
Test Equipment Anonymous (TEA) group therapy thread


BillB:

--- Quote from: tggzzz on June 30, 2018, 01:26:36 pm ---
--- Quote from: bd139 on June 30, 2018, 12:45:22 pm ---To be fair they're pretty good now. They could easily force 2FA on paypal and ebay accounts though. That would kill all the hacked accounts dead.

--- End quote ---

Er, no. It would make it more difficult, though.
...

--- End quote ---

I see the trend of many commercial and govt entities using 2FA, though.  It would be more of a PITA for the user base, but requiring an authenticator app/code challenge should certainly lower the number of stupid user password hacks, shouldn't it?

bd139:

--- Quote from: tggzzz on June 30, 2018, 01:26:36 pm ---
--- Quote from: bd139 on June 30, 2018, 12:45:22 pm ---To be fair they're pretty good now. They could easily force 2FA on paypal and ebay accounts though. That would kill all the hacked accounts dead.

--- End quote ---

Er, no. It would make it more difficult, though.

"Identity" is a known "hard problem". See the government's repeated attempts to introduce identity management - when you look at the details the "how it fails" use cases multiply and the "can be used for" cases diminish. It reminds me of the old adage, "If you think encryption will solve your problem, you don't understand encryption and you don't understand your problem".

The credit card industry doesn't even try to authenticate identity - it, very sensibly, authenticates transactions.

--- End quote ---

If they forced 2FA (I should say MFA) and reauthentication before listing, it covers both scenarios in this case. As long as one factor is physical, i.e. a security token, that stops non-possessors using intangible secrets which have been obtained or are shared. This leaves the rubber hose as the only remaining vector, which you can’t defend against.

Credit cards are completely different. And also wonky as fuck in the authentication side of things. On front office / POS, identity is number one. It’s very difficult which is why there’s a lot of assurance cycles burned up front followed by risk management followed by protection of identity when you have managed to develop a comprehensive profile. Do I want to sell a plan to Bob. Is Bob actually Bob? Is it the same Bob as the other 76 Bobs we have? Identity management is my bread and butter for ref.

There’s no encryption used at a conceptual level here; only in typical token auth scenarios.

Tl;dr: if they have a physical TOTP/HMAC token or, less good, an app, then it forces them to provide one more bit of information before doing something potentially fraudulent, using something an attacker doesn’t have possession of.


--- Quote from: BillB on June 30, 2018, 02:09:21 pm ---
--- Quote from: tggzzz on June 30, 2018, 01:26:36 pm ---
--- Quote from: bd139 on June 30, 2018, 12:45:22 pm ---To be fair they're pretty good now. They could easily force 2FA on paypal and ebay accounts though. That would kill all the hacked accounts dead.

--- End quote ---

Er, no. It would make it more difficult, though.
...

--- End quote ---

I see the trend of many commercial and govt entities using 2FA, though.  It would be more of a PITA for the user base, but requiring an authenticator app/code challenge should certainly lower the number of stupid user password hacks, shouldn't it?

--- End quote ---

It does. It’s good enough to kill nearly all of this class of attacks dead in the water.

Edit: also it’s good enough to shift liability away from the technology provider. “Well you entered the token value. Were you in possession of the token? Oh no? We can’t help you then”

Cerebus:
Well, the issue isn't absolute identity, it's relative identity, i.e. "Is this the same person that opened this account", which is a much simpler problem. The government's identity problem exists because they are fixated with absolute identity instead of just authenticating entitlement/authority (e.g. using driving licences as a proxy form of personal identification instead of just using them to authenticate that someone is actually qualified to drive). Ninety-nine times out of a hundred in practical situations one doesn't need to actually establish an individual's actual identity, just "is this the guy who paid" or "is this the bloke who left this here" and so on.

bd139:
Government uses identity heavily already as well. HMRC for example. And they use 2FA! (via SMS)

Edit: also passport office, DVLA etc.

Gov needs one data source which is the problem. Gov.uk SSO was getting there. They hired one of the guys I fired about a decade ago amusingly.

tggzzz:

--- Quote from: BillB on June 30, 2018, 02:09:21 pm ---
--- Quote from: tggzzz on June 30, 2018, 01:26:36 pm ---
--- Quote from: bd139 on June 30, 2018, 12:45:22 pm ---To be fair they're pretty good now. They could easily force 2FA on paypal and ebay accounts though. That would kill all the hacked accounts dead.

--- End quote ---

Er, no. It would make it more difficult, though.
...

--- End quote ---

I see the trend of many commercial and govt entities using 2FA, though.  It would be more of a PITA for the user base, but requiring an authenticator app/code challenge should certainly lower the number of stupid user password hacks, shouldn't it?

--- End quote ---

It will introduce new forms of attack, e.g. via unprotected SS7 traffic for SMSs etc.
