Re: Codes sent by text message

Liste des GroupesRevenir à cm android 
Sujet : Re: Codes sent by text message
De : V (at) *nospam* nguard.LH (VanguardLH)
Groupes : comp.mobile.android
Date : 12. Mar 2024, 21:21:32
Autres entêtes
Organisation : Usenet Elder
Message-ID : <1xkfdi6umcwrp.dlg@v.nguard.lh>
References : 1 2 3 4 5 6 7 8 9 10 11 12 13
User-Agent : 40tude_Dialog/2.0.15.41
"Carlos E.R." <robin_listas@es.invalid> wrote:

On 2024-03-12 13:53, Newyana2 wrote:
"AJL" <noemail@none.org> wrote
 
...
 
 
    As Carlos put it, people addicted to cellphones
would like to believe that everyone else "does not matter".
They not only want cellphone options, they want cellphone
interaction to be enforced as the only option. They
want to live in Cellphone World.
 
Addicted? No, simply banks are using a device that everybody has,
instead of making their clients buy an extra hardware device, not cheap,
for needed extra security. You do have other options if you insist.

Personally I would prefer if the trend were toward using USB security
sticks instead of SMS and e-mail.  One problem there might be: having to
use a computer that has no USB ports, or they've been disabled.  Another
problem is no one is going to attach the USB stick to a cord attached to
their body: when they leave the computer, the USB stick must go with
them.  Instead the sticks are left plugged into a USB port, so anyone
with physical access to the computer can login using the stick just like
the owner can.  The problem of physical access also applies to phones.

As for cost, if every computer could use a Yubi security key, the $25
would be worth the freedom of relying on a phone.  Weren't some
Europeans charged and fined for pretending to be someone else's phone
through SIM card swap they foisted on the carrier? 

What Is a SIM Swap Attack and How Can You Prevent It?
https://www.avast.com/c-sim-swap-scam

When getting an SMS text, there is no verification that the receiving
phone's IMEI is the one to where the text was intended to drop.  If the
IMEI were involved, you'd have to re-register with whomever is sending
2FA codes via texts to give them yet another piece of valuable info: the
IMEI of your phone.  When you change or add phones, you have to update
all your accounts to give them another IMEI.  But SMS doesn't link to
IMEI, so there SMS is not secured either during transmission nor
guarantee which phone the SMS targets.

Maybe if all computers had biometric input (camera for eyes and sensor
for fingers and mic for voice) then the verification really would be to
a person, not the expectation of a device or service to which that
person -- or someone else -- has access.  Phones and laptops have those
bio devices (well, maybe not all have finger sensors), but only a
fraction of desktops have even 2 of them.  I don't have a camera on my
desktop.  I don't do video chats.  I have a mic only when I plug in my
headset.  I'd have to buy a fingerprint sensor.  Bio verification isn't
going to happen on desktops until those devices are built in by default
whether pre-builts or own builts, not appended on.

When sent a 2FA code, how long before you have to use it.  Typically the
expiration is 5 to 15 minutes.  Pretty long time, but they have to
account for delay in SMS transport, and time for users to enter the 2FA
code.  Some phone users are handicapped, so they don't quickly enter
anything.  Do the 2FA codes automatically and immediately expire upon
use, or are they still valid for the original time allowed for
expiration?  I hope that the site enforces automatic expiration on use,
but I haven't verified this is the case.  Anyway, the long expiration
time to wait for use of the 2FA code means a larger window of
opportunity for interception.  SMS and e-mail are not secure
communication venues.  That's why I'm thinking TOTP would be a better
choice; however, doesn't seem that every site wanting to use 2FA
supports TOTP, and it seems you must have the particular TOTP
authenticator that they expect you to use which, to me, hints the
communication protocol is not yet standardized to allow use of *any*
TOTP authenticator.  One site uses Authy, another uses Symantec VIP, and
another requires something else.

Does everyone that gets a new phone, or just a new SIM card, always get
a new phone number, and keep that one?  I use Google Voice which calls
all my phones, so it doesn't matter which phones I have at the time or
what are their phone numbers.  All of them (that I've added to my GV
account) get called using simultaneous ring.  I even have an Obitalk
added to my GV account, so I get calls on my home phones (VOIP converted
to POTS in my home wiring).  However, if I had only 1 phone, I'd try to
port my old phone number to the new phone, if allowed (which costs money
to do the port).  I wouldn't have to change my old phone number in every
account where it is recorded, and to where SMS texts would get sent.
With e-mail alerts (GV sends a copy of a text to my e-mail), it doesn't
matter which smartphone I use.  If a site is going to use 2FA when you
try to update your account to reflect your new phone number, you're
screwed if you don't have the old phone to get the text.  If you have to
talk to tech support, figure on wasting an hour and half on a call, and
the info you give them is the same info the hackers use in a SIM swap.

With the average ownership of smartphones only around 2 years, seems it
would be a repetitive nuisance to update phone numbers in all accounts
for all those consumers that just must update.  With a security key,
wouldn't matter where you got the text, but who wants to keep plugging a
stick into the phone's USB port, or leave the stick dangling out the
port?  Even if IMEI were linked to SMS (to the sender, not to the
carrier who doesn't give a fart about the content and is not involved in
securing a login), a change of phone means a different IMEI.  You can go
to TOTP *if* the other party supports using it, but then you have to get
your tokens to the new phone.  Authy does that with its cloud sync, but
not other authenticators.  Transferring tokens with other authenticators
is a bitch, but then often the intent to make users think that more
effort means more security.

Date Sujet#  Auteur
9 Mar 24 * Codes sent by text message120The Real Bev
9 Mar 24 +* Re: Codes sent by text message2Jörg Lorenz
10 Mar 24 i`- Re: Codes sent by text message1The Real Bev
9 Mar 24 +- Re: Codes sent by text message1Dave Royal
9 Mar 24 +- Re: Codes sent by text message1Richmond
9 Mar 24 +- Re: Codes sent by text message1VanguardLH
9 Mar 24 `* Re: Codes sent by text message114Newyana2
10 Mar 24  +* Re: Codes sent by text message3The Real Bev
10 Mar 24  i`* Re: Codes sent by text message2Newyana2
10 Mar 24  i `- Re: Codes sent by text message1AJL
10 Mar 24  +* Re: Codes sent by text message90Carlos E.R.
10 Mar 24  i+* Re: Codes sent by text message81Newyana2
10 Mar 24  ii+* Re: Codes sent by text message3AJL
10 Mar 24  iii`* Re: Codes sent by text message2VanguardLH
10 Mar 24  iii `- Re: Codes sent by text message1AJL
10 Mar 24  ii+* Re: Codes sent by text message39Carlos E.R.
10 Mar 24  iii`* Re: Codes sent by text message38Newyana2
11 Mar 24  iii `* Re: Codes sent by text message37Carlos E.R.
11 Mar 24  iii  `* Re: Codes sent by text message36Newyana2
11 Mar 24  iii   +- Re: Codes sent by text message1Carlos E.R.
11 Mar 24  iii   `* Re: Codes sent by text message34Allodoxaphobia
12 Mar 24  iii    `* Re: Codes sent by text message33Newyana2
12 Mar 24  iii     `* Re: Codes sent by text message32AJL
12 Mar 24  iii      `* Re: Codes sent by text message31Newyana2
12 Mar 24  iii       +* Re: Codes sent by text message28Carlos E.R.
12 Mar 24  iii       i+* Re: Codes sent by text message18VanguardLH
12 Mar 24  iii       ii`* Re: Codes sent by text message17Carlos E.R.
13 Mar 24  iii       ii +* Re: Codes sent by text message15VanguardLH
13 Mar 24  iii       ii i+- Re: Codes sent by text message1Carlos E.R.
13 Mar 24  iii       ii i`* Re: Codes sent by text message13Frank Slootweg
14 Mar 24  iii       ii i `* Re: Codes sent by text message12VanguardLH
14 Mar 24  iii       ii i  +- Re: Codes sent by text message1VanguardLH
14 Mar 24  iii       ii i  `* Re: Codes sent by text message10Frank Slootweg
14 Mar 24  iii       ii i   `* Re: Codes sent by text message9Carlos E.R.
14 Mar 24  iii       ii i    `* Re: Codes sent by text message8Newyana2
14 Mar 24  iii       ii i     +- Re: Codes sent by text message1Carlos E.R.
14 Mar 24  iii       ii i     `* Re: Codes sent by text message6The Real Bev
15 Mar 24  iii       ii i      +* Re: Codes sent by text message2Newyana2
15 Mar 24  iii       ii i      i`- Re: Codes sent by text message1The Real Bev
15 Mar 24  iii       ii i      `* Re: Codes sent by text message3Carlos E.R.
15 Mar 24  iii       ii i       +- Re: Codes sent by text message1Newyana2
15 Mar 24  iii       ii i       `- Re: Codes sent by text message1Frank Slootweg
13 Mar 24  iii       ii `- Re: Codes sent by text message1Chris
13 Mar 24  iii       i`* Re: Codes sent by text message9Chris
13 Mar 24  iii       i +* Re: Codes sent by text message7Richmond
13 Mar 24  iii       i i+* Re: Codes sent by text message5Newyana2
13 Mar 24  iii       i ii+* Re: Codes sent by text message3Richmond
13 Mar 24  iii       i iii`* Re: Codes sent by text message2Carlos E.R.
13 Mar 24  iii       i iii `- Re: Codes sent by text message1Richmond
13 Mar 24  iii       i ii`- Re: Codes sent by text message1AJL
13 Mar 24  iii       i i`- Re: Codes sent by text message1Chris
13 Mar 24  iii       i `- Re: Codes sent by text message1Carlos E.R.
12 Mar 24  iii       +- Re: Codes sent by text message1Frank Slootweg
12 Mar 24  iii       `- Re: Codes sent by text message1AJL
10 Mar 24  ii`* Re: Codes sent by text message38Bob Henson
10 Mar 24  ii +- Re: Codes sent by text message1Newyana2
11 Mar 24  ii `* Re: Codes sent by text message36Jörg Lorenz
11 Mar 24  ii  +* Re: Codes sent by text message3Bob Henson
11 Mar 24  ii  i`* Re: Codes sent by text message2Dave Royal
11 Mar 24  ii  i `- Re: Codes sent by text message1Bob Henson
11 Mar 24  ii  +- Re: Codes sent by text message1Richmond
13 Mar 24  ii  `* Re: Codes sent by text message31Chris
13 Mar 24  ii   +- Re: Codes sent by text message1Dave Royal
13 Mar 24  ii   `* Re: Codes sent by text message29Carlos E.R.
13 Mar 24  ii    +* Re: Codes sent by text message5Frank Slootweg
14 Mar 24  ii    i`* Re: Codes sent by text message4Carlos E.R.
14 Mar 24  ii    i `* Re: Codes sent by text message3Frank Slootweg
14 Mar 24  ii    i  `* Re: Codes sent by text message2Carlos E.R.
15 Mar 24  ii    i   `- Re: Codes sent by text message1Frank Slootweg
13 Mar 24  ii    `* Re: Codes sent by text message23Chris
14 Mar 24  ii     `* Re: Codes sent by text message22Carlos E.R.
15 Mar 24  ii      +* Re: Codes sent by text message20Jörg Lorenz
15 Mar 24  ii      i+- Re: Codes sent by text message1Dave Royal
15 Mar 24  ii      i+* Re: Codes sent by text message16Carlos E.R.
15 Mar 24  ii      ii`* Re: Codes sent by text message15Jörg Lorenz
15 Mar 24  ii      ii +* Re: Codes sent by text message10Carlos E.R.
15 Mar 24  ii      ii i`* Re: Codes sent by text message9Jörg Lorenz
15 Mar 24  ii      ii i `* Re: Codes sent by text message8Carlos E.R.
15 Mar 24  ii      ii i  `* Re: Codes sent by text message7Frank Slootweg
15 Mar 24  ii      ii i   `* Re: Codes sent by text message6The Real Bev
15 Mar 24  ii      ii i    +* Re: Codes sent by text message4Frank Slootweg
16 Mar 24  ii      ii i    i`* Re: Codes sent by text message3The Real Bev
16 Mar 24  ii      ii i    i `* Re: Codes sent by text message2Frank Slootweg
17 Mar 24  ii      ii i    i  `- Re: Codes sent by text message1The Real Bev
15 Mar 24  ii      ii i    `- Re: Codes sent by text message1Carlos E.R.
15 Mar 24  ii      ii `* Re: Codes sent by text message4Richmond
15 Mar 24  ii      ii  `* Re: Codes sent by text message3Jörg Lorenz
15 Mar 24  ii      ii   `* Re: Codes sent by text message2Richmond
15 Mar 24  ii      ii    `- Re: Codes sent by text message1Jörg Lorenz
15 Mar 24  ii      i`* Re: Codes sent by text message2Andy Burns
15 Mar 24  ii      i `- Re: Codes sent by text message1Jörg Lorenz
15 Mar 24  ii      `- Re: Codes sent by text message1Chris
10 Mar 24  i+* Re: Codes sent by text message6VanguardLH
11 Mar 24  ii`* Re: Codes sent by text message5Frank Slootweg
11 Mar 24  ii `* Re: Codes sent by text message4VanguardLH
11 Mar 24  ii  `* Re: Codes sent by text message3Frank Slootweg
11 Mar 24  ii   `* Re: Codes sent by text message2AJL
11 Mar 24  ii    `- Re: Codes sent by text message1Frank Slootweg
10 Mar 24  i`* Re: Codes sent by text message2Dave Royal
11 Mar 24  i `- Re: Codes sent by text message1Carlos E.R.
11 Mar 24  `* Re: Codes sent by text message20Chris

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal