brianmiddleton 2 days ago

I just got an email from my credit union that they're "transitioning from email passcode delivery to more secure methods such as phone calls and text messages". I need to send them this video.

That credit union is awful for many other reasons, so I don't keep much in that account, but I wonder why banking in the US is so bad at security. I don't think I have a single bank or credit card online account that allows for TOTP. It's all SMS or phone call, with one bank allowing for app push notifications.

Is there a compliance check box that requires SMS over something with at least some security?

  • Our_Benefactors 2 days ago

    > Is there a compliance check box that requires SMS over something with at least some security?

    Yes - it ticks the box for 2FA.

  • thepratt 2 days ago

    I'm surprised they're putting SMS 2FA in now. In 2016 NIST released new guidelines that essentially "banned" SMS 2FA use. It's heavily suggested that US banks follow NIST guidelines; I'm unsure if there's any actual legal requirement for them to.

    You could always send the portion of the guidelines to as many credit union people as possible. Someone may bite.

    • TrapLord_Rhodo 2 days ago

      NIST is all about internal controls. It says nothing about dictating controls on your users.

      • thepratt 19 hours ago

        That's not entirely correct. The main purpose is how US federal agencies handle stuff such as digital identities, this includes all digital identities - employees and citizens/other. Private institutions can use it as guidance for whatever purpose. You can find this information in the abstract of revisions https://pages.nist.gov/800-63-3/sp800-63-3.html

gastonmorixe 3 days ago

Therefore, by adding multiple ways to log in/recover an account, each additional one lowers the safety?

Also, worse: does this mean that by just having one bad 2FA/recovery method like SMS along with more secure ones like TOTP/RFC 6238 or hardware keys, the overall security level is as low/bad as the worst method undermining the rest? Why do companies still allow or even encourage multiple methods (and SMS)?

I love the convenience of SMS sometimes, but if it doesn't add any security at all, just a false sense of security: they won't even need an IMEI from me, just my phone number, jeez. This should be solved or forbidden by major institutions and services.

  • lisper 3 days ago

    Like everything in computer security, it's complicated, and there are tradeoffs.

    First, intercepting SMS is not that easy. It's "easy" for someone who knows what they are doing and is willing to expend some resources, but it's not a casual attack that can be mounted by a script kiddie. It's a lot easier to steal your phone number using a social engineering attack. The easiest one to execute is to impersonate you somehow and get your number transferred to a "new" phone. That one got me a few years ago. Very scary.

    Second, in order to exploit an SMS attack you have to be able to link the number to e.g. a bank account. One mitigation for this is to use different and non-obvious user IDs for critical accounts.

    Third, despite its weaknesses, SMS 2FA is better than no 2FA at all. Even if breaking SMS is "easy" it's still an additional cost for a prospective hacker. You don't have to outrun the bear.

    But it is good to be aware that SMS 2FA is weak. It's better than nothing, but for things that are really mission-critical you should seek alternatives.

exabrial 2 days ago

Can we stop requesting SMS "authentication" for everything? Holy hell, I don't want my cell number to be a back door into everything, yet so many services are making this account backdoor mandatory.

ksec 15 hours ago

The video actually shows this only applies to 2G and 3G. And while it stated that the EU (as usual) used 2G for every car sold, they can stop supporting all 2G and 3G on mobile.

To quote a report from GSA:

>192 operators in 68 countries and territories have completed, planned, or are in the process of switching off their 2G and 3G networks.

So it is not as bad as most people think. My only wish is that we could do the 5.5G transition a lot faster and switch off 2G / 3G ASAP.

Zren 3 days ago

Feels like SS7 was deliberately left vulnerable from requests within the country for tracking purposes. A lot of the security seems to be done with firewalls within the walled garden so it's easier for the five eyes to track cell phones live without giving direct access to the databases.

That said, the real world example Veritasium used was chilling.

Having LinusTechTips as a 2nd example (who's showing off his new Apple phone) was a nice counter too. I'm pretty sure LTT uses multi-factor + user auth though, so I'm guessing that SMS 2FA email was an alt email for personal use.

Gonna have to watch that 2014 presentation on SS7 it seems.

  • cute_boi 3 days ago

    These vulnerabilities are something we know about and are already scary. I wonder how capable 3-letter organizations are.

  • cromka 3 days ago

    I had the same thought on SS7 being kept vulnerable on purpose. The continuous attempts in the EU and elsewhere at tapping E2EE communication, and the fact that email remains insecure despite so many proposals, make me think this really is one of those things that get agreed upon behind closed UN doors. And I am NOT a fan of conspiracy theories.

    I think that lack of information, i.e. any effort to remediate this, is information in itself.

  • dyauspitr 3 days ago

    It’s kind of nuts, with one of those SS7 tickets you could easily use a bot to drain 1000s of bank accounts an hour based on the 2FA vulnerabilities.

    • IshKebab 2 days ago

      How? It's 2FA, not 1FA. I have yet to use an authentication system that only required an SMS code.

      • meowster 2 days ago

        Lots of authentication systems use an SMS code to reset your password, thereby essentially becoming 1FA.

        • IshKebab a day ago

          Can you give an example? I don't think I've ever seen that, especially not from a bank!

          • meowster a day ago

            Banks usually have information they can ask for, like a Social Security Number (which is inevitably in some leak).

            eBay is the first one that comes to mind. I know I've run into it a couple of other times where a website will just offer to text you a code, but usually there is a small link you can click that says "use my password instead".

            Facebook and Amazon don't have my cell phone number, but I bet they have an option.

            I don't usually try to reset my passwords since I use a password manager, so it's probably more common than that.

threesevenths 2 days ago

If you're looking for privacy, don't bring a two-way radio GPS tracker with you everywhere you go.

  • IshKebab 2 days ago

    I'm not looking for perfect location privacy from the government. What's that got to do with the subject at hand?

absqueued 2 days ago

Can we keep the original video title when posting?

  • Zren 2 days ago

    YouTubers regularly swap the video thumbnail + title. YouTube even has tools to A/B test various thumbnails + titles nowadays for different users.

    I can confirm that the title "I Hacked My Friend's Phone to Show How Easy It Is" was the actual title when the video was uploaded. However, you're right that it now looks like it changed to "Exposing The Flaw In Our Phone System" a day later.

    Watch an older Veritasium video about YouTube's title+thumbnail clickbait: https://www.youtube.com/watch?v=S2xHZPH5Sng

    • absqueued a day ago

      This was news to me. Yeah, now their title says "Exposing The Flaw In Our Phone System".

      +1 for the explanation above.

cute_boi 3 days ago

I am worried about banks that use SMS for 2FA. :/

bbogdn2 3 days ago

Privacy really doesn't exist, huh?