Your phone company's shitty security is all that's standing between you and total digital destruction

Originally published at: https://boingboing.net/2018/07/20/sms-smh.html

…

Nah, my phone is a land line, and I don’t use my company cell phone as the key to anything I can’t easily do without.

National Institute of Standards & Technology (NIST) has been recommending against using SMS for 2-factor authentication for some time. But nobody seems to be listening.

As I see it, it’s really only an issue for people that have high-value, easily-transferable assets secured by 2FA… So pretty much just cryptocurrency, at the moment.

Banks have pretty good fraud detection in place these days, and also have pretty strong forensics, so an attacker that goes after your bank account is going up against a powerful entity. But if they steal your BTC… Well, it’s just you they’re contending with. Hmm. Wonder which one they’re gonna choose.

Not saying that 2FA is safe or necessarily a good idea, but you could say the same thing about front door locks - they’re not there to secure your gold bullion, FFS, they’re there to keep casual potential thieves from just walking in and snagging your laptop that’s visible from the front window and walking out.

Security lesson of the day: you don’t have to have perfect or even very good security, just make sure that your security level is equivalent to the value of the thing you’re trying to secure, at least relative to other people so you’re not the easiest target out there. As long as you’re a little bit more trouble than, say, the bottom 25th percentile of people with similar “stuff” that you’re all trying to secure, you’re usually pretty safe.

“Certain services, including Instagram, require that users provide a phone number when setting up two-factor, a stipulation with the unintended effect of giving hackers another method of getting into an account.”

in other words “If you’d like to improve your security by enabling two factor authentication, you must also undermine it by enabling one factor authentication.” Great. Just great.

They are even going backwards. PayPal dumped security tokens as an option and now only uses SMS 2F for consumer accounts - kind of a problem should I ever need to use PayPal when I’m abroad, using a local sim and phone number… :-/

PayPal tries to position SMS-only 2FA as “super security”.

“Security key
Set up a PayPal Security Key by entering a one-time pin that’s unique for each login. This gives you a second authentication factor whenever you log in to your account. That’s fancy talk for a super secure account!”

I gathered this is aimed at people who mostly use smartphones for access.

(I’m not one of them, but I get why someone might not want or need anything else, especially these days.)

I mean, it’s just anecdotal evidence, but a former flatmate had to fight her bank for six months because someone allegedly used her credit card in Indonesia while she was in Germany, and had never been to Indonesia (or Asia) in her life. She got her 6k back, in the end, but couldn’t pay any bills for six friggin months including her rent. Nobody explained at any point why someone was able to withdraw the amount anyways, but we suspected usage of several ATMs at the same time. (She had a monthly cap on the card.)

Another friend got his credit card withdrawn by the ATM on Christmas Eve, when he wanted to pay me back expenses of a good meal. His card had been used for online shopping, also somewhere in Asia. Security measures alerted the bank, which suspended his account. Took him three weeks to get his card back, but at least he had another card and didn’t loose any money and didn’t get into other trouble.

In the U.S., 5% of SMS messages are never delivered. A larger percentage can be delayed for minutes to hours. (Long ago, I received one nine days after it was sent.)

I don’t have reliable cell service at home, so, when I’m home, my cell phone is powered off. (Otherwise, it jams the power to the radio to max in an effort to maintain signal and quickly discharges the battery.)

Mandatory 2FA over SMS is a non-starter.

Anyone using SMS as a “second factor” is basically screaming that they are incompetent and/or apathetic.

It’s cheap(and a good excuse to hoover up customer phone numbers for definitely-benign purposes…); but that’s where the list of virtues ends. Even the software implementations of time-based tokens(while obviously vulnerable to spilling state to other programs in our glorious future of smartphone security) at least don’t rely on the known-broken state of SS7 or carrier resistance to social engineering.

Another reason not to have a smart phone.

Not really. This has nothing to do with “smart” phones per se. You don’t need a smart phone to send or receive texts, including 2FA texts. Texting pre-dates smart phones. And having a smart phone doesn’t some how force you to sign up for SMS 2FA.

2FA, especially via SMS is really a double-edged sword. Because it’s a PITA, you don’t want to use it on trivial accounts, only the most important. But that dramatically increases your chances of being locked out of your most important accounts, or having them hijacked. Phone dead? No reception? Drying out in a bag of rice? Changed numbers and forgot to update this account? No access for you! Someone else wants access? All they need is a 4-digit code, which they can relatively-easily get.

The theory sounds good, but in practice, it’s so often implemented poorly that having it is worse than not having it. Some places won’t use a modern 2FA app, only SMS. Some provide no backup codes in case you don’t have access to your phone. Some allow it alone to be used to reset your password and take over an account. And of course, if you’re logging in on your phone in the first place it’s completely pointless because it’s not actually another factor.

The slight problem with that or with refusing to use unsecure sms authentication (which is more the subject of that thread) is that you will find less and less firms willing to do business with you.

Many banks only offer sms authentication, no choice left. In some countries, it has become difficult to pay without a smartphone. Shops will accept cash, but only small sums as they don’t want the risk to hold large sums of money. They will not be able to gove you change, as they don’t have a till. Refusing the odd customer without a smartphone is much cheaper than the costs associated with cash, so they don’t do it.

Similarly, giving out a cellphone number has become a standard requirement with several Internet portals and the number who don’t require it is dwingling. Same for plane or train bookings, banks of course, merchants in some cases, etc… No phone, no service. You can bring your business somewhere else, but for how long?

For most corporations, it actually makes business sense to refuse to serve prospective customers without a smartphone or without lax security online payment and not willing to leave their privacy wide open. They cost more than what they are worth.

My solution to this, and other problems of authenticating identity, is a birth certificate authority. The same municipality that issues your birth certificate issues a digital certificate. This is your identity; you keep it secure and use it to sign documents. Identity theft is much harder this way and authenticating is much easier. In the event of identity compromise only one place must be notified and can revoke your old certificate and issue a new one. This seems like a basic function of government anyway.

Use TOTP 2FA, with an app that encrypts and backs up your seeds, and doesn’t display them on the lock screen (I.e. Authy)

If your seed store is compromised, no biggie - regenerate them. If you phone is lost/stolen, grab your seed archive and rotate your passwords and seeds.

Don’t use SMS.

Unfortunately, many sites that offer 2FA don’t give you the option of choosing your favorite 2FA and many don’t offer anything but SMS (coughPayPalcough). SMS, IMO, is still better than no 2FA, but not as much as I’d like.

But non-SMS 2FA isn’t a guarantee either. Namecheap manages to implement Authy as a second factor, but still eff that up. It uses a proprietary app implementation of Authy for no legitimate reason, preventing me from storing the tokens off my device and on my Yubikey Neo to use with the Yubico Authenticatior app. I don’t wan’t my 2FA tokens stored on the same device I access the service with, which is one of the problems with SMS 2FA. Grr…

Perhaps you will think it’s pedantic, but the “two factor authentication” (2FA) that is so important in stories like these is usually no such thing.

One of the banks I have an account with really does have 2FA; to access my account, I have to supply a password and demonstrate that I’m receiving phone calls or texts to my phone number of record. Every time.

The VPN at my wife’s office requires real 2FA to connect: Both a password and an RSA token value are needed, every time.

The “2FA” weakness discussed in the story is quite different. It’s just a password reset / account recovery mechanism. If you can receive texts to the number of record, you can take control of the account. Without the password.

That’s 1FA. The people offering it have taken to calling it 2FA, but it’s really 1FA x 2; no additional security, but twice the vulnerability, at best.

You can have real 2FA with or without a crummy account recovery feature connected. Real 2FA does provide real additional security at the cost of being a pain in the neck. Account recovery features provide convenience at the cost of real security.

I’ve been suspicious of SMS based account recovery for a long time and it’s both frustrating and gratifying to see that I wasn’t crazy.

Not pedantic at all. It’s a critical difference, and why I don’t keep my Authy tokens on my phone. It’s also why it is utterly stupid for LastPass to suggest you include your 2FA backups in your LastPass account. If LastPass is breached, I’m pretty SOL, but I’m totally SOL if my 2nd factor is right there with my log ons and passwords… :-/

Your point reminds me of the terrible account recovery “Security Questions” some companies have, questions that are really just easier to guess (or look up if they are personal details) passwords :-/ And email-based account recovery means that your primary email account is the keys to the kingdom, no matter what other security measures you may have on those accounts. A friend of a friend doesn’t memorize passwords for different accounts. She just uses email account recovery everytime she needs into an infrequently used account :-0

Awesome - and we will require this from foreign governments how?

Many, many US people were born overseas - please don’t give people another reason to try and treat us like second class citizens