threesevenths
an hour ago
If you’re looking for privacy, don’t bring a two-way radio GPS tracker with you everywhere you go.
12 hours ago
Therefore, by adding multiple ways to log in to/recover an account, does each additional one lower the safety?
Also, worse: does this mean that by just having one bad 2FA/recovery method like SMS along with more secure ones like TOTP/RFC 6238 or hardware keys, the overall security level is as low/bad as the worst method, undermining the rest? Why do companies still allow or even encourage multiple methods (and SMS)?
I love the convenience of SMS sometimes, but if it doesn't add any security at all, just a sense of fake security: they won't even need an IMEI from me, just my phone number. Jeez. This should be solved or forbidden by major institutions and services.
11 hours ago
Like everything in computer security, it's complicated, and there are tradeoffs.
First, intercepting SMS is not that easy. It's "easy" for someone who knows what they are doing and is willing to expend some resources, but it's not a casual attack that can be mounted by a script kiddie. It's a lot easier to steal your phone number using a social engineering attack. The easiest one to execute is to impersonate you somehow and get your number transferred to a "new" phone. That one got me a few years ago. Very scary.
Second, in order to exploit an SMS attack you have to be able to link the number to e.g. a bank account. One mitigation for this is to use different and non-obvious user IDs for critical accounts.
Third, despite its weaknesses, SMS 2FA is better than no 2FA at all. Even if breaking SMS is "easy" it's still an additional cost for a prospective hacker. You don't have to outrun the bear.
But it is good to be aware that SMS 2FA is weak. It's better than nothing, but for things that are really mission-critical you should seek alternatives.
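The TOTP alternative named in the question above (TOTP/RFC 6238) and in this reply's advice to seek alternatives to SMS, as an added example that is not part of either commenter's text: a minimal RFC 6238 generator and verifier, checked against the RFC's own Appendix B test vectors. The 30-second step, HMAC-SHA1, and the one-step verification window either side are assumptions of this example, not anything the thread states.

```python
"""RFC 6238 TOTP generation and verification (added example, not from the thread).

Assumptions (not stated on the page): 30-second time step, T0 = 0, HMAC-SHA1,
and a verification window of one step either side to absorb clock drift.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Accept a code for the current step or up to `window` steps either side.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched. A real deployment must also refuse to accept the
    same (secret, step) twice; that replay check is not shown here.
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, current + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# RFC 6238 Appendix B test secret for SHA-1: the ASCII string "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

# (unix time, expected 8-digit SHA-1 code) pairs from RFC 6238 Appendix B.
RFC_VECTORS = [
    (59, "94287082"),
    (1111111109, "07081804"),
    (1111111111, "14050471"),
    (1234567890, "89005924"),
    (2000000000, "69279037"),
    (20000000000, "65353130"),
]


def check_rfc_vectors() -> bool:
    """Return True if this implementation reproduces every RFC 6238 vector."""
    return all(totp(RFC_SECRET, t, digits=8) == code for t, code in RFC_VECTORS)


if __name__ == "__main__":
    print("RFC 6238 vectors match:", check_rfc_vectors())
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(RFC_SECRET, code, now))
    # A code from two steps ago is outside the +/-1 window and should be rejected.
    stale = totp(RFC_SECRET, now - 60)
    print("stale code verifies:", verify_totp(RFC_SECRET, stale, now))
```

The point for the thread's question: a TOTP code is derived from a shared secret that never transits the carrier network, so nothing an SS7 or SIM-swap attacker intercepts on the phone number helps them, provided the account does not also accept SMS as a fallback.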
9 hours ago
I just got an email from my credit union that they're "transitioning from email passcode delivery to more secure methods such as phone calls and text messages". I need to send them this video.
That credit union is awful for many other reasons, so I don't keep much in that account, but I wonder why banking in the US is so bad at security. I don't think I have a single bank or credit card online account that allows for TOTP. It's all SMS or phone call, with one bank allowing for app push notifications.
Is there a compliance checkbox that requires SMS over something with at least some security?
44 minutes ago
> Is there a compliance checkbox that requires SMS over something with at least some security?
Yes - it ticks the box for 2FA.
an hour ago
Can we keep the original video title when posting?
14 hours ago
Feels like SS7 was deliberately left vulnerable, from requests within the country, for tracking purposes. A lot of the security seems to be done with firewalls within the walled garden, so it's easier for the Five Eyes to track cell phones live without giving direct access to the databases.
That said, the real-world example Veritasium used was chilling.
Having LinusTechTips as a second example (who's showing off his new Apple phone) was a nice counter too. I'm pretty sure LTT uses multi-factor + user auth though, so I'm guessing that SMS 2FA email was an alt email for personal use.
Gonna have to watch that 2014 presentation on SS7, it seems.
14 hours ago
I had the same thought on SS7 being kept vulnerable on purpose. With continuous attempts in EU and elsewhere on tapping the E2EE communication and the fact that email remains insecure despite so many proposals makes me think this really is one of those things that get agreed upon behind closed UN doors. And I am NOT a fan of conspiracy theories.
I think that lack of information, i.e. of any effort to remediate this, is information in itself.
13 hours ago
These vulnerabilities are something we know about and are already scary. I wonder how much three-letter organizations are capable of.
14 hours ago
It’s kind of nuts: with one of those SS7 tickets you could easily use a bot to drain thousands of bank accounts an hour based on the 2FA vulnerabilities.
13 hours ago
I am worried about banks that use SMS for 2FA. :/
13 hours ago
Privacy really doesn't exist, huh?