Volmarias
Dec 31, 2002


D. Ebdrup posted:

I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself.
I'm half-convinced that would solve every problem with SMS 2FA that doesn't involve the targeted attacks, for example where accounts are stolen via social engineering.

I'm the non-targeted attack that relies on reading the SMS code from someone's locked phone.
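The marker scheme quoted above ("Authentication Code:" prepended so the OS can blur the rest of the preview), as an added example that is not part of any post in this thread: a lock-screen preview filter that masks code-shaped digit groups only when the agreed marker is present. The marker string, the assumed code format and the sample messages are constructed for this example.

```python
import re

# Marker the thread proposes senders prepend (assumed convention for this example).
MARKER = re.compile(r"authentication code:\s*", re.IGNORECASE)
# Code shape assumed here: 3-5 digits, optionally a second group joined by space or hyphen.
CODE = re.compile(r"\b\d{3,5}(?:[ -]?\d{3,5})?\b")


def redact_preview(sms: str, mask: str = "*") -> tuple[str, bool]:
    """Return (preview_text, was_redacted) for a lock-screen notification.

    When the marker is present, every code-shaped digit group after it is masked,
    so the preview still shows that a code arrived and what it is for (the point
    raised later in the thread about bank-support codes) but not the code itself.
    Messages without the marker are returned unchanged: without a marker the OS
    cannot reliably tell a code from any other number, which is why one is proposed.
    """
    m = MARKER.search(sms)
    if not m:
        return sms, False
    head, tail = sms[: m.end()], sms[m.end():]
    masked = CODE.sub(lambda c: re.sub(r"\d", mask, c.group(0)), tail)
    return head + masked, True


# Constructed sample messages, not real SMS traffic.
SAMPLES = [
    "Authentication Code: 482913 is your login code. Do not share it.",
    "Authentication Code: 482-913 to provide to the support agent. Expires in 10 minutes.",
    "hey this is awkward but you might wanna get tested",
    "Your verification code is 123456",  # no marker: shown as-is, i.e. still leaks
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(redact_preview(s))
```

Short numbers such as "10 minutes" stay visible, while a code split as "482-913" is masked in place.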


D. Ebdrup
Mar 13, 2009



Volmarias posted:

I'm the non-targeted attack that relies on reading the SMS code from someone's locked phone.
I mean, I get what you're saying, but the point is that doing it via phone apps which require biometric locks straddles the 'something you own' and 'something you are' parts of MFA, so you end up with 3FA, not just 2FA.

Space Gopher
Jul 31, 2006
BLITHERING IDIOT

D. Ebdrup posted:

I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself.
I'm half-convinced that would solve every problem with SMS 2FA that doesn't involve the targeted attacks, for example where accounts are stolen via social engineering.

The big threat with SMS 2FA isn't somebody reading the code off your lock screen. If you're worried about that, just set your phone to not display SMS previews on the lock screen at all, which will stop exposing both SMS 2FA codes and that message from your ex that says "hey this is awkward but you might wanna get tested." More generally, starting off with "you have to find a way to get the person's phone in your hands" is not a feature of a strong attack.

The problem with SMS 2FA is that phone numbers are not strongly tied to hardware, people, or cryptographic secrets. Phone provider CSRs are willing to help an attacker with a SIM swap, because they're judged on fast resolutions and survey scores, not security. Anyone who can break into not-particularly-secure provider customer accounts can set up call forwarding, and many services that do SMS 2FA also wire it up to a "call me" option that reads the code over a text-to-speech engine. SS7 attacks can redirect incoming SMSes directly to an attacker using the same mechanisms that let your phone number work overseas, and larger-scale organized crime treats access to SS7 as a commodity. There are a lot of ways to compromise 2FA SMS before your phone is ever involved, and that's the reason that SMS is not a good 2FA mechanism.

Space Gopher fucked around with this message at 16:15 on Jul 4, 2020

Volmarias
Dec 31, 2002


D. Ebdrup posted:

I mean, I get what you're saying, but the point is that doing it via phone apps which require biometric locks straddles the 'something you own' and 'something you are' parts of MFA, so you end up with 3FA, not just 2FA.

I've written and re-written a response several times and each time it boils down to "What the hell are you even talking about here" so I'll just leave it at that.

D. Ebdrup
Mar 13, 2009



It's me, I'm the secfuck.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

Yeah, SMS 2FA only if you have absolutely no other option; it's still just a risk.

CyberPingu
Sep 15, 2013

Ready To Ruck!





Space Gopher posted:

The big threat with SMS 2FA isn't somebody reading the code off your lock screen. If you're worried about that, just set your phone to not display SMS previews on the lock screen at all, which will stop exposing both SMS 2FA codes and that message from your ex that says "hey this is awkward but you might wanna get tested." More generally, starting off with "you have to find a way to get the person's phone in your hands" is not a feature of a strong attack.

The problem with SMS 2FA is that phone numbers are not strongly tied to hardware, people, or cryptographic secrets. Phone provider CSRs are willing to help an attacker with a SIM swap, because they're judged on fast resolutions and survey scores, not security. Anyone who can break into not-particularly-secure provider customer accounts can set up call forwarding, and many services that do SMS 2FA also wire it up to a "call me" option that reads the code over a text-to-speech engine. SS7 attacks can redirect incoming SMSes directly to an attacker using the same mechanisms that let your phone number work overseas, and larger-scale organized crime treats access to SS7 as a commodity. There are a lot of ways to compromise 2FA SMS before your phone is ever involved, and that's the reason that SMS is not a good 2FA mechanism.

They aren't great, but they are a hell of a lot better than no 2FA at all.


The biggest issue though is education & attitude. How do you expect someone who doesn't even set a lock pin on their phone to use it for 2FA?

Education can be kinda treated; as the infosec industry we do a really bad job of education imo. Attitude is a lot harder, some people won't bother acting until it's too late and it's almost impossible to get through to them because of the "I don't have anything worth stealing so why would I be hacked". As they think the only thing hackers do is steal poo poo.

Arsenic Lupin
Apr 11, 2012

This particularly rapid unintelligible patter isn't generally heard, and if it is, it doesn't matter.





Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

Arsenic Lupin posted:

Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.

Yeah, we had to do a big education push at our office to inform users they should never reveal 2FA to anyone after we had someone share it with a phish.

CyberPingu
Sep 15, 2013

Ready To Ruck!





Arsenic Lupin posted:

Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.

That could be done with literally any code though unfortunately. Social engineering is scarily easy.

Imo it should be included in more pen testing, as if there's a lack of understanding on the people side of things then that's something I would want to know about.

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate





Arsenic Lupin posted:

Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.

You think that's scary? I know from experience there are banks with customer support that will trigger a 2FA auth and ask you to repeat it back to them to verify your identity. No, not a scammer. The actual customer support.

Buff Hardback
Jun 11, 2019


Cup Runneth Over posted:

You think that's scary? I know from experience there are banks with customer support that will trigger a 2FA auth and ask you to repeat it back to them to verify your identity. No, not a scammer. The actual customer support.

When working with phone support I'm not really sure what the better situation is.

I know Simple (my bank) does do this, but the phrasing of the message is "Your Simple verification code to provide to the Simple team member is xxxxxx", not just "Your Simple verification code to log in is xxxxxx".

Arsenic Lupin
Apr 11, 2012

This particularly rapid unintelligible patter isn't generally heard, and if it is, it doesn't matter.





My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Ynglaur
Oct 9, 2013



Arsenic Lupin posted:

My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Wells Fargo, an ocean full of piss, sounds about right.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

Arsenic Lupin posted:

My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Wells Fargo, so it checks out. As far as banks that make gross errors, they are top on my list.

Martytoof
Feb 25, 2003

 
 


I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Martytoof posted:

I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.

Yeah, I did that too when I moved back to Canada.

“So do you want to see ID?”
“Nah, that’s fine.”

Martytoof
Feb 25, 2003

 
 


Yeah, I moved my SIM to an eSIM and the guy was like “ok what’s the phone number” and 30 seconds later gave me a QR code to scan.

I was the same. Want some ID? Nah.


CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

Did the same thing when I moved from Sprint to T-Mobile. No proof of ID required, just a couple of digital signatures and I had my number transferred in less than 30 minutes.
