2FA Not secure enough?

In the latest draft of the Digital Authentication Guideline, the rules by which authentication software must abide, the US National Institute for Standards and Technology is preparing to get rid of SMS-based two-factor authentication.

http://www.cnet.com/news/nist-set-to-ban-sms-based-two-factor-authentication/

Comments

  • Ishaq Member
    edited July 2016

    Because mobile providers employ staff that are incapable or are taught insufficient verification methods and are victims of social engineering.

  • Without reading any further I can think of a few reasons 2FA can be spoofed, and I'm no security guru/tin-foil hat.

    Social engineering is one reason, or spoofing cell phone towers. I'm sure the thread could list many more.

  • SSDBlaze Member, Host Rep

    @Ishaq said:
    Because mobile providers employ staff that are incapable or are taught insufficient verification methods and are victims of reverse engineering.

    True

    Isn't 2FA still good when you use it with your Google Authenticator? Or is it just as vulnerable as SMS-Based

  • rds100 Member
    edited July 2016

    ricardo said: or spoofing cell phone towers

    If someone has a large enough budget for a fake cell tower, they can also afford to (much cheaper) send someone to beat you, take your phone, and make you tell your passwords too.

  • SpartanHost Member, Host Rep

    @SSDBlaze said:

    @Ishaq said:
    Because mobile providers employ staff that are incapable or are taught insufficient verification methods and are victims of reverse engineering.

    True

    Isn't 2FA still good when you use it with your Google Authenticator? Or is it just as vulnerable as SMS-Based

    Should be much more secure since your mobile provider has no access to it and no one else will unless they physically have your phone and it's unlocked.

  • Nothing is secure enough.

  • Linus Tech Tips was attacked using social engineering at a cell phone provider. The provider didn't verify who this person was and issued a SIM card, allowing the attacker access to phone calls and SMS messages.

    https://youtube.com/watch?v=LlcAHkjbARs

  • VirMach Member, Patron Provider
    edited July 2016

    There are always going to be vulnerabilities. That's why it's important to remember 2 factor is a second factor in authentication and it should NOT be used as the primary password or as a means of recovery. I remember I saw a major site use just two factor (access key) like it was a breakthrough and not just a security risk. The entire point of two factor is that only you have access to it - and that it cannot be transferred or recovered. Obviously it won't work very well with phone numbers. Once you start adding "convenient" features the security is lost.

    If social engineering works, or just having access to your two factor and not your password works, companies have implemented it incorrectly.

  • jar Patron Provider, Top Host, Veteran
    edited July 2016

    SSDBlaze said: Isn't 2FA still good when you use it with your Google Authenticator? Or is it just as vulnerable as SMS-Based

    A lot of companies still use SMS as a fallback, for 2FA removal and such.

    VirMach said: That's why it's important to remember 2 factor is a second factor in authentication and it should NOT be used as the primary password or as a means of recovery

    This is key. It's a significant safety net but like all nets, it can only hold so much weight. Each piece is merely a piece, and no one piece should be considered solid on its own.

    With all that said, even SMS 2FA is sufficient for average security. If we're talking about preventing drive-by automatic compromises, which easily make up the majority of compromises for average users, it is wildly appropriate. The difference comes in where the user is a specific target of someone else who is motivated to go the extra mile. Admittedly, any of us could find ourselves there at any time; it isn't within our control. However, it is important to note that low-value targets will always be easier to keep safe...if only by lack of interest or cost.

    My thought is that the security should slightly outweigh the value of the data behind it. The more valuable the data, the more security should be employed. My bank statement, for example, is not worth locking in a faraday cage only accessible by retina scanner access.

  • black Member

    SSDBlaze said: Isn't 2FA still good when you use it with your Google Authenticator? Or is it just as vulnerable as SMS-Based

    I believe it's just SMS based. Recent social engineering attacks allowed an attacker to take someone's phone number (by transferring the phone number from the victim's SIM card to the attacker's SIM card). With 2FA via Google Authenticator or any other 2FA in which you entered a pre-shared key or scanned a QR code, it should be theoretically safe from this social engineering attack.
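As an added illustration of the point in the post above (this is editor-added example code, not from the thread or any of its posters): an authenticator app of the Google Authenticator kind computes each code locally from the secret that the enrolment QR code carried (RFC 6238 TOTP), so no code ever transits the carrier network where a swapped SIM could receive it. The otpauth URI and its secret below are constructed; the secret is the RFC 6238 reference key, not any real account's.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI of the kind a TOTP QR code encodes. The secret is the
# RFC 6238 reference key "12345678901234567890" in base32, not a real account's.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def parse_otpauth(uri):
    """Pull the shared secret and parameters out of an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # QR payloads usually omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(key, at, period=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify(key, submitted, at, period=30, digits=6, window=1):
    """Server-side check: accept +/- `window` steps of clock drift, compare in constant time."""
    for step in range(-window, window + 1):
        expected = totp(key, at + step * period, period, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    enrolment = parse_otpauth(EXAMPLE_URI)
    now = time.time()
    code = totp(enrolment["key"], now, enrolment["period"], enrolment["digits"])
    print(enrolment["label"], code, verify(enrolment["key"], code, now, digits=8))
```

Both sides hold only the secret and a clock; the phone number plays no part, which is exactly what a SIM swap cannot reach.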

  • We still use SMS for my company, but:

    We also have things like trusted devices, then 2FA login.
    Doesn't matter if you have 2FA and the password on a new device, as that's not all that's securing it......

  • KuJoe Member, Host Rep

    A lot of big online celebs and companies are getting hacked because of SMS being used as the 2nd factor.

    Up until last week, I could walk into any AT&T wireless store and get a cloned SIM card for any phone if I had the phone number, full name, and address of the person who owned the SIM card (I think a fake ID was required also but I cannot confirm) if the minimum-wage-earning high-school associate behind the counter wasn't extremely diligent or believed a crazy story I made up. I know this because only as of last week did AT&T wireless start enforcing their passcode authorization system in their brick and mortar stores (if you call them up you always have to verify your passcode though).

    AT&T isn't the only provider either. I know Verizon and Virgin Mobile/Bell Canada have been found on multiple occasions to be the cause of hacked clients or services because they would disable an active SIM card and then give a new SIM card to a hacker with the other person's phone number on it in order to bypass SMS verification (Gmail and Google Apps use Google Authenticator for 2FA but if enabled you can bypass 2FA with SMS).

    For most services that offer SMS as a second factor, they also allow password resets via SMS without having to answer any recovery questions.

    SMS is a horrible 2nd factor because of the ease of access to hackers. If you follow certain "news" channels on YouTube you'll see that large channels and businesses have been getting hacked a few times a week for the past few months, and every time it was because of a cloned SIM card used to gain access to their SMS messages.

    One last thing to consider is that PayPal allows SMS/phone as a second factor so people/businesses were losing money in the process of these hacks.

  • KuJoe Member, Host Rep

    @SSDBlaze said:

    @Ishaq said:
    Because mobile providers employ staff that are incapable or are taught insufficient verification methods and are victims of reverse engineering.

    True

    Isn't 2FA still good when you use it with your Google Authenticator? Or is it just as vulnerable as SMS-Based

    It should be but remove all phone numbers from your Google account because if you have a phone number listed anybody with your phone number can reset your Google password and disable 2FA via SMS.

  • SSDBlaze Member, Host Rep

    @KuJoe said:

    @SSDBlaze said:

    @Ishaq said:
    Because mobile providers employ staff that are incapable or are taught insufficient verification methods and are victims of reverse engineering.

    True

    Isn't 2FA still good when you use it with your Google Authenticator? Or is it just as vulnerable as SMS-Based

    It should be but remove all phone numbers from your Google account because if you have a phone number listed anybody with your phone number can reset your Google password and disable 2FA via SMS.

    Good point...

    It'll be interesting to see what new 2nd factor authentication options come out moving forward. Obviously the current methods aren't perfect.

  • KuJoe Member, Host Rep

    @SSDBlaze said:

    Good point...

    It'll be interesting to see what new 2nd factor authentication options come out moving forward. Obviously the current methods aren't perfect

    I started using DuoSecurity for my PCs but continue using Google Authenticator for everything else. A good security measure I found online was to use a pre-paid cell phone as your backup phone for your Google account or any other service that does use SMS for 2FA or recovery. If the attacker doesn't know the phone number they can't social engineer a SIM card.

    Thanked by vimalware

  • With 2FA over SMS, codes often show up in unlocked notification centers even if the phone is locked. That's risky as well.

  • yomero Member

    @CFarence said:
    Linus Tech Tips was attacked using social engineering at a cell phone provider. The provider didn't verify who this person was and issued a SIM card, allowing the attacker access to phone calls and SMS messages.

    https://youtube.com/watch?v=LlcAHkjbARs

    And this man also apparently

    Thanked by GalaxyHostPlus

  • Google Auth should be PW protected. Mine's not and I am not sure it's an option.

    2fa over SMS is pretty lol for all the obvious reasons

  • SSDBlaze Member, Host Rep

    @KuJoe said:

    @SSDBlaze said:

    Good point...

    It'll be interesting to see what new 2nd factor authentication options come out moving forward. Obviously the current methods aren't perfect

    I started using DuoSecurity for my PCs but continue using Google Authenticator for everything else. A good security measure I found online was to use a pre-paid cell phone as your backup phone for your Google account or any other service that does use SMS for 2FA or recovery. If the attacker doesn't know the phone number they can't social engineer a SIM card.

    Thanks for the info - I'll check out DuoSecurity. A pre-paid cell phone is smart too, I'll look into that.

  • tr1cky Member
    edited July 2016

    It's as easy as getting an anonymous sim-card. If nobody knows the name your sim is registered on, how would they get access to it?

    "Dear AT&T support, could you send me the sim for the lowendtalk user jarland please? I'm sorry, I forgot my own name, but I am jarland from lowendtalk for sure!"

  • tommy Member

    I moved my 2FA to Authy.

    I use a pre-paid number (used only for Authy) for activation; it's only $0.2 per SIM card :) and a few cents more per month to keep the SIM card alive.

  • jar Patron Provider, Top Host, Veteran

    @tr1cky said:
    It's as easy as getting an anonymous sim-card. If nobody knows the name your sim is registered on, how would they get access to it?

    "Dear AT&T support, could you send me the sim for the lowendtalk user jarland please? I'm sorry, I forgot my own name, but I am jarland from lowendtalk for sure!"

    Yeah, it's not a bad idea at all. Add to it, switch up your mobile number every now and then. I don't know about you but there are fewer than 10 people who I really care to talk to on the phone regularly ;)
