Soricidus
Oct 21, 2010
freedom-hating statist shill

mystes posted:

I think the reason banks in the US gave up on 2FA is that they don't want to deal with people who lose their tokens.

again that’s where the card readers shine. they’re interchangeable. lose it? use your partner’s, or drop into a branch and pick up a replacement. your “token” is your bank card, and everyone knows how to deal with lost cards

Shaggar
Apr 26, 2006
old people in the us would immediately be flooded with fake tokens that charge their cards.

mystes
May 31, 2006

Soricidus posted:

again that’s where the card readers shine. they’re interchangeable. lose it? use your partner’s, or drop into a branch and pick up a replacement. your “token” is your bank card, and everyone knows how to deal with lost cards
This makes sense but it would also make it even more inconvenient to report your card stolen.

BangersInMyKnickers posted:

android isn't doing this poo poo any favors. Those poor suckers have to jump to a new phone install with new tokens every time they change devices, meanwhile I am using the same software token that I set up on my 3gs and have been migrating through 3 phones now
I assume you mean "google authenticator" not "android" since you can use any TOTP app for google?

In theory you don't want someone to be able to steal the token from your phone but I guess it doesn't necessarily make sense based on the actual threat model since it's much better to make it easy to use the tokens.

The recommended procedure is to just save the recovery codes and use those to get a new token for your new phone, but yeah that's massively inconvenient.

In practice people who can steal the codes from your phone are probably going to have an exploit to get root and steal them even if you don't allow backups. I guess if you were really worried an alternative compromise might be to save all the codes to somewhere safe (and encrypted) at the time they're generated but still use an app that doesn't allow you to export them.

U2F seems really nice because it helps protect against phishing (because it's based on the domain) and you only need one token, but almost nobody is using it yet.

Shaggar
Apr 26, 2006
Microsoft authenticator encrypts its icloud backups with a Microsoft account so you can do backups without the backups containing plain text totp codes.

for android I guess it just uses your Microsoft account to store the backups.

Progressive JPEG
Feb 19, 2003

mystes posted:

U2F seems really nice because it helps protect against phishing (because it's based on the domain) and you only need one token, but almost nobody is using it yet.

u2f tokens still have insane markup if you want to buy them retail (aren't yubikeys still like $50/ea?) and ios blocks rfid for anything that isn't their own payment system so we're stuck with u2f only making sense for your company's SSO

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
https://twitter.com/TinkerSec/status/1172174714833428482?s=20

mystes
May 31, 2006

Progressive JPEG posted:

u2f tokens still have insane markup if you want to buy them retail (aren't yubikeys still like $50/ea?) and ios blocks rfid for anything that isn't their own payment system so we're stuck with u2f only making sense for your company's SSO
Yubikeys do a ton of stuff that U2F tokens don't need to do. U2F tokens are dead simple and don't need any writable storage at all, so they are already cheaper and probably would be dirt cheap if there was actual demand for them.

(FIDO2 tokens, which support passwordless login, do need some actual storage to remember usernames though.)

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
yeah yubikeys are also smart cards with built-in card readers.

we use them for our GPG keys (which in turn are used for SSH).

they own

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


Soricidus posted:

come to Europe. uk banks all hand out chip devices where you stick in your debit card and enter your pin to get a one-time code, or some of them just have authenticated tokens that are the same principle but the thing-you-have is the token rather than the card

not perfect probably but a hell of a lot better than loving sms

what no they don't, not all anyway. HSBC and santander use fingerprint id on mobile now, with the HSBC app generating one time logon/signing codes for Web access as well.

and HSBC were way behind on their mobile app compared to others until recently so I'd assume the rest are better.

edit: before that HSBC used a custom key generator pad thing... santander idk, natwest used the card reader thing but I think have stopped.

Powerful Two-Hander fucked around with this message at 23:34 on Sep 12, 2019

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
yeah the only british banks i'm aware of that use a cardreader for 2fa are (were?) nationwide and lloyds business, and the latter forces you to set a memorable phrase which can be used to bypass it

i wouldn't even mind sms for 2fa. marcus do it when logging in from a new location. other banks (lloyds group retail, tsb, santander) just have a second password they ask for specific characters from. it's hardly ideal

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD

Shaggar posted:

I like azure mfa w/ the Microsoft authenticator. its cool because they have plugins for basically everything so you can stick MFA everywhere with little effort.

approving without opening the app or typing in a code is nice.
I wish more sites that let you use TOTP supported that

pseudorandom name
May 6, 2007

mystes posted:

This makes sense but it would also make it even more inconvenient to report your card stolen.

I assume you mean "google authenticator" not "android" since you can use any TOTP app for google?

In theory you don't want someone to be able to steal the token from your phone but I guess it doesn't necessarily make sense based on the actual threat model since it's much better to make it easy to use the tokens.

The recommended procedure is to just save the recovery codes and use those to get a new token for your new phone, but yeah that's massively inconvenient.

In practice people who can steal the codes from your phone are probably going to have an exploit to get root and steal them even if you don't allow backups. I guess if you were really worried an alternative compromise might be to save all the codes to somewhere safe (and encrypted) at the time they're generated but still use an app that doesn't allow you to export them.

U2F seems really nice because it helps protect against phishing (because it's based on the domain) and you only need one token, but almost nobody is using it yet.

google authenticator doesn't back up to icloud

Powerful Two-Hander
Mar 10, 2004

Rufus Ping posted:

yeah the only british banks i'm aware of that use a cardreader for 2fa are (were?) nationwide and lloyds business, and the latter forces you to set a memorable phrase which can be used to bypass it

i wouldn't even mind sms for 2fa. marcus do it when logging in from a new location. other banks (lloyds group retail, tsb, santander) just have a second password they ask for specific characters from. it's hardly ideal

oh yeah nationwide were the ones with the card reader, not natwest

and yes santander web access sucks: enter your security number (6 digits) and then like letters 2, 4 and 7 from your login password or something, which is a pain in the rear end when you set that password to a 12 character random string.

Progressive JPEG
Feb 19, 2003

mystes posted:

Yubikeys do a ton of stuff that u2f tokens don't need to do. U2f tokens are dead simple and don't need any writable storage at all, so they are already cheaper and probably would be dirt cheap if there was actual demand for them.

(FIDO2 tokens, which support passwordless login, do need some actual storage to remember usernames though.)

yeah I bought a couple yubikeys on sale and they basically sit unused because like 3 sites I use actually support them vs the dozen or so that support totp 2fac, so as a result I basically haven't bothered maintaining them since it's easier to just have totp everywhere and have the habit of checking the totp app

and since apple blocks nfc I can't do it via my phone either, another win for totp

Progressive JPEG
Feb 19, 2003

also I lost one of the three tokens I'd bought and I guess that means on each of the sites where I'd added them, I'd need to remove all three and then re-pair the two I still have, since it's not like they have names or anything

u2f is expensive, cumbersome, and mostly useless outside of a corporate environment. so perfection in the eyes of any security pedant, joining the ranks of e.g. RADIUS and DNSSEC

Progressive JPEG
Feb 19, 2003

to be clear I think u2f is perfect for when you get your work issued laptop with a yubikey included to be used with your corp SSO login, but expecting someone to buy, carry around, and janitor several tokens just for the three sites that actually support them (assuming you never want to log in on an iphone/ipad) is a bit ridiculous

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
u2f tokens are like $10 and you can use the same one for an unlimited number of sites

it sux that IOS doesn’t support ‘em but you’re being a toddler about it

crazysim
May 23, 2004
I AM SOOOOO GAY
i do think it's interesting that there does seem to be some form of support and more for u2f stuff for ios 13. safari currently only supports usb at the moment, and apple has licensed the lightning port for a yubikey product.

https://support.yubico.com/support/solutions/articles/15000006479-getting-started-on-ios

Xarn
Jun 26, 2015
All places that recognize Yubikeys also let you name them, so you can remove the one you lost. If you mean the yubikeys themselves, you can always use a label printer or write some notes into the smartcard area...

Also yeah, it sucks that you use Apple's lovely products and they won't let you use proper security, but I guess that's the apple tax I keep hearing about. :v:

mystes
May 31, 2006

Xarn posted:

All places that recognize Yubikeys also let you name them
Are you talking about U2F keys or specifically about old sites using the HOTP-style yubikey authentication method where it acts like a keyboard?

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
Man claims to be technician, steals ATM from San Jose museum

Nobody noticed until a month later when someone found the ATM dumped on the side of a highway. Amazing what you can get away with by dressing the part.

CRIP EATIN BREAD
Jun 24, 2002

klosterdev posted:

Man claims to be technician, steals ATM from San Jose museum

Nobody noticed until a month later when someone found the ATM dumped on the side of a highway. Amazing what you can get away with by dressing the part.

that's how kevin mitnick did most of his work. he would just pretend to be an employee or a mover and just walk into places and steal computers.

honestly you can get away with a lot that way even today.

pseudorandom name
May 6, 2007

Progressive JPEG posted:

and since apple blocks nfc I can't do it via my phone either, another win for totp

https://developer.apple.com/documentation/corenfc?language=objc

Subjunctive
Sep 12, 2006

✨sparkle and shine✨


those docs are great. core nfc is supported in iOS 11+, but they tell you to check readingAvailable before doing anything, which is only in the forthcoming iOS 13. the NDEF sample app also requires 13+.

Xarn
Jun 26, 2015

mystes posted:

Are you talking about U2F keys or specifically about old sites using the HOTP-style yubikey authentication method where it acts like a keyboard?

U2F, I disabled the keyboard emulation after my first hour using yubikey. :v:

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall roll by,
kin shall follow the course of kin

CRIP EATIN BREAD posted:

that's how kevin mitnick did most of his work. he would just pretend to be an employee or a mover and just walk into places and steal computers.

honestly you can get away with a lot that way even today.

yeah it owns

CRIP EATIN BREAD
Jun 24, 2002

in fact just being confident and having any sort of badge (even a blank card) hanging off your pants and most people won't question what you're doing.

i've gotten pretty far in places that way before being asked to leave

Trabisnikof
Dec 24, 2005

Remember kids, scope is everything on a pentest

quote:

Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and no one evidently anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail.

https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/

Winkle-Daddy
Mar 10, 2007

the article doesn't mention the contract at all. My experience has been that pentesters (especially in the last 5-ish years) are not one to invent scope. I would be shocked if physical access was not spelled out in the contract the SCA signed, agreed to and failed to read. But I guess we'll have to wait and see.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

someone is going to get sued

James Baud
May 24, 2015

by LITERALLY AN ADMIN
Hey, the good news is that they passed the test!

haveblue
Aug 15, 2005



Toilet Rascal
also the pentesters probably know how to break out now

Carthag Tuek
Oct 15, 2005

CRIP EATIN BREAD posted:

in fact just being confident and having any sort of badge (even a blank card) hanging off your pants and most people wont question what you're doing.

i've gotten pretty far in places that way before being asked to leave

ya lol. i've done it by just waving at the guy

https://www.youtube.com/watch?v=NiEMcjSQOzg&t=22s

i mean idk how much is staged in these videos but its definitely a real thing

spankmeister
Jun 15, 2008

Winkle-Daddy posted:

the article doesn't mention the contract at all. My experience has been that pentesters (especially in the last 5-ish years) are not one to invent scope. I would be shocked if physical access was not spelled out in the contract the SCA signed, agreed to and failed to read. But I guess we'll have to wait and see.

Maybe, but this ain't tinkersec's first rodeo so I'm sure they know what to put in the contract.



lol tinkersex

Lain Iwakura
Aug 5, 2004

Krankenstyle posted:

ya lol. i've done it by just waving at the guy

https://www.youtube.com/watch?v=NiEMcjSQOzg&t=22s

i mean idk how much is staged in these videos but its definitely a real thing

clipboards work too

Winkle-Daddy
Mar 10, 2007
i... think we agree? also, I didn't realize this was tinkersec, he's usually incredibly careful.

Lain Iwakura
Aug 5, 2004

https://twitter.com/HackerMovieBot/status/1172567829893111809

Carthag Tuek
Oct 15, 2005

:5:

whatever the smiley is

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
how do you guys deal with legit services that have browser extensions that demand full read and write data?

just dehumanize yourself and etc.?

the "this is mega convenient" + "this is a serious business" - "they will eventually get hacked" balance is hard to reconcile.

Last Chance
Dec 31, 2004

Ur Getting Fatter posted:

how do you guys deal with legit services that have browser extensions that demand full read and write data?

just dehumanize yourself and etc.?

the "this is mega convenient" + "this is a serious business" - "they will eventually get hacked" balance is hard to reconcile.

full read and write on all sites? disable and trash
