Ebay SCAMS?
jpanhalt:
If Yubikey is so good, why doesn't PayPal recognize or use it?
https://www.yubico.com/
AVGresponding:

--- Quote from: bd139 on August 15, 2022, 06:09:48 pm ---
--- Quote from: AVGresponding on August 15, 2022, 05:53:19 pm ---
--- Quote from: bd139 on August 15, 2022, 02:31:24 pm ---
Yes. That's usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.

--- End quote ---

SIM cloning is a thing. The safest thing is to never assume you are safe, and to keep an eye on your paypal account etc.

--- End quote ---

That's very bad security advice.

SIM cloning is not a concern. It requires physical access to the SIM card. The point of this is to prevent remote attacks on your credentials by physically partitioning them. The guy in North Korea can't clone your SIM when your phone is in your pocket, but he can rip off your leaked credentials. But they are absolutely no good if you have your SIM in your device.

Also if all of your credentials are exposed then you are 100% compromised already. Your money is gone. And Paypal and eBay have no liability to give it back because you handed the keys over with your bad security posture. And if you just have a username and password then you're already exposed.

This is why 2FA is important and SMS is good enough.

For ref I use a Yubikey authenticator - that's a completely physically isolated factor.

--- End quote ---

Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...
bd139:

--- Quote from: jpanhalt on August 15, 2022, 06:15:18 pm ---
Probably not, but some dude in Chicago might. Cell phones are often stolen or lost. My home landline is buried up to the house and then screwed to its walls.

--- End quote ---

Oh an "expert". Here we go.

If your cell phone is lost / stolen, then one factor is lost. The other two are completely useless without it. Thus the security model is intact.

Your land line can be unburied. I used to be a phone phreaker and have tapped a few phone lines in my time. All you require is a linesman's set on copper pairs and you can make and receive calls outside the premises. If it's like the UK, you can even crack the box open down the road and tap there or just dig the lines up.

A land line is NOT secure at all. In fact it's 10x worse than a mobile phone because if your phone isn't a piece of crap you can destroy it remotely and the PIN is tarpitted so you can't get through it (caveat: don't buy an Android phone).


--- Quote from: jpanhalt on August 15, 2022, 06:15:18 pm ---
What's the difference between sending to a cell phone and sending to my registered PC?

--- End quote ---

1. You access your paypal account from your registered PC. That means there's not a second factor thus 2FA is pointless. You have all your credentials in one place. The point of 2FA is to separate them.
2. Pushing notifications to PCs is somewhat more difficult than mobile devices.


--- Quote from: jpanhalt on August 15, 2022, 06:15:18 pm ---
And finally, you are talking theory, not data. What's the incidence of fake sign-ins from registered PCs or landlines vs. cell phones?

--- End quote ---

No this is not theory at all. It is a security practice REQUIRED by every financial company in the EU as an example. The reason it exists is because there is data. Lots of it.

See: https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en

If you know better, that's up to you...

Edit: to note if you think you know better, when you get ripped off your bank will laugh and put the phone down on you because it's your fault not theirs so the liability is shifted (always think in terms of who is liable in financial transactions).
bd139:

--- Quote from: jpanhalt on August 15, 2022, 06:19:36 pm ---
If Yubikey is so good, why doesn't PayPal recognize or use it?
https://www.yubico.com/

--- End quote ---

It does. Paypal uses TOTP as a standard so you need an authenticator app. In that case I use Yubico Authenticator with my phone: https://www.yubico.com/products/yubico-authenticator/ ... this integrates with the yubikey.


bd139:

--- Quote from: AVGresponding on August 15, 2022, 06:25:48 pm ---
Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...

--- End quote ---

You're not wrong. This is why I use a physical hardware key. Also because my risk profile is huge and may result in court if I fuck up :)

The main thing we have here is not to have perfect security but a defence against common problems. If it's 99.9% effective, which basic SMS 2FA is, that reduces the risk for the majority of users and the risk to the business and the costs of handling claims etc.

As for Android, the problem is that you can root an Android intentionally or otherwise without too much of an issue. At that point the hardware and software integrity is gone which means anything on the device could read or generate 2FA tokens or data from messages.

Edit: On iOS there's a physically separate device in the hardware that contains keys which cannot be arbitrarily extracted. Worth reading: https://support.apple.com/en-gb/guide/security/sec59b0b31ff/web

Edit 2: my objections to Android are mostly due to the absolute lax update cycle, attention from vendors and cheap ass SoC implementations, the play store being chock full of malware including fake 2FA apps that steal your bank details (google it) and general user arrogance that it's fine. It's not.