Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’
Even the U.S. government is telling Americans to use encrypted apps. (Matt Novak, Gizmodo)
Imgonnatrythis
in reply to return2ozma • • •
DaGeek247 likes this.
Telorand
in reply to Imgonnatrythis • • •
DaGeek247 and Australis13 like this.
brbposting
in reply to Telorand • • •
ERROR: Earth.exe has crashed
in reply to return2ozma • • •
TVA likes this.
Agent641
in reply to ERROR: Earth.exe has crashed • • •
ERROR: Earth.exe has crashed
in reply to Agent641 • • •Security against foreign hackers, of course
(But with the additional purpose of securing the #LandOfTheFree against those pesky #Terrorists, of course. Who's a terrorist? Why of course that's anyone who dares to ~~criticize the government~~ ahem I mean... make threats against the United States of America 🇺🇸🦅)
someguy
in reply to return2ozma • • •10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don't want competition.
TVA, KaRunChiy and granolabar like this.
Godnroc
in reply to someguy • • •
KaRunChiy and someguy like this.
merde alors
in reply to Godnroc • • •did you forget to add "/s" or do you really believe what you wrote?
essteeyou
in reply to merde alors • • •
granolabar likes this.
NeatoBuilds
in reply to essteeyou • • •adage of Internet culture that, without a clear indicator of intent, one can’t parody extreme views such that some can’t mistake it for a sincere expression of the parodied views
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
WindyRebel
in reply to NeatoBuilds • • •It was a joke, bruh!
Edit: Huh. Guess people didn’t read up on Poe’s Law posted above. Shocked! Well, not that shocked.
NoForwardslashS
in reply to merde alors • • •
brbposting
in reply to merde alors • • •quotation marks used to indicate non-standard usage
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
Godnroc
in reply to merde alors • • •
chingadera
in reply to merde alors • • •
Rentlar
in reply to Godnroc • • •
brbposting
in reply to Rentlar • • •
chingadera
in reply to brbposting • • •
【J】【u】【s】【t】【Z】
in reply to Rentlar • • •
sugar_in_your_tea
in reply to 【J】【u】【s】【t】【Z】 • • •
【J】【u】【s】【t】【Z】
in reply to sugar_in_your_tea • • •
SirEDCaLot
in reply to someguy • • •Absolutely. They were so arrogant they never thought it would happen to us. After all, we are in charge of our own networks so why would we expect the enemy to be at the gates? Let's make those gates out of cardboard so it's easier to spy on everyone.
Of course then you have things like CALEA mandating a back door, you have cheap telecom companies that will happily buy cheap lowest bidder Chinese hardware and install it "everywhere" without concern for security (after all, it's not their data being stolen) and now the enemy isn't just at the gates but inside the walls.
A decade ago, making sure the feds could read everyone's mail was the national security priority. Suddenly when the Chinese can read everyone's mail, good security is the national security priority.
It's too bad there was no way to predict this in advance. Oh wait...
someguy likes this.
Björn Tantau
in reply to return2ozma • • •
dcpDarkMatter, TVA, Chozo and mbinn like this.
Ugurcan
in reply to Björn Tantau • • •
Björn Tantau
in reply to Ugurcan • • •
Agent641
in reply to Ugurcan • • •
metaStatic
in reply to return2ozma • • •
Australis13 and KaRunChiy like this.
sugar_in_your_tea
in reply to metaStatic • • •
desktop_user
in reply to sugar_in_your_tea • • •
Obinice
in reply to sugar_in_your_tea • • •
shortwavesurfer
in reply to return2ozma • • •
dcpDarkMatter, Australis13, Chozo and KaRunChiy like this.
Screen_Shatter
in reply to shortwavesurfer • • •
shortwavesurfer
in reply to Screen_Shatter • • •
Screen_Shatter
in reply to shortwavesurfer • • •
shortwavesurfer
in reply to Screen_Shatter • • •
Screen_Shatter
in reply to shortwavesurfer • • •
shortwavesurfer
in reply to Screen_Shatter • • •
frostysauce
in reply to Screen_Shatter • • •
Screen_Shatter
in reply to frostysauce • • •en.m.wikipedia.org/wiki/SMS_sp…
So, it's not that the message itself is insecure, but the inability to verify the sender makes phishing attacks possible or similar things. I get a text from a random number saying "click this link to pay your bill!" And I don't have any way to trust it's legit.
SIM swaps make it so people can take over your phone number temporarily and then generate 2FA requests to gain access to accounts. Doing the swap usually involves bribing someone or gaining access to a provider's database by other means, but it's been done a lot.
There are ways to prevent this, but the most straightforward is using an MFA app. Barring that, 2FA via email is the next best thing.
SMS spoofing - Wikipedia
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
frostysauce
in reply to Screen_Shatter • • •
Screen_Shatter
in reply to frostysauce • • •
frostysauce
in reply to Screen_Shatter • • •
Screen_Shatter
in reply to frostysauce • • •
BigLime
in reply to return2ozma • • •
communism
in reply to return2ozma • • •
TVA likes this.
Zorsith
in reply to communism • • •
ChillPill
in reply to Zorsith • • •
granolabar likes this.
communism
in reply to ChillPill • • •
EngineerGaming
in reply to communism • • •
phoneymouse
in reply to return2ozma • • •Thank god, give me my HMAC hash please.
Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.
Altima NEO
in reply to return2ozma • • •I've been slowly hearing about this over the last week or so, and I couldn't tell if it was real news or just overexaggerated.
And everyone has been on and on about iPhone to Android RCS, but no word on whether anything is being done to fix the vulnerability.
Scolding7300
in reply to Altima NEO • • •
conciselyverbose
in reply to Scolding7300 • • •RCS doesn't really do a whole lot of anything. It's a step up from SMS/MMS, but not by much.
All the features people think they mean when they're talking about RCS are proprietary Google extensions that only work if you go through Google's servers. They're basically exactly the same as Apple putting iMessage on top; Apple just brags about it while Google tries to trick you into thinking incompatibility is someone else's fault for not giving them control.
AA5B
in reply to conciselyverbose • • •Usually I'll defend Apple on this, but yes, it's a step up from SMS, and Apple is a big reason RCS hadn't been widely adopted as a replacement and incremented to include more features.
I'm definitely on Google's side here: years of no one doing anything until "fine, I'll take care of it myself"
conciselyverbose
in reply to AA5B • • •Apple didn't bother because it sucks. It's not an actual solution (or path to one) for messaging not to be a dumpster fire.
Google "did it itself" exclusively for control. It's exactly the same as their browser behavior.
desktop_user
in reply to conciselyverbose • • •It at least allows larger files than MMS* and has reactions.
*size may vary significantly with MMS and is rarely if ever communicated.
sugar_in_your_tea
in reply to AA5B • • •Why would you defend Apple? It's just a stupid form of lock-in, it was at the start, and it always will be.
If you want security, use an app that provides security. RCS does a little to protect against MITM attacks, unless that MITM is your OS vendor.
Scolding7300
in reply to conciselyverbose • • •
conciselyverbose
in reply to Scolding7300 • • •Apple did add RCS in one of the iOS 18 updates.
It's just only E2EE when routed through Google.
AA5B
in reply to Scolding7300 • • •
sugar_in_your_tea
in reply to AA5B • • •That's precisely what E2EE is supposed to prevent. If the phone company gets hacked, attackers can see all the traffic going through all of their towers, so if everything is encrypted before getting to the towers, they can't see the contents. IIRC, metadata like phone numbers can be read though, so they can see who you're talking to, but they can't see what you're saying.
The phone manufacturer, however, can see everything before it's encrypted and after it's decrypted.
granolabar
in reply to sugar_in_your_tea • • •
rarbg
in reply to return2ozma • • •
timlyo likes this.
da_peda
in reply to rarbg • • •
timlyo likes this.
sunbeam60
in reply to da_peda • • •
da_peda
in reply to sunbeam60 • • •I.e. this article from October: techradar.com/pro/chinese-hack…
Chinese hackers allegedly hit US wiretap systems to hit broadband networks
Ellen Jennings-Trace (TechRadar pro)
capital
in reply to da_peda • • •
sugar_in_your_tea
in reply to capital • • •Yeah, I don't get it. I go out of my way to provide sources even before being asked.
What's really frustrating is when other users criticize me for providing evidence that could be used to counter my claim. I'm not trying to win arguments, I'm trying to show my work so others can correct me if I missed something. I'm here to learn and educate, in that order, yet so many only seem interested in engaging in discussion that jibes w/ their existing opinions. That was a problem on Reddit too, but at least someone would chime in w/ sources much of the time.
Georgiana Brummell likes this.
Georgiana Brummell
in reply to sugar_in_your_tea • • •
sugar_in_your_tea
in reply to Georgiana Brummell • • •
Screen_Shatter
in reply to sunbeam60 • • •It's essentially what the Apple vs FBI encryption legal battle was about years ago:
en.m.wikipedia.org/wiki/Apple%…
I'm not really a fan of apple, but I was very happy they stood their ground on that one. They were absolutely right to do so.
concerns whether and to what extent courts in the United States can compel manufacturers to assist in unlocking cell phones whose data are cryptographically protected
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
granolabar
in reply to Screen_Shatter • • •The public brouhaha surrounding that event makes me think Apple is providing a back door and this psyop was to make people comfortable trusting Apple.
Just a theory though. But Apple is all proprietary so nothing is stopping them from doing whatever they want or whatever FISA order said.
Screen_Shatter
in reply to granolabar • • •
Encrypt-Keeper
in reply to da_peda • • •
umbrella
in reply to return2ozma • • •
capital
in reply to umbrella • • •
WhatAmLemmy
in reply to capital • • •It was the simplest/cheapest form of 2FA to implement. Grandma will never understand how to set up TOTP.
Capitalism requires regulations, otherwise it will ALWAYS do what is cheapest or most profitable, regardless of how dangerous or destructive.
sugar_in_your_tea
in reply to umbrella • • •
Uriel238 [all pronouns]
in reply to return2ozma • • •Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.
Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)
We could have had twenty-four years of robust communications security developments if NSA didn't sell the public out like Judas.
timlyo and granolabar like this.
sugar_in_your_tea
in reply to Uriel238 [all pronouns] • • •Wait, are they melting people down to make soap now? Fight Club wasn't just a meme then...
Uriel238 [all pronouns]
in reply to sugar_in_your_tea • • •
sugar_in_your_tea
in reply to Uriel238 [all pronouns] • • •Looks like I missed that movie, I'll have to check it out.
And I don't think I've ever heard the term "rendering" used in that context, I guess we just used other terminology. Thanks!
Cornelius_Wangenheim
in reply to return2ozma • • •
timlyo likes this.
Routhinator
in reply to Cornelius_Wangenheim • • •
timlyo likes this.
HellsBelle
in reply to Routhinator • • •Adding to this that my Canadian bank just updated their app and it doesn't work with my older phone. So my only option is to use online services with SMS/call verification.
It's such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.
timlyo likes this.
OpenPassageways
in reply to Routhinator • • •
carpelbridgesyndrome
in reply to OpenPassageways • • •They support USB hardware tokens… but only for the website. Everything else is SMS which kinda defeats the point.
Annoyingly, other than Vanguard, they are the only financial institution to support USB FIDO tokens
DankOfAmerica
in reply to carpelbridgesyndrome • • •
DankOfAmerica
in reply to OpenPassageways • • •
sugar_in_your_tea
in reply to Routhinator • • •
dogma11
in reply to sugar_in_your_tea • • •
sugar_in_your_tea
in reply to dogma11 • • •They're fantastic. :)
The only negative stories I've heard are from people who really push the boundaries, like people day trading and whatnot. If you're a regular user looking for a bank alternative, you should be good.
Just know their branches don't really have any banking services, so you can't go there to withdraw or deposit cash, get a cashier's check, etc. I keep an account w/ a local institution and transfer money as needed for banking services.
dan
in reply to sugar_in_your_tea • • •I had a negative experience when initially setting up my account, because of TikTok. This group of kids who called themselves "Fidelity Boyz" discovered that you could deposit a fake check and immediately withdraw the money.
So many people did this that they had to severely lock things down. For most customers, money transferred in either via check or via ACH pull (telling Fidelity to take the money from an account at another bank), was subject to a 16 business day (three weeks and one day) hold. Direct deposits (e.g. paychecks) were not affected, and ACH pushes (when you tell another bank to send the money to Fidelity) were eventually fine too.
It was a big pain. The money I transferred was in limbo for a long time, after I had already switched all my auto-pays over to Fidelity, so I had to switch them all back until the money cleared.
Now that that's over, it's great. I love that they reimburse ATM fees worldwide, and I'm a big fan of their basket portfolios product since it makes it so easy to rebalance a portfolio. Saves me from having to manually do a bunch of calculations, and I love that it has a fixed monthly price instead of being percentage based like roboadvisors.
dan
in reply to dogma11 • • •
Routhinator
in reply to sugar_in_your_tea • • •
sugar_in_your_tea
in reply to Routhinator • • •2FA Directory
2fa.directory
Routhinator
in reply to sugar_in_your_tea • • •
trxxruraxvr
in reply to sugar_in_your_tea • • •
sugar_in_your_tea
in reply to trxxruraxvr • • •twofactorauth/CONTRIBUTING.md at master · 2factorauth/twofactorauth
GitHub
ipkpjersi
in reply to sugar_in_your_tea • • •
sugar_in_your_tea
in reply to ipkpjersi • • •
dan
in reply to sugar_in_your_tea • • •
sugar_in_your_tea
in reply to dan • • •
dan
in reply to sugar_in_your_tea • • •Generate Symantec VIP Access Token as TOTP
Gist
oldfart
in reply to Routhinator • • •My bank prides itself on being the first in the country to support YubiKeys for 2FA. I was so happy until I learned it's just for logging in; transactions are still confirmed by SMS or their app. And security experts all say it's better this way, using a regular 2FA solution would be insecure because you wouldn't know what you're confirming.
There really is no hope.
perviouslyiner
in reply to oldfart • • •User manual Nationwide Card reader security for Internet Banking (English - 2 pages)
www.manua.ls
oldfart
in reply to perviouslyiner • • •I'm not defending that madness, but that device doesn't show who the recipient is. The argument was that this is protection against phishing sites pretending to be a bank, proxying your connection but sending it to a different recipient.
Makes one wonder how much the user has to fuck up to end up in such a scenario, and if it's really worth transmitting everyone's financial data in almost plain text over the air for this
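The property the bank's "you wouldn't know what you're confirming" argument appeals to is that the confirmation code is computed over the payment details the user reads off a trusted screen, so a code approved for one payee verifies only for that payee. The example below is added here to illustrate that point and is not Nationwide's, any bank's, or the card reader's actual implementation; the device key, account identifiers, challenge and HMAC-based code construction are all constructed for the demonstration. It contrasts a transaction-bound code with a code that only answers the bank's challenge, in the proxying scenario described above.

```python
import hashlib
import hmac
import json


def canonical_transaction(tx: dict) -> bytes:
    """Stable byte encoding of exactly the fields the user is shown, so the
    signing device and the bank compute the MAC over the same thing."""
    fields = {k: tx[k] for k in ("recipient", "amount_cents", "currency", "challenge")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def bound_code(device_key: bytes, tx: dict, digits: int = 8) -> str:
    """Code a transaction-signing device displays after the user confirms
    recipient and amount on the device's own screen: HMAC-SHA256 over those
    details plus the bank's one-time challenge, truncated to `digits`."""
    mac = hmac.new(device_key, canonical_transaction(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


def unbound_code(device_key: bytes, tx: dict, digits: int = 8) -> str:
    """A code that only answers the challenge (like a plain login OTP) says
    nothing about which payment it approves."""
    mac = hmac.new(device_key, str(tx["challenge"]).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


def bank_accepts(device_key: bytes, received_tx: dict, code: str, scheme) -> bool:
    """Bank side: recompute the code over the order it actually received and
    compare in constant time."""
    return hmac.compare_digest(scheme(device_key, received_tx), code)


# Constructed scenario (hypothetical key and account identifiers): a proxying
# phishing page relays the user's session but swaps the payee before the
# order reaches the bank.
DEVICE_KEY = b"constructed-device-key-not-real!"
USER_SAW = {"recipient": "GB00EXAMPLE0001", "amount_cents": 12_050,
            "currency": "GBP", "challenge": 48213997}
BANK_RECEIVED = {**USER_SAW, "recipient": "GB00ATTACKER999"}


def proxy_swap_outcome(scheme) -> bool:
    """True if the bank accepts the swapped payee using a code the user
    generated for the payee they actually saw on their device."""
    code = scheme(DEVICE_KEY, USER_SAW)
    return bank_accepts(DEVICE_KEY, BANK_RECEIVED, code, scheme)


if __name__ == "__main__":
    legit = bank_accepts(DEVICE_KEY, USER_SAW, bound_code(DEVICE_KEY, USER_SAW), bound_code)
    print("legit order accepted:", legit)
    print("swapped payee accepted with bound code:", proxy_swap_outcome(bound_code))
    print("swapped payee accepted with unbound code:", proxy_swap_outcome(unbound_code))
```

The defensive takeaway is the one the bank's argument rests on: binding the code to the displayed payee and amount is what defeats a relaying phishing page, while a code that merely proves possession of the device (or of the phone number) does not, regardless of the channel it travels over.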
Phoenicianpirate
in reply to return2ozma • • •
JoeKrogan
in reply to return2ozma • • •
8000gnat
in reply to return2ozma • • •
oldfart
in reply to 8000gnat • • •They will now push proprietary apps which steal your data, so you decide.
In a sane world we would move to YubiKeys or codes like Google Authenticator, but we live in a post-sane technological world
capital
in reply to oldfart • • •
Edieto12
in reply to return2ozma • • •
bokherif
in reply to Edieto12 • • •
trxxruraxvr
in reply to Edieto12 • • •
Arthur Besse
in reply to return2ozma • • •
Cocodapuf
in reply to Arthur Besse • • •
Cocodapuf
in reply to return2ozma • • •Since when was SMS ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient's carrier both have the opportunity to intercept messages.
I mean that's the message content, not the authentication, but still, SMS is the opposite of secure, always has been.
brie
in reply to Cocodapuf • • •
Abnorc
in reply to brie • • •
brie
in reply to Abnorc • • •
JasonDJ
in reply to brie • • •Nah what we need is good privacy-focussed companies getting into the public IAM space.
You know how you can sign into stuff with your Google or Facebook account? And get a 2FA push to your phone?
Like that. Except by a company with a shred of ethics and morality. Like Proton.
I do also think that we all should have a cryptographically secure federally issued identity for official uses such as signing documents or signing into financial accounts and other things that must use your official identity, and not an online pseudonym. Like SSN but on a smartcard. Basically CAC or ECA but for general civilian use.
brie
in reply to JasonDJ • • •Proton is already used for identity management: OTP via email. They'll implement OAuth if there's enough demand for it. A company's purpose is to be profitable, ethics side is largely irrelevant.
Many countries already have digital government ID: Australia, Estonia, Russia.
JasonDJ
in reply to brie • • •Maybe so, but the biggest asset of companies such as Proton is their reputation...a reputation of being privacy-focussed. Without that they are nothing, and they know that. As a result, they try to live up to that reputation as well as possible.
Being as it was started by Sir Tim Berners-Lee (among some of CERN's other founding fathers of the web) is just icing on the cake.
brie
in reply to JasonDJ • • •HotChickenFeet
in reply to brie • • •You can use TOTP with multiple devices. For example with an app on your phone and something like KeePass on your laptop/desktop.
Still not convenient since you don't walk around with this in your pocket - but it doesn't have to be just one point of failure.
brie
in reply to HotChickenFeet • • •
HotChickenFeet
in reply to brie • • •I agree, it's not a perfect system. Even if you do have multiple devices - you may be locked out if you lose your phone while traveling, can have multiple failures.
Although I don't know what is remotely secure and is elderly friendly. Email or SMS 2FA would have been the closest in mind, but it's not secure, and plenty of elderly struggle with both.
brie
in reply to HotChickenFeet • • •
HotChickenFeet
in reply to brie • • •I'm not terribly familiar with the HW keys. Are you able to get multiple keys? I would worry that it would be similar to TOTP, in that if you lose/misplace/don't have the device then you would be locked out.
And I probably wouldn't switch banks for it, it would depend on how much more secure I perceived it and any other bank differences.
brie
in reply to HotChickenFeet • • •Yes, you can have multiple devices with the same seed for the pseudorandom number generator. You can turn any computer into a hardware authenticator. In practice, it depends on the bank or your employer. Google reduced phishing success rate to zero after switching to YubiKey.
As for perception, you really nailed it. It's more important than actual difficulty of gaining access to your accounts. Remember that most articles are written by low-skill blue teamers who manipulate your perception into thinking it's really easy while they don't possess the skills to do it. Always call them out in a manner like "you claim it's easy, have you done it?". They will always say no.
dan
in reply to brie • • •Telecom systems can be (and are) infiltrated though, which is what the FBI is warning about.
SS7 is very insecure. See this video, too: youtube.com/watch?v=wVyu7NB7W6…
- YouTube
www.youtube.com
brie
in reply to dan • • •
john89
in reply to brie • • •cough You can pay a few grand and get access to SS7 networks.
Might be out of reach for most of us, but we can rest assured that any and all security firms and government agencies have access to this information at a moment's notice.
brie
in reply to john89 • • •Simply paying is not sufficient. You need to be a telecom company, or a researcher afaik.
In what world would the US gov care to get into your bank account? Or your Facebook account when it's already tightly controlled?
archchan
in reply to return2ozma • • •
Charlatan
in reply to archchan • • •Yeah. So you, myself, and some others are the exception to the rule. But you can't look at it that way because it's a 'lowest common denominator' problem. The least secure of us means we are all only as secure. Others need to be hand-held.
It's definitely time to raise all boats and drop SMS 2fa like a hot rock.
Kairos
in reply to Charlatan • • •
rottingleaf
in reply to Charlatan • • •The most natural authentication mechanism for humans is a key. That thing you carry with yourself. A physical key containing, well, the actual secret (shouldn't be retrievable, should be used for decrypting access request and signing the response) that, maybe combined with your password (another authentication mechanism natural for humans) or maybe, yes, TOTP, gives you access.
Like those "security keys" Imperial officers in Jedi Outcast carry with them. Maybe a bad example.
Phone numbers are used as identifiers because governments like it, nerds don't like it, and normies explicitly like what nerds don't like and also want everything to be insecure, they call it "having nothing to hide".
Also "normal and social" people have that idea that their social prowess is more elegant, smarter at ensuring their security than those dumb and boring nerd technical solutions. So them always choosing things logically opposite of sane, like social media instead of forums, and phone numbers instead of any other identifier, is literally a matter of principle. It's really not that hard to use something else. They do the stupidest possible thing technically to prove a point that you only have to do the smart thing socially. I mean, in Galileo Galilei's case the other side of the disagreement is generally considered right, but that's not an argument effective in society.
I should admit that I've been doing the opposite - the stupidest possible thing socially to prove a point that only technical sense matters, which is why nobody would send me encrypted mail except Facebook with its notifications, and nobody would write me in Tox, and nobody would even contact me via XMPP. Which is why I'm now using TG, VK, FB, WA and Signal for communication; of these Signal is secure, and WA is kinda better than the rest of them.
dan
in reply to archchan • • •A lot of things are moving to phishing-resistant technologies like FIDO2/WebAuthn or passkeys. All my important accounts, like my password manager, are secured using Yubikeys (one that I keep with me and one as a backup in a secure place).
finitebanjo
in reply to return2ozma • • •The end of an era.
Or actually, probably not until we redo how the whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn't be using a 45 year old system for almost all communications.
Agent641
in reply to finitebanjo • • •Use Telegram.
Not the app, the 200 year old wire radio messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered)
finitebanjo
in reply to Agent641 • • •
mPony
in reply to finitebanjo • • •
𝕸𝖔𝖘𝖘
in reply to finitebanjo • • •In their defense, they JUST applied an update in March 1993, so they're knocking on the doors of cutting edge technology updates -_-
Edit: added link
set of telephony signaling protocols
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
DragonTypeWyvern
in reply to return2ozma • • •
Agent641
in reply to DragonTypeWyvern • • •
randon31415
in reply to return2ozma • • •Authentication for my work email: Enter 28 character password, receive sms, enter message, log in
Authentication for my Battle.net account:
-Enter email made before 2000 because they don't let you change email
-Enter password
-Get rejected
-Solve CAPTCHA
-Try backup passwords, get rejected
-Request new password
-Send request to 24 year old email
-Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email
-Open newer email, Authenticate older email
-Open old email, put in code to Battle.net
-Battle.net requests Authenticator code from Battle.net app
-Open Battle.net app (no requests)
-Try manual code, doesn't work
-Try to connect Battle.net app Authenticator to account
-Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator
-Close Battle.net app
-Open Blizzard Authenticator
-Close warning that this app got deprecated in January
-Enter manual code
-It works
-Attempt to change password to password I first attempted
-Won't let me use same password
-Try logging in using that password
-Still doesn't work - Solve one more CAPTCHA
-Change password to backup password and back to original password - have to solve 2 more Captchas
-Finally works
-Log in
λλλ
in reply to randon31415 • • •That just kept going. I feel you, but maybe try a password manager? You open it up, type blizzard and it tells you exactly what password you used. Even better, it can generate really good passwords for you.
I use bitwarden.
Chaotic Entropy
in reply to return2ozma • • •
𝕸𝖔𝖘𝖘
in reply to Chaotic Entropy • • •
Spacehooks
in reply to return2ozma • • •
Landless2029
in reply to Spacehooks • • •
trxxruraxvr
in reply to Spacehooks • • •
Spacehooks
in reply to trxxruraxvr • • •
trxxruraxvr
in reply to Spacehooks • • •
Spacehooks
in reply to trxxruraxvr • • •