Frank Slootweg <this@ddress.is.invalid> wrote:

> As I mentioned, you don't (have to use 2FA (actually 2SV in this
> case) to use Gmail). You just use it *once* per device (i.e. your
> desktop) and tick the box to add that device as a trusted device. No
> more 2SV/2FA for that device.

That won't work if you configure your web browser to purge all locally
cached data on its exit, as I do with Firefox. That tickbox will use
DOM/Web Storage, or maybe cookies, in the web browser to create a
fingerprint on your return visit. No matter how many times I have
ticked the "Remember me" checkbox to supposedly allow quick reentry to
an account, on a return the site doesn't know my web browser, and I have
to do the 2FA process again.

When I exit Firefox, all of the following are purged: browsing &
download history, active logins, form & search history, cookies, [web]
cache, site settings, offline website data (DOM Storage). When I
revisit a web site, it is as if it is the first time I visit there. The
site doesn't get to use any locally cached data to remember me. They
know nothing about my client, so they know nothing about my device,
either. They don't get to track me between web sessions.

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > As I mentioned, you don't (have to use 2FA (actually 2SV in this
> > case) to use Gmail). You just use it *once* per device (i.e. your
> > desktop) and tick the box to add that device as a trusted device. No
> > more 2SV/2FA for that device.
>
> That won't work if you configure your web browser to purge all locally
> cached data on its exit, as I do with Firefox. That tickbox will use
> DOM/Web Storage, or maybe cookies, in the web browser to create a
> fingerprint on your return visit. No matter how many times I have
> ticked the "Remember me" checkbox to supposedly allow quick reentry to
> an account, on a return the site doesn't know my web browser, and I have
> to do the 2FA process again.

Yes, that's the consequence of clearing browser data.

> When I exit Firefox, all of the following are purged: browsing &
> download history, active logins, form & search history, cookies, [web]
> cache, site settings, offline website data (DOM Storage). When I
> revisit a web site, it is as if it is the first time I visit there. The
> site doesn't get to use any locally cached data to remember me. They
> know nothing about my client, so they know nothing about my device,
> either. They don't get to track me between web sessions.

You could use a different profile for trusted services - like in this
example Gmail - and a profile for everything else.

Bottom line: If you're clearing browser data. it's going to have
consequences, desirable and undesirable. News at eleven.

On Tue, 27 Feb 2024 14:52:27 -0600, VanguardLH <V@nguard.LH> wrote:

>Have you ever measured the time from when you click Send in the web form
>to have the site send you the 2FA code to when you view it and manually
>enter the characters from the message into the web form to click Okay
>there to complete the roundabout routing of the 2FA code?
>
>The point isn't about how fast you can enter the 2FA code. It's about
>claiming 2FA is more secure when you're already at an HTTPS site to then
>send the code using INSECURE communication venues. E-mail is not
>secure. SMS is not secure. Phone calls are not secure. The window of
>opportunity exists when the 2FA code is insecurely transmitted.

It doesn't bother me in the slightest that a 2FA/2SV code is transmitted to me
insecurely. It's a one-time use code with a relatively short time to live. If
I've initiated it, I'm standing by to receive the code so that I can finish
logging in. If someone else sees the code, which is possible but unlikely, they
can't do anything with it.

If someone else has my password to a specific site, for example as the result of
a data breach, I might receive the code via SMS or email, which would be an
indicator that someone is trying to log in and it's probably time for me to
change that password.

>2FA is security theater.

I don't see it the same way.

Char Jackson wrote:

[snip]
>
> If someone else has my password to a specific site, for example as the result of
> a data breach, I might receive the code via SMS or email, which would be an
> indicator that someone is trying to log in and it's probably time for me to
> change that password.
>
>> 2FA is security theater.

The issue is not with the code.

It is that your phone may be cloned so that you don't receive the code,
but the criminal does. This is because phone companies have
historically not been good at preventing such cloning - and from their
point of view their loss is only the potential revenue from a few phone
calls.

It is true that the criminal needs access to your bank account; but if
he can clone your phone then stealing your login credentials may not be
too difficult. If he works for the bank it's even easier!

From the bank's point of view it's quite a challenge to confirm that
you really are who you claim to be, and that you're not acting under
duress. This is the area that needs innovative development.

--
Graham J

On 03/03/2024 4:50 PM, Graham J wrote:
> Char Jackson wrote:
>
> [snip]
>>
>> If someone else has my password to a specific site, for example as the
>> result of
>> a data breach, I might receive the code via SMS or email, which would
>> be an
>> indicator that someone is trying to log in and it's probably time for
>> me to
>> change that password.
>>
>>> 2FA is security theater.
>
> The issue is not with the code.
>
> It is that your phone may be cloned so that you don't receive the code,
> but the criminal does.  This is because phone companies have
> historically not been good at preventing such cloning - and from their
> point of view their loss is only the potential revenue from a few phone
> calls.
>
> It is true that the criminal needs access to your bank account; but if
> he can clone your phone then stealing your login credentials may not be
> too difficult.  If he works for the bank it's even easier!
>
> From the bank's point of view it's quite a challenge to confirm that
> you really are who you claim to be, and that you're not acting under
> duress.  This is the area that needs innovative development.
>
This is the reason the I will never put secure data on my phone. I only
use a laptop on my personal LAN when accessing bank and other secure
information.
Cell phones are too easily lost, and stolen. The convenience is just
not worth the risk.

On Sun, 3 Mar 2024 21:50:08 +0000, Graham J <nobody@nowhere.co.uk> wrote:

>Char Jackson wrote:
>
>[snip]
>>
>> If someone else has my password to a specific site, for example as the result of
>> a data breach, I might receive the code via SMS or email, which would be an
>> indicator that someone is trying to log in and it's probably time for me to
>> change that password.
>>
>>> 2FA is security theater.
>
>The issue is not with the code.

I'd have to hear that from VanguardLH, the person to whom I was responding. In
his post, the issue seemed to be almost entirely about the code being
transmitted via an unsecure means.

>It is that your phone may be cloned

That risk is low enough that I'm not going to worry about it. I'm much more
likely to be struck by lightning every day at 3PM for 7 days in a row.

I made up the stat for dramatic effect, before anyone tries to do the math.

>so that you don't receive the code,
>but the criminal does.

I don't think it works that way, but ICBW.

Graham J <nobody@nowhere.co.uk> wrote:
> Char Jackson wrote:
>
> [snip]
> >
> > If someone else has my password to a specific site, for example as
> > the result of a data breach, I might receive the code via SMS or
> > email, which would be an indicator that someone is trying to log in
> > and it's probably time for me to change that password.
> >
> >> 2FA is security theater.
>
> The issue is not with the code.
>
> It is that your phone may be cloned so that you don't receive the code,
> but the criminal does. This is because phone companies have
> historically not been good at preventing such cloning - and from their
> point of view their loss is only the potential revenue from a few phone
> calls.

It's not the phone which is/can_be cloned, but the SIM.

> It is true that the criminal needs access to your bank account; but if
> he can clone your phone then stealing your login credentials may not be
> too difficult.

There's no way that the other phone with the cloned SIM has the login
credentials. *If* the criminal has the login credentials, he must have
gotten them by other means.

> If he works for the bank it's even easier!

Can we get back to earth please!?

> From the bank's point of view it's quite a challenge to confirm that
> you really are who you claim to be, and that you're not acting under
> duress. This is the area that needs innovative development.

That's why banks have developed better 2SV (actually 2FA) means than
SMS, but that does not mean that SMS is dangerous. 2SV by SMS is used
billions of times witout any great problems.

On 4 Mar 2024 20:02:30 GMT, Frank Slootweg <this@ddress.is.invalid> wrote:

>Graham J <nobody@nowhere.co.uk> wrote:
>> Char Jackson wrote:
>>
>> [snip]
>> >
>> > If someone else has my password to a specific site, for example as
>> > the result of a data breach, I might receive the code via SMS or
>> > email, which would be an indicator that someone is trying to log in
>> > and it's probably time for me to change that password.
>> >
>> >> 2FA is security theater.
>>
>> The issue is not with the code.
>>
>> It is that your phone may be cloned so that you don't receive the code,
>> but the criminal does. This is because phone companies have
>> historically not been good at preventing such cloning - and from their
>> point of view their loss is only the potential revenue from a few phone
>> calls.
>
> It's not the phone which is/can_be cloned, but the SIM.

True, of course, but over here in the States we're somewhat behind the times in
that many phones don't have removable SIMs, so for those phones it mostly means
the same thing when you clone the phone versus when you clone the SIM. We're
slowly catching up, I think. My last couple of phones have finally had removable
SIM cards, long after the rest of the world had them.

>
>> It is true that the criminal needs access to your bank account; but if
>> he can clone your phone then stealing your login credentials may not be
>> too difficult.
>
> There's no way that the other phone with the cloned SIM has the login
>credentials. *If* the criminal has the login credentials, he must have
>gotten them by other means.
>
>> If he works for the bank it's even easier!
>
> Can we get back to earth please!?
>
>> From the bank's point of view it's quite a challenge to confirm that
>> you really are who you claim to be, and that you're not acting under
>> duress. This is the area that needs innovative development.
>
> That's why banks have developed better 2SV (actually 2FA) means than
>SMS, but that does not mean that SMS is dangerous. 2SV by SMS is used
>billions of times witout any great problems.

Char Jackson wrote on 3/4/24 12:17 PM:
> On Sun, 3 Mar 2024 21:50:08 +0000, Graham J <nobody@nowhere.co.uk> wrote:

>
>> so that you don't receive the code,
>> but the criminal does.
>
> I don't think it works that way, but ICBW.
>

Yes, it does not work that way.

--
....w¡ñ§±¤ñ

On Tue, 5 Mar 2024 10:38:47 -0700, ...w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote:

>Char Jackson wrote on 3/4/24 12:17 PM:
>> On Sun, 3 Mar 2024 21:50:08 +0000, Graham J <nobody@nowhere.co.uk> wrote:
>
>>
>>> so that you don't receive the code,
>>> but the criminal does.
>>
>> I don't think it works that way, but ICBW.
>>
>
>Yes, it does not work that way.

Thanks.