computers / alt.comp.os.windows-10 / Re: New Gmail Account

Re: New Gmail Account

 by: VanguardLH - Tue, 27 Feb 2024 20:52 UTC

Handsome Jack <Jack@handsome.com> wrote:

> VanguardLH <V@nguard.lh> wrote:
>
>> SMS is also insecure. It is not encrypted. We're not talking about
>> using end-to-end encryption using WhatsApp, but just simple texting.
>> So, we have 2FA codes securing a login that are sent via an insecure SMS
>> texting route.
>
> But is it practicable for an adversary to intercept the SMS message in
> the few seconds it takes for the user to log in with it?

I'm not an SMS hacker. No familiarity in how to intercept an SMS
message other than what I can read online. E-mail is usually quick,
too, but sometimes you don't get the 2FA e-mail, and have to click a
resend button in the web form to get another 2FA code. There is
guarantee of delivery with e-mail or SMS.

As for seconds to enter the 2FA code, that doesn't start until the user
gets the 2FA code in an SMS message, or e-mail message, or a phone call
with a robot reciting the characters. Other than e-mail, the device
where you get the 2FA code is separate from the desktop PC where you were
trying to log in. Even when using a web browser on the phone, too often
you cannot merely copy-n-paste the 2FA code (from the SMS or e-mail)
into the web form for completing the login. You must view the 2FA code,
and enter it one character at a time into the web form. This can take
more than a few seconds, and can entail user error in entering the
characters.

Have you ever measured the time from when you click Send in the web form
to have the site send you the 2FA code to when you view it and manually
enter the characters from the message into the web form to click Okay
there to complete the roundabout routing of the 2FA code?

The point isn't about how fast you can enter the 2FA code. It's about
claiming 2FA is more secure when you're already at an HTTPS site to then
send the code using INSECURE communication venues. E-mail is not
secure. SMS is not secure. Phone calls are not secure. The window of
opportunity exists when the 2FA code is insecurely transmitted.

2FA is security theater. Nuisance users mode pretending security is
better when, in fact, it is reduced using insecure means of sending
data.

Re: New Gmail Account

 by: Carlos E.R. - Tue, 27 Feb 2024 20:56 UTC

On 2024-02-27 21:42, VanguardLH wrote:
> malone <malone@nospam.net.nz> wrote:
>
>> On Wed-21-Feb-2024 4:42 pm, VanguardLH wrote:
>>> Mike Easter <MikeE@ster.invalid> wrote:

>> What pisses me off is Google's preoccupation with SMS for their 2FA.
>> Some of us live in places like New Zealand where there's not much
>> interest in providing decent communications in rural areas and as I have
>> no cellular coverage SMS is a bit of a problem for me. Most
>> organisations I deal with offer 2FA via email or even voice message via
>> a land line - not ultra-secure, but better than nothing. But it seems
>> Google is far too arrogant and indifferent to customers to consider
>> those options....
>
> Does your cellular provider

He said he has no cellular coverage. I guess he has no mobile phone.

> have the option to send received texts to
> your account with them to an e-mail address? I have that with Google
> Voice, and it eliminates having to find and use my phone to manually
> copy the 2FA code from the phone to the web form at the site to complete
> the login. GV sends me a copy of the text to my e-mail address. I can
> then open e-mail on the same computer where I'm trying to login.
> Sometimes I can just copy-n-paste the 2FA code from the e-mail to the
> login web form, but sometimes I'm stuck entering the 2FA code character
> by character, because the web form has separate input elements
> separately for each character.

Android messages application can be replicated on the computer, same as
WhatsApp. But you need cellular coverage to start it.

>
> I figure if GV has the text-to-email option that other telcos might have
> it, too.

--
Cheers, Carlos.

Re: New Gmail Account

 by: VanguardLH - Tue, 27 Feb 2024 20:59 UTC

Frank Slootweg <this@ddress.is.invalid> wrote:

> As I mentioned, you don't (have to use 2FA (actually 2SV in this
> case) to use Gmail). You just use it *once* per device (i.e. your
> desktop) and tick the box to add that device as a trusted device. No
> more 2SV/2FA for that device.

That won't work if you configure your web browser to purge all locally
cached data on its exit, as I do with Firefox. That tickbox will use
DOM/Web Storage, or maybe cookies, in the web browser to create a
fingerprint on your return visit. No matter how many times I have
ticked the "Remember me" checkbox to supposedly allow quick reentry to
an account, on a return the site doesn't know my web browser, and I have
to do the 2FA process again.

When I exit Firefox, all of the following are purged: browsing &
download history, active logins, form & search history, cookies, [web]
cache, site settings, offline website data (DOM Storage). When I
revisit a web site, it is as if it is the first time I visit there. The
site doesn't get to use any locally cached data to remember me. They
know nothing about my client, so they know nothing about my device,
either. They don't get to track me between web sessions.

Re: New Gmail Account

 by: Frank Slootweg - Thu, 29 Feb 2024 16:30 UTC

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > As I mentioned, you don't (have to use 2FA (actually 2SV in this
> > case) to use Gmail). You just use it *once* per device (i.e. your
> > desktop) and tick the box to add that device as a trusted device. No
> > more 2SV/2FA for that device.
>
> That won't work if you configure your web browser to purge all locally
> cached data on its exit, as I do with Firefox. That tickbox will use
> DOM/Web Storage, or maybe cookies, in the web browser to create a
> fingerprint on your return visit. No matter how many times I have
> ticked the "Remember me" checkbox to supposedly allow quick reentry to
> an account, on a return the site doesn't know my web browser, and I have
> to do the 2FA process again.

Yes, that's the consequence of clearing browser data.

> When I exit Firefox, all of the following are purged: browsing &
> download history, active logins, form & search history, cookies, [web]
> cache, site settings, offline website data (DOM Storage). When I
> revisit a web site, it is as if it is the first time I visit there. The
> site doesn't get to use any locally cached data to remember me. They
> know nothing about my client, so they know nothing about my device,
> either. They don't get to track me between web sessions.

You could use a different profile for trusted services - like in this
example Gmail - and a profile for everything else.

Bottom line: If you're clearing browser data, it's going to have
consequences, desirable and undesirable. News at eleven.
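
The "trusted device" behaviour discussed in the two posts above, sketched as server-side logic. This is an added example, not part of either post and not Google's implementation; the stateless signed cookie, the 30-day lifetime, the cookie name `device_trust` and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment signing secret
TRUST_LIFETIME = 30 * 24 * 3600        # assumed 30-day trust period, in seconds


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_trust_cookie(user, now=None):
    """Issued after a successful second step when 'trust this device' is ticked."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    now = time.time() if now is None else now
    device_id = secrets.token_hex(16)          # random, says nothing about the machine
    expires = int(now) + TRUST_LIFETIME
    payload = f"{user}|{device_id}|{expires}"
    return f"{payload}|{_sign(payload)}"


def second_step_required(user, cookie_jar, now=None):
    """Return True when this login has to go through the second step again."""
    now = time.time() if now is None else now
    cookie = cookie_jar.get("device_trust")
    if not cookie:
        return True                            # purged on exit, or never set
    parts = cookie.split("|")
    if len(parts) != 4:
        return True
    cookie_user, device_id, expires, tag = parts
    payload = f"{cookie_user}|{device_id}|{expires}"
    if not hmac.compare_digest(tag, _sign(payload)):
        return True                            # altered or forged cookie
    if cookie_user != user or not expires.isdigit() or int(expires) < now:
        return True                            # other account, or trust expired
    return False


def simulate():
    """Constructed scenario: one profile purges cookies on exit, one keeps them."""
    t0 = 1_700_000_000
    purging_profile, persistent_profile = {}, {}
    for jar in (purging_profile, persistent_profile):
        jar["device_trust"] = mint_trust_cookie("alice", now=t0)
    purging_profile.clear()                    # browser exit with clear-on-exit
    next_day = t0 + 86400
    return {
        "purging": second_step_required("alice", purging_profile, now=next_day),
        "persistent": second_step_required("alice", persistent_profile, now=next_day),
        "expired": second_step_required(
            "alice", persistent_profile, now=t0 + TRUST_LIFETIME + 1),
        "other_user": second_step_required("bob", persistent_profile, now=next_day),
    }


if __name__ == "__main__":
    print(simulate())
```

In this sketch the only trust state is the cookie, so a profile that purges it looks like a new device on every visit, while a separate profile that keeps it skips the second step until the cookie expires.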

Re: New Gmail Account

 by: Char Jackson - Sun, 3 Mar 2024 21:36 UTC

On Tue, 27 Feb 2024 14:52:27 -0600, VanguardLH <V@nguard.LH> wrote:

>Have you ever measured the time from when you click Send in the web form
>to have the site send you the 2FA code to when you view it and manually
>enter the characters from the message into the web form to click Okay
>there to complete the roundabout routing of the 2FA code?
>
>The point isn't about how fast you can enter the 2FA code. It's about
>claiming 2FA is more secure when you're already at an HTTPS site to then
>send the code using INSECURE communication venues. E-mail is not
>secure. SMS is not secure. Phone calls are not secure. The window of
>opportunity exists when the 2FA code is insecurely transmitted.

It doesn't bother me in the slightest that a 2FA/2SV code is transmitted to me
insecurely. It's a one-time use code with a relatively short time to live. If
I've initiated it, I'm standing by to receive the code so that I can finish
logging in. If someone else sees the code, which is possible but unlikely, they
can't do anything with it.

If someone else has my password to a specific site, for example as the result of
a data breach, I might receive the code via SMS or email, which would be an
indicator that someone is trying to log in and it's probably time for me to
change that password.

>2FA is security theater.

I don't see it the same way.
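
The two properties this post relies on (one-time use, short time to live), sketched as server-side verification logic. This is an added example, not part of the original post and not any provider's actual implementation; the 300-second lifetime, the five-attempt limit, the binding of each code to one login attempt and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime; real services choose their own
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class OneTimeCodeStore:
    """Server-side record of codes sent out of band (SMS, e-mail, voice)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # login_id -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(login_id, code):
        # Keep a hash bound to the login attempt, not the code itself.
        return hashlib.sha256(f"{login_id}:{code}".encode()).digest()

    def issue(self, login_id):
        """Called only after the password check passed for this login attempt."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[login_id] = [
            self._digest(login_id, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code          # handed to the SMS/e-mail sender, not to the browser

    def verify(self, login_id, code):
        entry = self._pending.get(login_id)
        if entry is None:
            return "unknown"                   # nothing outstanding for this attempt
        code_hash, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[login_id]
            return "expired"
        if not hmac.compare_digest(code_hash, self._digest(login_id, code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[login_id]    # stop guessing against this code
                return "locked"
            return "wrong"
        del self._pending[login_id]            # single use: consumed on success
        return "ok"


def demo():
    """Constructed scenario with a fake clock so the outcome is deterministic."""
    now = [1_000_000.0]
    store = OneTimeCodeStore(clock=lambda: now[0])
    results = {}
    code = store.issue("login-A")
    # The same digits presented on a login attempt that never passed the password step.
    results["other_session"] = store.verify("login-B", code)
    results["first_use"] = store.verify("login-A", code)
    results["replay"] = store.verify("login-A", code)
    late_code = store.issue("login-C")
    now[0] += CODE_TTL_SECONDS + 1
    results["late"] = store.verify("login-C", late_code)
    return results


if __name__ == "__main__":
    print(demo())
```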

Re: New Gmail Account

 by: Graham J - Sun, 3 Mar 2024 21:50 UTC

Char Jackson wrote:

[snip]
>
> If someone else has my password to a specific site, for example as the result of
> a data breach, I might receive the code via SMS or email, which would be an
> indicator that someone is trying to log in and it's probably time for me to
> change that password.
>
>> 2FA is security theater.

The issue is not with the code.

It is that your phone may be cloned so that you don't receive the code,
but the criminal does. This is because phone companies have
historically not been good at preventing such cloning - and from their
point of view their loss is only the potential revenue from a few phone
calls.

It is true that the criminal needs access to your bank account; but if
he can clone your phone then stealing your login credentials may not be
too difficult. If he works for the bank it's even easier!

From the bank's point of view it's quite a challenge to confirm that
you really are who you claim to be, and that you're not acting under
duress. This is the area that needs innovative development.

--
Graham J

Re: New Gmail Account

 by: knuttle - Sun, 3 Mar 2024 22:52 UTC

On 03/03/2024 4:50 PM, Graham J wrote:
> Char Jackson wrote:
>
> [snip]
>>
>> If someone else has my password to a specific site, for example as the
>> result of
>> a data breach, I might receive the code via SMS or email, which would
>> be an
>> indicator that someone is trying to log in and it's probably time for
>> me to
>> change that password.
>>
>>> 2FA is security theater.
>
> The issue is not with the code.
>
> It is that your phone may be cloned so that you don't receive the code,
> but the criminal does.  This is because phone companies have
> historically not been good at preventing such cloning - and from their
> point of view their loss is only the potential revenue from a few phone
> calls.
>
> It is true that the criminal needs access to your bank account; but if
> he can clone your phone then stealing your login credentials may not be
> too difficult.  If he works for the bank it's even easier!
>
> From the bank's point of view it's quite a challenge to confirm that
> you really are who you claim to be, and that you're not acting under
> duress.  This is the area that needs innovative development.
>
This is the reason I will never put secure data on my phone. I only
use a laptop on my personal LAN when accessing bank and other secure
information.
Cell phones are too easily lost, and stolen. The convenience is just
not worth the risk.

Re: New Gmail Account

 by: Char Jackson - Mon, 4 Mar 2024 19:17 UTC

On Sun, 3 Mar 2024 21:50:08 +0000, Graham J <nobody@nowhere.co.uk> wrote:

>Char Jackson wrote:
>
>[snip]
>>
>> If someone else has my password to a specific site, for example as the result of
>> a data breach, I might receive the code via SMS or email, which would be an
>> indicator that someone is trying to log in and it's probably time for me to
>> change that password.
>>
>>> 2FA is security theater.
>
>The issue is not with the code.

I'd have to hear that from VanguardLH, the person to whom I was responding. In
his post, the issue seemed to be almost entirely about the code being
transmitted via an unsecure means.

>It is that your phone may be cloned

That risk is low enough that I'm not going to worry about it. I'm much more
likely to be struck by lightning every day at 3PM for 7 days in a row.

I made up the stat for dramatic effect, before anyone tries to do the math.

>so that you don't receive the code,
>but the criminal does.

I don't think it works that way, but ICBW.

Re: New Gmail Account

 by: Frank Slootweg - Mon, 4 Mar 2024 20:02 UTC

Graham J <nobody@nowhere.co.uk> wrote:
> Char Jackson wrote:
>
> [snip]
> >
> > If someone else has my password to a specific site, for example as
> > the result of a data breach, I might receive the code via SMS or
> > email, which would be an indicator that someone is trying to log in
> > and it's probably time for me to change that password.
> >
> >> 2FA is security theater.
>
> The issue is not with the code.
>
> It is that your phone may be cloned so that you don't receive the code,
> but the criminal does. This is because phone companies have
> historically not been good at preventing such cloning - and from their
> point of view their loss is only the potential revenue from a few phone
> calls.

It's not the phone which is/can_be cloned, but the SIM.

> It is true that the criminal needs access to your bank account; but if
> he can clone your phone then stealing your login credentials may not be
> too difficult.

There's no way that the other phone with the cloned SIM has the login
credentials. *If* the criminal has the login credentials, he must have
gotten them by other means.

> If he works for the bank it's even easier!

Can we get back to earth please!?

> From the bank's point of view it's quite a challenge to confirm that
> you really are who you claim to be, and that you're not acting under
> duress. This is the area that needs innovative development.

That's why banks have developed better 2SV (actually 2FA) means than
SMS, but that does not mean that SMS is dangerous. 2SV by SMS is used
billions of times without any great problems.

Re: New Gmail Account

 by: Char Jackson - Mon, 4 Mar 2024 20:37 UTC

On 4 Mar 2024 20:02:30 GMT, Frank Slootweg <this@ddress.is.invalid> wrote:

>Graham J <nobody@nowhere.co.uk> wrote:
>> Char Jackson wrote:
>>
>> [snip]
>> >
>> > If someone else has my password to a specific site, for example as
>> > the result of a data breach, I might receive the code via SMS or
>> > email, which would be an indicator that someone is trying to log in
>> > and it's probably time for me to change that password.
>> >
>> >> 2FA is security theater.
>>
>> The issue is not with the code.
>>
>> It is that your phone may be cloned so that you don't receive the code,
>> but the criminal does. This is because phone companies have
>> historically not been good at preventing such cloning - and from their
>> point of view their loss is only the potential revenue from a few phone
>> calls.
>
> It's not the phone which is/can_be cloned, but the SIM.

True, of course, but over here in the States we're somewhat behind the times in
that many phones don't have removable SIMs, so for those phones it mostly means
the same thing when you clone the phone versus when you clone the SIM. We're
slowly catching up, I think. My last couple of phones have finally had removable
SIM cards, long after the rest of the world had them.

>
>> It is true that the criminal needs access to your bank account; but if
>> he can clone your phone then stealing your login credentials may not be
>> too difficult.
>
> There's no way that the other phone with the cloned SIM has the login
>credentials. *If* the criminal has the login credentials, he must have
>gotten them by other means.
>
>> If he works for the bank it's even easier!
>
> Can we get back to earth please!?
>
>> From the bank's point of view it's quite a challenge to confirm that
>> you really are who you claim to be, and that you're not acting under
>> duress. This is the area that needs innovative development.
>
> That's why banks have developed better 2SV (actually 2FA) means than
>SMS, but that does not mean that SMS is dangerous. 2SV by SMS is used
>billions of times without any great problems.
