Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com)
An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
Re: (Score:1)
We all lost during the primaries, regardless of who you voted for.... Maybe before that.
All SMS-based 2FA Systems should use Signal (Score:5, Insightful)
End to end encryption easily solves this and other problems related to government spying.
First of all, these are not cellular network "vulnerabilities." These are "features." And these "tools" are not Proof-of-Concepts for finding weaknesses in the networks. They are "products" that are sold to government for the purpose of spying on YOU and ME.
Re: (Score:3)
Why even bother trying to transmit the code? Just use time based codes.
Re: (Score:2)
Agreed. Just use a proper hardware or virtual MFA device.
Codes sent via SMS don't really count as a second factor (it's another "something you know" like your username and password and not a "something you have") and they can be captured during transmission. NIST has been recommending against them since July of 2016.
Re: (Score:2)
Said someone who doesn't know the history of these protocols. SS7 has been around for a long, long time, longer than the IPv4 we all love to hate. It was developed in the days of yore, before the breakup of Ma Bell, when there were only a handful of telephone companies, and they all had reasonably tight control over their signalling networks (having started to learn their lesson from Captain Crunch, blue boxes, and the other phreakers). It was never intended to be used as it is today.
Besides, if the national
Re: (Score:3)
SS7 ISUP, yes, is very old. Other parts of SS7 are not so old. In fact, SS7 allows you to extend it to do custom things and pass vendor specific data in proprietary formats, and many vendors have done this. Some SS7 extensions fell into common use, others didn't. But SS7 has been changing a lot over the last few decades as voice and data services have evolved and many proprietary extensions have become commonly used.
Most of this advancement though has pretty much ended at this point. These days the
Re: (Score:2)
I am waiting for everyone to use Signal!
bank? (Score:2)
My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?
Re: (Score:3, Funny)
Re:bank? (Score:4, Insightful)
Basically SMS isn't secure, and shouldn't be treated as a method of securely transmitting data.
Re:bank? (Score:4, Informative)
Re: (Score:1)
The problem is partly that people don't actually use 2 factor authentication.
For example, you can usually click on a link to reset your password. They'll "verify" it's you doing it by sending a code over SMS that you have to enter, but if that code is intercepted it's adequate to override the password rather than required in addition to the password.
Another example would be someone who saved their password on their phone, so the same device, once compromised, has access to the SMS and the password.
So, really th
Sane system would still need a password (Score:2)
No kidding, if this stuff was actually two-factor, you'd still need the password even if you could prove access to the phone's data.
Also, it wasn't a coin wallet they hacked, it was Gmail. Gmail is apparently where the vulnerability is.
Oh, not to mention it may not be a good idea to farm out the security of your bitcoin (ish) keys to some online third-party. I mean, yeah, we give money to banks instead of putting it under our mattresses, but they're FDIC insured and certified by the government (who can ju
Re: (Score:2)
Re: (Score:2)
My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?
FDIC insurance says everything about the give-a-shit level of most banks.
Re: (Score:1)
That's not what the FDIC is for. FDIC covers bank failures only. Also the cost of FDIC is very, very low because even a bankrupt bank has a net asset value of approximately zero, so the FDIC just has to kick in a little cash to get a buyer.
You shouldn't really post if you have no idea what you are talking about.
Re: (Score:3)
What is that even supposed to mean? The FDIC doesn't protect the bank against anything, it protects you in case your bank becomes insolvent. It does not protect you or the bank from fraud, robberies, or anything else.
Re: (Score:2)
It probably could. The method you are depicting could also be used by intercepting your SMS message from the reset of your password as well as a transaction confirmation method. Once they reset your password, make a transaction, okay it all while still intercepting your SMS, and voilà. All unbeknownst to you, they have drained your account. Are there other safeguards in place to ensure that this does not happen? I do not know at this point, but that is a good question to ask.
This I hope actually does r
Apps (Score:4, Funny)
Only LUDDITES use text messages for two-factor authentication. Modern app appers app authentication apps for authentication through apps.
Apps!
Re: (Score:3)
You joke, but it sounds like you're describing 2FA apps :-P
Re: (Score:3)
Google may be savage but Google is legal.
Google won't empty your bank account without your permission, Google won't ask you for a ransom, Google won't use your computer as a proxy for all kinds of illegal activity.
That's also why it is better to be in debt to a bank than to the mafia, no matter how savage banks are. Sure, debt collectors are annoying and they may take your house but at least your life will be safe and you won't be mailed body parts of family members.
Re: (Score:2)
That's also why it is better to be in debt to a bank than to the mafia, no matter how savage banks are. Sure, debt collectors are annoying and they may take your house but at least your existence will be safe and you won't be mailed body parts of family members.
Your life is still f_%ked either way. It's just that one MAY be recoverable.
Curiosity, why do banks collect relative information on all their loan documents? Habit?
Re: (Score:2)
All the information they ask for has the same purpose: to judge how risky you are in order to determine how much they will lend you and under which conditions (rate, guarantees, ...). If they don't ask questions, it may not be a good sign, because they will assume you are high risk by default.
Having a rich and stable family that can help you is much better than having a family that needs help. This will be taken into account, just like your job, your health, your criminal record,
Re: (Score:2)
> Curiosity, why do banks collect relative information on all their loan documents? Habit?
Probably so they can track you down if you don't pay up. Even many fugitives stay in touch with friends and family at some point.
SMS!=text (Score:2)
This is two-step, NOT two factor (Score:2, Interesting)
Re: (Score:2)
You don't "have" the SMS message; it exists in many places, hence the vulnerability.
It is a second "step" since to receive it you should have already entered a valid password associated with the cell phone number.
Re:This is two-step, NOT two factor (Score:5, Insightful)
Re: (Score:1)
Serious Threat...minor chances (Score:2)
Re: Serious Threat...minor chances (Score:3)
The exact same attack, "false roaming request", has been in the wild since 2003 or 2004. Literally millions of people lose money due to having their phone number hijacked and used to send SMSes to paid numbers.
Same trick is being used by Russian spies to regularly steal online accounts of European politicians
Re: (Score:2)
They already did. It's called Diameter [wikipedia.org]
stop using your primary phone (Score:2, Interesting)
If you're paranoid or actually at risk of being hacked, buy a burner phone and use that for your 2 step authentication.
Nobody can social engineer or cell tower hack your number because they don't know it.
Still better than password only (Score:5, Insightful)
So... still better than password-only. That's probably good enough for my purposes.
Re:Still better than password only (Score:5, Insightful)
With this SMS intercept exploit, they can get into your account without knowing your password.
You're thinking of using an SMS in addition to your password in order to log in to an account - i.e. 2FA. Yes, in that case it's better than password-only (unless it lulls you into picking a poor password because you think you're being protected by the SMS). But that's not what this exploit is about. It's about resetting your password by intercepting an SMS that was supposed to go to your phone. The SMS is used to bypass your password, not to augment it. (In your defense, TFA conflates the two as well, leading to the confusion.)
In other words, it's stupid using 2FA to login, if your password reset procedure is 1FA. Attackers will simply ignore the stronger security to target the weakest link - the 1FA step.
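The point made in this comment, that an account is only as strong as its weakest login or recovery route, can be checked mechanically. The following is an added example, not code from the thread or from any provider: each route is a list of alternative factor sets (any one set suffices), and an attacker holding a given set of factors takes over the account if some route's requirements are a subset of what they hold. The two policies, an SMS-reset policy and one where SMS has been removed from recovery as the summary advises, are constructed for the example; the names of the routes and factors are this example's own.

```python
from typing import Dict, List, Set

Factor = str
# A route is satisfied if ANY of its alternative factor sets is fully held by the attacker.
Policy = Dict[str, List[Set[Factor]]]

# Constructed policies. "login" already requires password + SMS (true 2FA);
# the difference is entirely in the password-reset route.
SMS_RESET_POLICY: Policy = {
    "login": [{"password", "sms"}],
    "reset_password": [{"sms"}],                      # 1FA recovery: SMS alone
}

HARDENED_POLICY: Policy = {
    "login": [{"password", "totp"}],
    "reset_password": [{"recovery_code"}, {"totp", "backup_email"}],  # no SMS anywhere
}


def takeover_routes(policy: Policy, attacker_has: Set[Factor]) -> List[str]:
    """Names of the routes an attacker with `attacker_has` can complete unaided."""
    return [name for name, alternatives in policy.items()
            if any(required <= attacker_has for required in alternatives)]


def weakest_routes(policy: Policy) -> List[str]:
    """Routes that need the fewest factors; these are where an attacker will push."""
    cost = {name: min(len(r) for r in alternatives) for name, alternatives in policy.items()}
    floor = min(cost.values())
    return sorted(name for name, c in cost.items() if c == floor)


def exposed_to_sms_intercept(policy: Policy) -> List[str]:
    """Convenience check for the attack in the article: an adversary who only holds
    the SMS channel (SS7 redirect, SIM swap) and nothing else."""
    return takeover_routes(policy, {"sms"})


def effective_factor_count(policy: Policy) -> int:
    """How many factors an attacker must actually obtain, across every route."""
    return min(len(r) for alternatives in policy.values() for r in alternatives)


if __name__ == "__main__":
    for label, policy in (("sms-reset", SMS_RESET_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: weakest route(s) {weakest_routes(policy)}, "
              f"effective factors {effective_factor_count(policy)}, "
              f"SMS-only attacker wins via {exposed_to_sms_intercept(policy) or 'nothing'}")
```

Running it shows the "2FA login, 1FA reset" shape directly: the SMS-reset policy advertises two factors at login but its effective factor count is one, and an attacker holding only the SMS channel succeeds through `reset_password`, which then hands them the password for `login`. The same analyzer can be pointed at any real policy you write down (backup emails, security questions, support-desk overrides), which is usually where the surprising one-factor routes hide.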
Re: (Score:2)
Yes, the article (and summary) confused me. On my Google account, to do a password recovery I believe they'd need to compromise my second email account and know a security question to recover my Gmail account. If they do all that, then yeah I'm screwed but frankly that is a lot of work and they could just steal my identity instead :)
Re: (Score:3)
Replying to myself. Apparently Google discontinued the secret question method so honestly I have no idea what happens when you try to recover your account and I'm not in the mood to try it :)
Re: (Score:3)
But you're not considering security through obscurity. And while we all know that's a bad idea, there is still significant overhead when it comes to knowing enough about my personal details to break into my banking website. In no particular order:
What bank do I use?
What is my login to that bank?
What phone number do I use?
Do I have 2fa using text turned on?
An attacker needs to know all of that in order to leverage this sort of attack. Even getting into my email requires the phone number when
Re: (Score:2)
IMO, currently the user-definable Security Question/Answer is a better choice over SMS. This way you do NOT have a set of predefined questions to establish a pattern off of (e.g. mother's maiden name, high school attended, street you grew up on, etc.), you know, anything that is based on public record. Could your phone number also be considered "public record", considering most everyone asks for it as a point of contact on about EVERY document you have to sign (which means they now have your signature as well)?
2FA with SMS is not about security (Score:5, Insightful)
It is just an excuse to harvest your phone number.
Re: (Score:3)
It is just an excuse to harvest your phone number.
For what purpose?
Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting. Moreover, knowing peoples' phone numbers really isn't all that useful. I suppose there may be some rare situation in which it could be used to correlate information from various sources to create a more comprehensiv
Harvest it all, figure out what it's good for l8r (Score:2)
It is just an excuse to harvest your phone number.
For what purpose?
To sell it to Rachel from Cardholder Services, I expect.
Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting.
Moreover, knowing peoples' phone numbers really isn't all that useful.
All information about a consumer is useful information, if you have enough of it. You may not know yet when it will be useful, or what it will be useful for, but if you're a big info corporation harvesting info, you want to harvest all the info you can: it will be useful someday, and once people understand how giving that info to you was a bad bad idea, they will stop giving it to you-- so you want to get it now, before they realize it.
Re: (Score:2)
It is just an excuse to harvest your phone number.
For what purpose?
To sell it to Rachel from Cardholder Services, I expect.
What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.
Personally, I think you're nuts. I've been around the security business for the last 20 years, working for and consulting with many organizations that have set up 2FA for their users... and I have never, once, heard anyone suggest that it is useful for phone number harvesting. Moreover, knowing peoples' phone numbers really isn't all that useful.
All information about a consumer is useful information, if you have enough of it. You may not know yet when it will be useful, or what it will be useful for, but if you're a big info corporation harvesting info, you want to harvest all the info you can: it will be useful someday, and once people understand how giving that info to you was a bad bad idea, they will stop giving it to you-- so you want to get it now, before they realize it.
All information about a consumer is also a liability. Lots of organizations haven't figured this out yet, but I think pretty much all of them savvy enough to be implementing 2FA understand it.
Re: (Score:2)
It is just an excuse to harvest your phone number.
For what purpose?
To sell it to Rachel from Cardholder Services, I expect.
What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.
I don't know where Rachel from Cardholder Services got my cell phone number, but she certainly got it from somewhere.
Basically, what you posted in this thread can be summarized "oh, just trust them with the information, they won't misuse it. And anyway, I can't think of how I would misuse it, so obviously some corporation couldn't think of a way either."
...All information about a consumer is also a liability. Lots of organizations haven't figured this out yet,
Right the first time: Lots of organizations haven't figured this out yet.
but I think pretty much all of them savvy enough to be implementing 2FA understand it.
The historical record does not back you up on this.
https://www.comparitec [comparitech.com]
Re: (Score:2)
It is just an excuse to harvest your phone number.
For what purpose?
To sell it to Rachel from Cardholder Services, I expect.
What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.
I don't know where Rachel from Cardholder Services got my cell phone number, but she certainly got it from somewhere.
What makes you think it's from some 2FA? Seriously, what organizations do you give your number to for 2FA? Your bank. Your email provider (e.g. Google). Can you think of one that would not suffer more by being discovered to sell those numbers than they would gain?
The historical record does not back you up on this.
Red herring. Those links are about data breaches, not sales. The claim here is that organizations offering 2FA ask for your number specifically to misuse it.
Just trust them- they're not evil, they say so (Score:3)
Red herring.
Your entire post is a red herring. You're basically saying "I don't think they'd do anything bad because we can trust giant corporations."
You haven't put forth any reason to think that, you just do.
I don't. The entire history of the web tells us that you can't trust corporations with personal information.
And, I really don't care whether they gave my number to Rachel at Card Services (and everybody else in the world) because of a data breach or because they sold it. That's a distinction without any differenc
Re: (Score:2)
All information about a consumer is also a liability.
Tell that to Equifax... If what you say is even slightly true they should be out of business 10 times over.
Dollars to donuts in 2 years it'll be business as usual.
Re: (Score:2)
All information about a consumer is also a liability.
Tell that to Equifax.
Well, in their case information about consumers is their entire business. Which means they should be crazy paranoid about security, because it literally is their entire reason for existence, to securely gather and disseminate -- but only when and where it's proper -- highly-personal information.
Dollars to donuts in 2 years it'll be business as usual.
Yeah...
I'm generally pretty laissez-faire, but this is an area that I think we need regulation. There should be specific, and severe, penalties for data breaches. And even more severe penalties for hiding data brea
Re: (Score:2)
It is just an excuse to harvest your phone number.
For what purpose?
To sell it to Rachel from Cardholder Services, I expect.
What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.
I was talking more about "free" services than corporate authentication. There are many of them that would like you to give them your phone number; it used to be for password recovery, but now they claim it is for extra security. Steam pesters me all the time. I tried installing the mobile app to see if that was enough, but no, they want my phone number, even though it is less secure than my email. I can only imagine it is for selling on.
Is there any good form of authentication. (Score:3)
There is always a way in. For Apple's Face ID, they state there is a 1 in a million chance of breaking it. That means there are probably over 6,000 people in the world who could get into your phone with their face alone. And since close relatives and people with similar genetics often live close by, some of these 6,000 people may be rather close.
Humans actually make worse assumptions when granting access to security. They can often be conned into thinking you are someone who you are not rather quickly. The most effective hacks are social hacks, where someone actively gives the bad guy access to their computers.
Using text as part of the two-factor authentication isn't as bad as most. Since most security problems don't come from someone hacking into your account, but from getting in the back door and getting your info that way, the two-factor with the text is probably good enough as a rather secure method to protect your account for sites where they wouldn't bother targeting just you. Just because, if they stole a password table, they wouldn't spend the time trying to hack the text response if they have a million more passwords to try.
Re: SMS has more problems than that (Score:2)
Or you can lose it by something more common, such as moving.
Depending where you live, and/or move to, it may not be "possible" (I'm certain it's an artificial limitation) to keep your old number. Some carriers even approach users that are out of their "service area" for extended periods, sometimes even just cutting them off without notice and forcing them to get a "local" number.
I know this varies largely by what country you live in, but it does happen, and happens quite often in many parts of the world.
SMS wasn't designed to be secure (Score:2)
Starfleet Regulation 46(a) (Score:2)
"If transmissions were being monitored during battle, no uncoded messages were to be transmitted on an open channel."
And yet even though they were aware enough to draft a regulation, their mobile communicators didn't come with a secure messaging system either.
Re: (Score:2)
queen to queen's level 3
Re: (Score:2)
Ha! I'm playing for a draw.
Re: (Score:2)
Oh - it's a pretty oblique reference. http://www.ericweisstein.com/f... [ericweisstein.com]
That was their clear (compromised) channel challenge key.
Re: (Score:2)
Far from oblique, as was my reference to TNG Season 2 Episode 21.
Re: (Score:2)
My mistake! Never became much of a TNG fan...
Just get hardware token for $15 (Score:1)
I happen to have a YubiKey from YubiCo but there are probably other vendors. The cheap version is just USB-A. The expensive version has NFC so you can use it with most modern smartphones to authenticate. It works with Google, which is probably what you care most about. Facebook also supports it, although it's not as important. I haven't used it in months; it only matters if you're on a "new" device and leaves you alone otherwise. Incidentally, Facebook will also encrypt your password-recovery requests with
Just Don't Give It Out (Score:1)
Just don't give out your phone number. Google has no reason to know my phone number. I don't have to disable 'two factor authentication by text message' if they don't have my phone number.
Re: (Score:1)
That's so likely to be a phishing expedition that anybody who actually gives them a phone number is being very foolish.
No, when presented with an 'issue' like that, unless there is an absolute emergency in progress and you need to use 'their service', the proper thing to do is become 'very concerned for your security' and eat up a TON of their tech support with a human operator making certain that it is 'safe' to use 'this device' with their service. Get on their actual human tech support with a very cost
Re: (Score:2)
I have seen just as bad with security Q/A which they implemented later.
Steps:
Reset Password
Enter Security Question (blank, one was not previously set)
Enter Security Answer (blank, also previously not set)
Returns failed reset (as they do not allow a blank security Q/A)
Re: (Score:2)
Alternatives? (Score:1)
For some applications one wants multiple ways to verify identity. Any one of those ways can be hacked, so does that mean multi-"channel"-verification should be done away with altogether, leaving one stuck with weak single-channel verification? What are the alternatives? Humans knocking on doors and taking finger-prints? Even ignoring the cost of personal visits, finger-prints can be hacked also with with rubber facades and bribery. It sounds like the nothing-is-perfect-so-do-nothing argument. The fetal posi
How does Google messenger work? (Score:2)
I changed the number to a Google Voice number. I get the alert in email to my Gmail account, and also a message to the phone. But not to the default SMS application, but to some Google+ messenger kind of thing. Frankly I thought they were dead. But they give me the alert.
Does this also us
PR for another (pseudo) security firm (Score:1)
Practicality (Score:3)
The thing is: Using texts is a lot better than nothing.
The other thing: Using texts is practical. I just had my phone die, with all sorts of authenticator apps on it: for Google, for my credit cards, for my bank, etc.. To get those all replaced is an absolute PITA. Whereas anything using texts was automatically moved to my new phone, just by moving the SIM card.
Security has to be practical, or people won't use it. Texts are very practical. Instead of encouraging people to do something else, why not improve texts? Just as an example, how about if texts were encrypted ("Signal" or some similar protocol)?
Re: (Score:1)