaniel Ferguson -
Randy Bush -
Tim Jackson -
Tom Beecher -
William Herrin