2FA two step verification & the obsession with security
madires:

--- Quote from: mac.6 on February 15, 2022, 01:47:21 pm ---SMS OTP is not secure *at all*
SIM theft/hijacking is a thing that is awfully simple and happens everyday:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/

--- End quote ---

It's not just SIM swapping. There are also many security issues in the SS7 protocol/networks allowing rogue parties to hijack or redirect SMS messages. Or some home banking trojan runs on your smart phone.
PlainName:

--- Quote from: madires on February 15, 2022, 02:27:22 pm ---
--- Quote from: mac.6 on February 15, 2022, 01:47:21 pm ---SMS OTP is not secure *at all*
SIM theft/hijacking is a thing that is awfully simple and happens everyday:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/

--- End quote ---

It's not just SIM swapping. There are also many security issues in the SS7 protocol/networks allowing rogue parties to hijack or redirect SMS messages. Or some home banking trojan runs on your smart phone.

--- End quote ---

It's better than the alternative of not using it, if you won't or can't rely on passwords alone. The big problem with things like SMS is that they are treated as infallible, which is one reason why hijacks and similar work so often. Same with biometrics - computer says it's their fingerprint therefore it must be them without question.
PlainName:
Sorry, posted before I'd collected my complete thoughts :)

What's happening here, with SMS and the like, is that they are not perfect, and are therefore deemed to be abhorrent to use. The same is said of security by obscurity wherever that crops up. Sure, it's not perfect but by, for instance, moving your POP3 port to 2371 to hide it you disappear off the radar of a lot of opportunistic hacks. SMS isn't perfect, but by using it you've stiffed the opportunistic hacks where a password has been compromised. Taking it further - obtaining the duplicate SIM (or scanning every port) - is extra work that many, many bad guys aren't going to bother with.

So, SMS isn't perfect, but it strikes a balance between being wide open and having the user jump through flaming hoops. For many applications, that's fine.
Marco:
It's not good enough for crypto gambling/tax evasion at any rate.
ejeffrey:

--- Quote from: dunkemhigh on February 15, 2022, 12:42:38 pm ---One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or a generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (sod's law says they will start with 15 seconds to go).

Won't anyone think of the chiuser?

--- End quote ---

In my opinion SMS is still OK to support as a method of last resort in low security scenarios.  It still protects against most brute force attacks even if SMS is relatively insecure.  It's not perfect but nearly universal and people understand how to use it pretty easily.  I just don't think it should be the default.

Also, with 2G mostly shut down and 3G scheduled for turndown over the next few years in much of the world, the list of phones that can receive SMS but can't run an authenticator app is short, and for sure far shorter than the reverse: mobile devices able to run a TOTP app but without a cellular connection or with a data-only connection.
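Added example, not from any post in this thread: what the TOTP authenticator app discussed above actually computes (RFC 6238 over RFC 4226 HOTP), and the server-side check that tolerates one 30 s step of skew so the "started with 15 seconds to go" case still verifies, while refusing counters already used. The secret is the RFC 6238 test-vector seed; the submission times are constructed.

```python
# Added example (not from the thread): RFC 6238 TOTP, i.e. what an
# authenticator app computes, plus the server-side check with a small
# clock-skew window and replay refusal.
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1) -> Optional[int]:
    """Server-side check. Accepts the current step and +/-skew neighbours, so a
    code typed just before the 30 s boundary still works. Returns the counter
    the code matched (the caller must persist it) or None. Counters at or below
    last_counter are refused so an intercepted code cannot be replayed."""
    base = unix_time // step
    for delta in range(-skew, skew + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA1 test-vector seed
    code = totp(secret, 59)           # generated with 1 s left in its step (constructed time)
    print(code, verify_totp(secret, code, 75))             # submitted in the next step: accepted
    print(verify_totp(secret, code, 75, skew=0))           # strict server, no skew: rejected
    print(verify_totp(secret, code, 75, last_counter=1))   # same code again: replay refused
```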