this post was submitted on 20 Dec 2024
622 points (98.9% liked)

Technology

60029 readers
2862 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
622
Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’ (gizmodo.com)
submitted 2 days ago by [email protected] to c/[email protected]
134 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 16 points 1 hour ago

Authentication for my work email: Enter 28 character password, receive sms, enter message, log in

Authentication for my Battle.net account:

-Enter email made before 2000 because they don't let you change email

-Enter password

-Get rejected

-Solve CAPTCHA

-Try backup passwords, get rejected

-Request new password

-Send request to 24 year old email

-Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email

-Open newer email, Authenticate older email

-open old email, Put in code to battle.net

-Battle.net requests Authenticator code from Battle.net app

-Open battle.net app (no requests)

-Try manual code, doesn't work

  • Realize Battle.net app Authenticator not connected

-Try to connect Battle.net app Authenticator to account

-Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator

-Close Battle.net app

-Open Blizzard Authenticator

-Close warning that this app got depreciated in January

-Enter manual code

-it works

-Attempt to change password to password I first attempted

-Won't let me use same password

-Try logging in using that password

-Still doesn't work - Solve one more CAPTCHA

-Change password to backup password and back to original password - have to solve 2 more Captchas

-Finally works

-Log in

[–] [email protected] 3 points 1 hour ago

Do many services still don't even offer 2FA at all. Any service that stores payment information and PII without any 2FA options, let alone a secure one, at this point are a disgrace.

[–] [email protected] 1 points 10 minutes ago

What are yall using as an alternative?

[–] [email protected] 5 points 2 hours ago (1 children)

Incoming forced 4-factor authentication

[–] [email protected] 6 points 1 hour ago* (last edited 1 hour ago)

Something you know, something you are, something you have, and something you saw in a dream once when you were a kid at summer camp during a feverish Dr Pepper-overdose-driven fitful sleep at age 12.

[–] [email protected] 20 points 18 hours ago* (last edited 18 hours ago) (1 children)

The end of an era.

Or actually, probably not until we redo whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn't be using a 45 year old system for almost all communications.

[–] [email protected] 5 points 1 hour ago* (last edited 1 hour ago) (1 children)

Use Telegram.

Not the app, the 200 year old wire radio messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered)

[–] [email protected] 1 points 1 hour ago

I guarantee you that is the opposite of a solution, old man encryption is very easily hacked by other old men for spoofing, redirecting, or listening.

[–] [email protected] 37 points 1 day ago (2 children)

I hate forced 2FA that you can't disable anyway. I don't want to waste time waiting for an insecure text, I don't want to input an unencrypted code you sent to my email, I don't want to click your damn notification that runs through Play Services, and no I'm not enrolling in passwordless auth. I don't need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.

[–] [email protected] 15 points 23 hours ago (2 children)

Yeah. So you, myself, and some others are the exception to the rule. But, you can't look at it that way because its a 'lowest common denominator' problem. The least secure of us means we are all only as secure. Others need to be hand held.

It's definitely time to raise all boats and drop SMS 2fa like a hot rock.

[–] [email protected] 3 points 20 hours ago

The most natural authentication mechanism for humans is a key. That thing you carry with yourself. A physical key containing, well, the actual secret (shouldn't be retrievable, should be used for decrypting access request and signing the response) that, maybe combined with your password (another natural for humans authentication mechanism) or maybe, yes, TOTP, gives you access.

Like those "security keys" Imperial officers in Jedi Outcast carry with them. Maybe a bad example.

Phone numbers are used as identifiers because governments like it, nerds don't like it, and normies explicitly like what nerds don't like and also want everything to be insecure, they call it "having nothing to hide".

Also "normal and social" people have that idea that their social prowess is more elegant, smarter at ensuring their security that those dumb and boring nerd technical solutions. So them always choosing things logically opposite of sane, like social media instead of forums, and phone numbers instead of any other identifier, is literally a matter of principle. It's really not that hard to use something else. They do the stupidest possible thing technically to prove a point that you only have to do the smart thing socially. I mean, in Galileo Galilei's case the other side of the disagreement is generally considered right, but that's not an argument effective in society.

I should admit that I've been doing the opposite - the stupidest possible thing socially to prove a point that only technical sense matters, which is why nobody would send me encrypted mail except Facebook with its notifications, and nobody would write me in Tox, and nobody would even contact me via XMMP. Which is why I'm now using TG, VK, FB, WA and Signal for communication, of these Signal is secure, and WA is kinda better than the rest of them.

load more comments (1 replies)
[–] [email protected] 2 points 19 hours ago

is already using TOTP.

A lot of things are moving to phishing-resistant technologies like FIDO2/WebAuthn or passkeys. All my important accounts, like my password manager, are secured using Yubikeys (one that I keep with me and one as a backup in a secure place).

[–] [email protected] 18 points 1 day ago* (last edited 1 day ago) (1 children)

Since when was sms ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient's carrier both have the opportunity to intercept messages.

I mean that's the message content, not the authentication, but still, sms is the opposite of secure, always has been.

[–] [email protected] 5 points 1 day ago (3 children)

Not true. SMS is encrypted in 3G, LTE, 5G. Block cyphers like Kasumi and A/9 are used. SMS is reasonably secure, because it's hard to infiltrate telecom systems like S7

[–] [email protected] 3 points 5 hours ago* (last edited 5 hours ago) (1 children)

because it’s hard to infiltrate telecom systems like S7

cough You can pay a few grand and get access to SS7 networks.

Might be out of reach for most of us, but we can rest assured that any and all security firms and goverrnment agencies have access to this information at a moment's notice.

[–] [email protected] 1 points 32 minutes ago

Simply paying is not sufficient. You need to be a telecom company, or a researcher afaik.

In what world would the US gov care to get into your bank account? Or your Facebook account when it's already tightly controlled?

[–] [email protected] 5 points 19 hours ago* (last edited 18 hours ago) (1 children)

it's hard to infiltrate telecom systems like S7

Telecom systems can be (and are) infiltrated though, which is what the FBI is warning about.

SS7 is very insecure. See this video, too: https://www.youtube.com/watch?v=wVyu7NB7W6Y

[–] [email protected] 1 points 49 minutes ago

Watch the video again to see how hard it was for Derrick to get access. He got it via his telecom/academia researcher contact.

[–] [email protected] 4 points 1 day ago (5 children)

It's hard, but not hard enough from what I've been able to gather. We should want something better IMO. I'm surprised that TOTP isn't more common.

load more comments (5 replies)
[–] [email protected] 13 points 1 day ago (1 children)

an astronaut pointing a gun at their colleague, with earth in the background. ( "always has been" meme template, no text)

[–] [email protected] 4 points 1 day ago

'nuf said

[–] [email protected] 13 points 1 day ago (1 children)

id take email Authentication over sms Authentication if there was only them 2 let me use my 2facter app for the love of god plz i hate how banks use sms its like come on man

[–] [email protected] 2 points 9 hours ago (1 children)

Email is also unencrypted

[–] [email protected] 1 points 1 hour ago

Ya just saying I don't like sms I wish email was encrypted maybe one day

[–] [email protected] 32 points 1 day ago

Always has been

[–] [email protected] 103 points 1 day ago (1 children)

NIST has been saying since 2016 not to use SMS for MFA. It's always been horribly insecure.

[–] [email protected] 66 points 1 day ago (18 children)

The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and wont implement TOTP so I can use a true MFA app. And Im done with being forced to accept user policies I don't agree with to do shit, and most of all done with Google Play Services on my device 😑

[–] [email protected] 6 points 5 hours ago* (last edited 5 hours ago) (1 children)

Should be illegal to put ads in something as crucial to day-to-day life as a banking app.

If it's not illegal, then everyone is going to do it and we won't have the "choice" that crapitalists love to tout so much.

[–] [email protected] 0 points 2 hours ago* (last edited 2 hours ago)

Its supposed to be illegal for banks to be in "sales" but my wife was working for BMO and they were forcing her to prioritize outbound cold calls ans upselling products the customer didnt need and would clearly be bad for their financials as a Personal Banking Assistant. The conflict of interest was so great it stressed her right the fuck out and she had to take leave and start therapy. Her MS also spiked likely due to the stress levels. She was there to help people, and she made the bank earn loyal customers and they willing got more products from the bank because she helped them. She was the top performer at the bank if she just let her do the job she was there to do, but instead her boss started ragging on her daily about her cold calling numbers and forcing her to cancel necessary appointments and focus time to deal with customer requests and instead prioritize sales.

In the end her numbers dropped, her customer satisfaction dropped, and her MS got worse from the stress and she's now on long term leave, uncertain if she'll recover her focus and able to go back to work. Her neurologist has said she cannot go back for now.

Not sure how that bullshit helped the bank, but I can sure see how I didn't, and I may be wrong but I think there are laws against it.

Also worth noting that this change in tactics happened right at the same time BMO took all their "we're here to help" signage down. Brings so many memories of Google dropping the "don't be evil". Everything that came after in both cases was shit.

[–] [email protected] 11 points 1 day ago (1 children)

My bank prides itself being the first in the country to support yubikeys for 2fa. I was so happy until i learned it's just for logging in, transactions are still confirmed by SMS or their app. And security experts all say it's better this way, using a regular 2fa solution would be insecure because you wouldn't know what you're confirming.

There really is no hope.

[–] [email protected] 6 points 1 day ago (1 children)

It's definitely possible to have a hardware token which allows confirming the transfer details - https://www.manua.ls/nationwide/card-reader-security-for-internet-banking/manual

load more comments (1 replies)
load more comments (16 replies)
[–] [email protected] 53 points 1 day ago* (last edited 1 day ago) (3 children)

Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.

Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)

We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.

load more comments (3 replies)
load more comments
view more: next ›