Re: Codes sent by text message

Subject : Re: Codes sent by text message
From : robin_listas (at) *nospam* es.invalid (Carlos E.R.)
Newsgroups : comp.mobile.android
Date : 12. Mar 2024, 22:38:06
Message-ID : <uiu6ckxaub.ln2@Telcontar.valinor>
User-Agent : Mozilla Thunderbird
On 2024-03-12 21:21, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> On 2024-03-12 13:53, Newyana2 wrote:
>>> "AJL" <noemail@none.org> wrote
>>>
>>> ...
>>>
>>> As Carlos put it, people addicted to cellphones
>>> would like to believe that everyone else "does not matter".
>>> They not only want cellphone options, they want cellphone
>>> interaction to be enforced as the only option. They
>>> want to live in Cellphone World.
>>
>> Addicted? No, simply banks are using a device that everybody has,
>> instead of making their clients buy an extra hardware device, not cheap,
>> for needed extra security. You do have other options if you insist.
>
> Personally I would prefer if the trend were toward using USB security
> sticks instead of SMS and e-mail.  One problem there might be: having to
> use a computer that has no USB ports, or they've been disabled.  Another
> problem is no one is going to attach the USB stick to a cord attached to
> their body: when they leave the computer, the USB stick must go with
> them.  Instead the sticks are left plugged into a USB port, so anyone
> with physical access to the computer can login using the stick just like
> the owner can.  The problem of physical access also applies to phones.

There are safer methods than the mobile phone, but their rationale is "you already have a phone, so implementing this is very cheap".
Of course, a percent doesn't have a phone, but those are not their objective client, and probably they will provide some other means.

> As for cost, if every computer could use a Yubi security key, the $25
> would be worth the freedom of relying on a phone.  Weren't some
> Europeans charged and fined for pretending to be someone else's phone
> through SIM card swap they foisted on the carrier?

SIM swap attack is a thing, yes. They can thus receive verification SMSs, but probably not banking app messages.

> What Is a SIM Swap Attack and How Can You Prevent It?
> https://www.avast.com/c-sim-swap-scam
>
> When getting an SMS text, there is no verification that the receiving
> phone's IMEI is the one to where the text was intended to drop.  If the
> IMEI were involved, you'd have to re-register with whomever is sending
> 2FA codes via texts to give them yet another piece of valuable info: the
> IMEI of your phone.  When you change or add phones, you have to update
> all your accounts to give them another IMEI.  But SMS doesn't link to
> IMEI, so there SMS is not secured either during transmission nor
> guarantee which phone the SMS targets.
>
> Maybe if all computers had biometric input (camera for eyes and sensor
> for fingers and mic for voice) then the verification really would be to
> a person, not the expectation of a device or service to which that
> person -- or someone else -- has access.  Phones and laptops have those
> bio devices (well, maybe not all have finger sensors), but only a
> fraction of desktops have even 2 of them.  I don't have a camera on my
> desktop.  I don't do video chats.  I have a mic only when I plug in my
> headset.  I'd have to buy a fingerprint sensor.  Bio verification isn't
> going to happen on desktops until those devices are built in by default
> whether pre-builts or own builts, not appended on.

Most recent laptops have fingerprint sensors and cameras. But I don't have software that uses the former (nor the latter, for purposes of ID).

> When sent a 2FA code, how long before you have to use it?  Typically the
> expiration is 5 to 15 minutes.  Pretty long time, but they have to
> account for delay in SMS transport, and time for users to enter the 2FA
> code.  Some phone users are handicapped, so they don't quickly enter
> anything.  Do the 2FA codes automatically and immediately expire upon
> use, or are they still valid for the original time allowed for
> expiration?

They expire on use. I.e., they are single use.

> I hope that the site enforces automatic expiration on use,
> but I haven't verified this is the case.  Anyway, the long expiration
> time to wait for use of the 2FA code means a larger window of
> opportunity for interception.  SMS and e-mail are not secure
> communication venues.  That's why I'm thinking TOTP would be a better
> choice; however, doesn't seem that every site wanting to use 2FA
> supports TOTP, and it seems you must have the particular TOTP
> authenticator that they expect you to use which, to me, hints the
> communication protocol is not yet standardized to allow use of *any*
> TOTP authenticator.  One site uses Authy, another uses Symantec VIP, and
> another requires something else.

Yeah, but for many purposes SMS is good enough. It doesn't have to be failsafe, but only to block a high enough percent of the "attacks".

> Does everyone that gets a new phone, or just a new SIM card, always get
> a new phone number, and keep that one?

Depends.
I have the same mobile phone number since around 1999. Other people change(d) it frequently, because they use offerings by various providers.
Mine was first a pay as you go prepaid card, at some point upgraded to contract, and at some point migrated to another company (for free).
Then, when I travel to Canada I get a local number that is valid only for a month.

> I use Google Voice which calls
> all my phones, so it doesn't matter which phones I have at the time or
> what are their phone numbers.  All of them (that I've added to my GV
> account) get called using simultaneous ring.  I even have an Obitalk
> added to my GV account, so I get calls on my home phones (VOIP converted
> to POTS in my home wiring).  However, if I had only 1 phone, I'd try to
> port my old phone number to the new phone, if allowed (which costs money
> to do the port).  I wouldn't have to change my old phone number in every
> account where it is recorded, and to where SMS texts would get sent.
> With e-mail alerts (GV sends a copy of a text to my e-mail), it doesn't
> matter which smartphone I use.  If a site is going to use 2FA when you
> try to update your account to reflect your new phone number, you're
> screwed if you don't have the old phone to get the text.  If you have to
> talk to tech support, figure on wasting an hour and half on a call, and
> the info you give them is the same info the hackers use in a SIM swap.
>
> With the average ownership of smartphones only around 2 years, seems it
> would be a repetitive nuisance to update phone numbers in all accounts
> for all those consumers that just must update.  With a security key,
> wouldn't matter where you got the text, but who wants to keep plugging a
> stick into the phone's USB port, or leave the stick dangling out the
> port?  Even if IMEI were linked to SMS (to the sender, not to the
> carrier who doesn't give a fart about the content and is not involved in
> securing a login), a change of phone means a different IMEI.  You can go
> to TOTP *if* the other party supports using it, but then you have to get
> your tokens to the new phone.  Authy does that with its cloud sync, but
> not other authenticators.  Transferring tokens with other authenticators
> is a bitch, but then often the intent is to make users think that more
> effort means more security.

--
Cheers, Carlos.
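
The single-use and expiry behaviour discussed in this post, as an added example that is not part of the thread and not any bank's or site's actual code: a server-side verifier that consumes a code on first successful use, rejects it after the time limit, and caps wrong guesses. The class name `OtpStore`, the 300-second lifetime (the low end of the 5 to 15 minutes mentioned above) and the attempt cap are assumptions.

```python
import hmac
import secrets
import time


class OtpStore:
    """In-memory verifier for texted codes (hypothetical, for illustration)."""

    def __init__(self, ttl=300, max_attempts=5, clock=time.time):
        self.ttl, self.max_attempts, self.clock = ttl, max_attempts, clock
        self._pending = {}  # account -> [code, expires_at, attempts_left]

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        # A newly issued code replaces, and so invalidates, any earlier one.
        self._pending[account] = [code, self.clock() + self.ttl, self.max_attempts]
        return code  # in a real system this goes to the SMS gateway

    def verify(self, account, submitted):
        entry = self._pending.get(account)
        if entry is None:
            return "no-code"
        code, expires_at, attempts_left = entry
        if self.clock() >= expires_at:
            del self._pending[account]  # time limit passed
            return "expired"
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[2] = attempts_left - 1
            if entry[2] <= 0:
                del self._pending[account]  # too many guesses: burn the code
                return "locked"
            return "wrong"
        del self._pending[account]  # consumed on first successful use
        return "ok"


def demo():
    now = [1000.0]  # constructed fake clock so the run is deterministic
    store = OtpStore(ttl=300, clock=lambda: now[0])
    code = store.issue("alice")
    first = store.verify("alice", code)   # accepted once
    replay = store.verify("alice", code)  # same code again: already consumed
    late_code = store.issue("alice")
    now[0] += 301                         # past the lifetime
    late = store.verify("alice", late_code)
    return first, replay, late


if __name__ == "__main__":
    print(demo())
```

The attempt cap matters as much as the expiry: with only a million possible codes, an uncapped verifier can be guessed through well inside a 5-minute window.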
