Re: “Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked

On 12/17/2016 9:47 PM, nospam wrote:
> AL <l452236747@invalid.com> wrote:

>> 2 step verification. Even if someone has my password they can't
>> log on to any of my CC accounts unless they have my phone in their
>> physical possession.
>
> or they intercept it, which isn't particularly difficult.

They would have to be logging in to my CC account on their device having
my user name/password at the exact same time they intercept my phone's
verifying text. How likely is that? Nothing's perfect but that tiny
risk is way better than no 2FA.

> it also won't work at all if you are outside cellular service, where
> you can't get a text, at which point you can't log in *at* *all*.

If I'm out of cell range I can't use my phone's CC app anyway?? And
anyway, my phone is a trusted device so I don't need to log in using 2FA
every time, only the first time.

> Acknowledging there's a risk that SMS messages can be intercepted or
> redirected, NIST is encouraging any service considering adopting
> two-factor authentication in the future to “consider alternative
> authenticators.”

I'll be quick to sign up when they make 2FA better. But the current SMS
risk is teeny tiny compared to the risk of someone using my
name/password in a hack (like Yahoo) when I don't have 2FA.

> The last few months have demonstrated that SMS text messages are
> often the weakest link in two-step logins: Attacks on political
> activists in Iran, Russia, and even here in the US have shown that
> determined hackers can sometimes hijack the SMS messages meant to
> keep you safe.

Which is safer, 2FA or no 2FA?

>> Text notification. I get a text for every CC transaction over $50
>> listing the merchant and amount. I would know quickly of any
>> unauthorized transaction.
>
> easier and *much* safer use the bank's app for that.

Easier? I have all my financial stuff set up like that. I know when a
check is cashed, a dividend is paid, CC transactions, etc. No having to
sign into the separate apps unless I need the encrypted details.

Safer?? Someone getting my text on how much the wife spent at Target??

0
AL
12/18/2016 5:59:11 AM
comp.mobile.android

In article <o358go$bon$1@dont-email.me>, AL <l452236747@invalid.com>
wrote:

> >> 2 step verification. Even if someone has my password they can't
> >> log on to any of my CC accounts unless they have my phone in their
> >> physical possession.
> >
> > or they intercept it, which isn't particularly difficult.
> 
> They would have to be logging in to my CC account on their device having
> my user name/password at the exact same time they intercept my phone's
> verifying text. How likely is that? Nothing's perfect but that tiny
> risk is way better than no 2FA.

it's not 'way better'.

> > it also won't work at all if you are outside cellular service, where
> > you can't get a text, at which point you can't log in *at* *all*.
> 
> If I'm out of cell range I can't use my phone's CC app anyway?? And
> anyway, my phone is a trusted device so I don't need to log in using 2FA
> every time, only the first time.

of course you can, via wifi.

> > Acknowledging there's a risk that SMS messages can be intercepted or
> > redirected, NIST is encouraging any service considering adopting
> > two-factor authentication in the future to “consider alternative
> > authenticators.”
> 
> I'll be quick sign up when they make 2FA better. But the current SMS
> risk is teeny tiny compared to the risk of someone using my
> name/password in a hack (like Yahoo) when I don't have 2FA.

the risk may be small, but so is the risk of someone actually hacking
your bank account and the bank won't hold you liable anyway if they
did.

> > The last few months have demonstrated that SMS text messages are
> > often the weakest link in two-step logins: Attacks on political
> > activists in Iran, Russia, and even here in the US have shown that
> > determined hackers can sometimes hijack the SMS messages meant to
> > keep you safe.
> 
> Which is safer, 2FA or no 2FA?

*proper* 2fa, such as a totp code, not sms, which is not secure.

> >> Text notification. I get a text for every CC transaction over $50
> >> listing the merchant and amount. I would know quickly of any
> >> unauthorized transaction.
> >
> > easier and *much* safer use the bank's app for that.
> 
> Easier? I have all my financial stuff set up like that. I know when a
> check is cashed, a dividend is paid, CC transactions, etc. No having to
> sign into the separate apps unless I need the encrypted details.

there's no need to sign into the app. the bank sends push notifications
for transactions or other activity.

> Safer?? Someone getting my text on how much the wife spent at Target??

cancel her credit card.
0
nospam
12/18/2016 4:30:40 PM
On 12/18/2016 9:30 AM, nospam wrote:
> In article <o358go$bon$1@dont-email.me>, AL <l452236747@invalid.com>
> wrote:

>>> it also won't work at all if you are outside cellular service,
>>> where you can't get a text, at which point you can't log in *at*
>>> *all*.

Of course I can. See below.

>> If I'm out of cell range I can't use my phone's CC app anyway??

> of course you can, via wifi.

Use a strange WiFi for sensitive financial apps? Good security thinking.

But since my devices are trusted I could certainly log in using that
strange WiFi, even with 2FA installed, even with no cell service.

> the risk may be small, but so is the risk of someone actually
> hacking your bank account

Which is the smaller risk, 2FA or no 2FA?

> and the bank won't hold you liable anyway if they did.

Why put up with the hassle of straightening out a bank hack if you can
prevent it with 2FA?

>> Which is safer, 2FA or no 2FA?
>
> *proper* 2fa, such as a totp code, not sms, which is not secure.

You dodged the question. Which is safer, 2FA or no 2FA?

> cancel her credit card.

The CC is much cheaper than divorce...


0
AL
12/18/2016 5:48:49 PM
In article <o36i39$2ks$1@dont-email.me>, AL <l452236747@invalid.com>
wrote:

> >>> it also won't work at all if you are outside cellular service,
> >>> where you can't get a text, at which point you can't log in *at*
> >>> *all*.
> 
> Of course I can. See below.

then you don't have true 2fa.

> >> If I'm out of cell range I can't use my phone's CC app anyway??
> 
> > of course you can, via wifi.
> 
> Use a strange WiFi for sensitive financial apps? Good security thinking.


i didn't say anything about a strange wifi, but regardless, the bank
uses https, which is encrypted, and you can always use a vpn. 

you clearly don't understand how it all works

> But since my devices are trusted I could certainly log in using that
> strange WiFi, even with 2FA installed, even with no cell service.

if you can log in without getting a text, you don't have 2fa.

that also means that if your trusted device is lost/stolen, someone
*else* could potentially log in.

> > the risk may be small, but so is the risk of someone actually
> > hacking your bank account
> 
> Which is the smaller risk, 2FA or no 2FA?

no 2fa, assuming the 2fa you're using uses sms texts.

2 factor authentication is two of:
something you know (password)
something you have (code generator via app, dongle, etc.)
something you are (fingerprint, retina scan, etc.)

a text message sent to you via an unencrypted channel and which can be
intercepted is none of those.

> > and the bank won't hold you liable anyway if they did.
> 
> Why put up with the hassle of straightening out a bank hack if you can
> prevent it with 2FA?

there's nothing to straighten out beyond contacting the bank that your
account was hacked.

and in reality, they probably know already and will be contacting you
first because if their database was compromised, millions of people
will be affected, not just you.

> >> Which is safer, 2FA or no 2FA?
> >
> > *proper* 2fa, such as a totp code, not sms, which is not secure.
> 
> You dodged the question. Which is safer, 2FA or no 2FA?

i didn't dodge it at all.

i gave *two* links that explain why security professionals, including
bruce schneier and the nist, say using text messages for 2fa is an
incredibly bad idea.

> > cancel her credit card.
> 
> The CC is much cheaper than divorce...

not in the long run.
0
nospam
12/19/2016 3:40:21 PM
On 12/19/2016 8:40 AM, nospam wrote:
> AL <l452236747@invalid.com> wrote:

> you don't have true 2fa.

What's true 2FA? Google wants to know.

> you clearly don't understand how it all works

You clearly don't understand the various ways 2FA can work.

>> But since my devices are trusted I could certainly log in using
>> that strange WiFi, even with 2FA installed, even with no cell
>> service.
>
> if you can log in without getting a text, you don't have 2fa.

Course I do. Google says so. And I still have the 2FA protection because
someone knowing my name/password trying to hack my account on a strange
device would generate a text to *my* phone. He would be unsuccessful and
I would be warned of the hack attempt. And of course that scary
unencrypted text you worry so much about is only sent once to a trusted
device for the life of the app - many months in my case.

> that also means that if your trusted device is lost/stolen, someone
> *else* could potentially log in.

Nope. They would need several further passwords to break in both the
device and to each separate app.

> 2 factor authentication is two of: something you know (password)
> something you have (code generator via app, dongle, etc.) something
> you are (fingerprint, retina scan, etc.)

Google can save passwords on the device for you, is that no longer a
real password? And Google can save a 2FA code on a trusted device, is
that no longer 2FA?

> a text message sent to you via an unencrypted channel and which can
> be intercepted is none of those.

On a trusted device the text code is sent only once for the life of the
app, perhaps once in months. Not a real big security risk IMO.

> there's nothing to straighten out beyond contacting the bank that
> your account was hacked.

Bwahahahah!!! You've obviously never dealt with my bank...

> and in reality, they probably know already and will be contacting
> you first because if their database was compromised, millions of
> people will be affected, not just you.

Yup. Twice already for me. Change passwords and free credit monitoring.
Big Whoop.


> i gave *two* links that explain why security professionals,
> including bruce schneier and the nist, say using text messages for 2fa
> is an incredibly bad idea.

Perhaps. But using texted 2FA rather than no 2FA is still an incredibly
good idea.

0
AL
12/19/2016 11:33:38 PM
In article <o39qlp$2gu$1@dont-email.me>, AL <l452236747@invalid.com>
wrote:

> 
> > you don't have true 2fa.
> 
> What's true 2FA? Google wants to know.

no they don't, since they know exactly what it is already, given that
they offer proper totp 2fa, with several third party apps that can
generate the codes. nothing is sent over the air.

> > you clearly don't understand how it all works
> 
> You clearly don't understand the various ways 2FA can work.

more than you do, that much is clear.

here's more:
<http://thehackernews.com/2016/07/two-factor-authentication.html>
  However, NIST argues that SMS-based two-factor authentication is an
  insecure process because it's too easy for anyone to obtain a phone
  and the website operator has no way to verify whether the person who
  receives the 2FA code is even the correct recipient.

  In fact, SMS-based two-factor authentication is also vulnerable to
  hijacking, if the individual uses a voice-over-internet protocol
  (VoIP) service, which provides phone call service via a broadband
  internet connection instead of a traditional network.

  Since some VoIP services allow the hijacking of SMS messages, hackers
  could still gain access to your accounts protected with SMS-based
  two-factor authentication.

  Also, the designing flaws in SS7 or Signalling System Number 7 also
  allows an attacker to divert the SMS containing a one-time passcode
  (OTP) to their own device, which lets the attacker hijack any
  service, including Twitter, Facebook or Gmail, that uses SMS to send
  the secret code to reset account password.

  Even some devices leak secret 2FA code received via SMS on the lock
  screen.

> >> But since my devices are trusted I could certainly log in using
> >> that strange WiFi, even with 2FA installed, even with no cell
> >> service.
> >
> > if you can log in without getting a text, you don't have 2fa.
> 
> Course I do. Google says so. And I still have the 2FA protection because
> someone knowing my name/password trying to hack my account on a strange
> device would generate a text to *my* phone. He would be unsuccessful and
> I would be warned of the hack attempt. And of course that scary
> unencrypted text you worry so much about is only sent once to a trusted
> device for the life of the app - many months in my case.

all they need to do is intercept the sms messages, or even better,
activate a new sim/phone under your account. 

now the 2fa codes go to the bad guys, and as for the passwords, they
can be phished, guessed or obtained in other ways.

<https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief>
  A few weeks ago an unknown person walked into a mobile phone store,
  claimed to be me, asked to upgrade my mobile phones, and walked out
  with two brand new iPhones assigned to my telephone numbers. My phones
  immediately stopped receiving calls, and I was left with a large bill
  and the anxiety and fear of financial injury that spring from
  identity theft. This post describes my experiences as a victim of ID
  theft, explains the growing problem of phone account hijacking, and
  suggests ways consumers and mobile phone carriers can help combat
  these scams.
0
nospam
12/19/2016 11:55:28 PM
On 12/19/2016 4:55 PM, nospam wrote:
> AL <l452236747@invalid.com> wrote:

>> What's true 2FA? Google wants to know.
>
> no they don't, since they know exactly what it is already, given that
> they offer proper totp 2fa, with several third party apps that can
> generate the codes. nothing is sent over the air.

Google has several ways to do 2FA. None is ID'ed to be 'true'.

> NIST argues that SMS-based two-factor authentication is an insecure
> process because it's too easy for anyone to obtain a phone and the
> website operator has no way to verify whether the person who
> receives the 2FA code is even the correct recipient.

This would apply to both text 2FA and your true 2FA.

> Since some VoIP services allow the hijacking of SMS messages, hackers
> could still gain access to your accounts protected with SMS-based
> two-factor authentication.

My trusted device apps don't request 2FA codes to hijack. (I don't use
VOIP anyway.)

> Also, the designing flaws in SS7 or Signalling System Number 7 also
> allows an attacker to divert the SMS containing a one-time passcode
> (OTP) to their own device, which lets the attacker hijack any
> service, including Twitter, Facebook or Gmail, that uses SMS to send
>  the secret code to reset account password.

Ditto last answer. Unless they catch me when I request that one new code
sometime in the future (probably next few months). Unlikely IMO.

> Even some devices leak secret 2FA code received via SMS on the lock
> screen.

Leak? There is a setting on my phone that allows texts on the lock
screen. I have it turned off.

> all they need to do is intercept the sms messages,

No 2FA codes to intercept from me in quite awhile.

> or even better, activate a new sim/phone under your account.

Perhaps make calls? But not much else in my name without my Google account.

> now the 2fa codes go to the bad guys,

Without the name/password for my apps there's no way to request a code.

> and as for the passwords, they can be phished,

Getting phished? An idiot problem, not a 2FA problem.

> guessed

Not in my case.

> or obtained in other ways.

Vague...So I will apply it to both text 2FA and your true 2FA.

> identity theft. This post describes my experiences as a victim of ID
>  theft, explains the growing problem of phone account hijacking,

Shit happens. Not sure how you think your true 2FA would help here...

0
AL
12/20/2016 3:19:38 AM
In article <o3a7th$ues$1@dont-email.me>, AL <l452236747@invalid.com>
wrote:

> >> What's true 2FA? Google wants to know.
> >
> > no they don't, since they know exactly what it is already, given that
> > they offer proper totp 2fa, with several third party apps that can
> > generate the codes. nothing is sent over the air.
> 
> Google has several ways to do 2FA. None is ID'ed to be 'true'.

i didn't say true. i said proper. do not twist what i say.

sms 2fa is not 2fa and trivially hacked. 

> > NIST argues that SMS-based two-factor authentication is an insecure
> > process because it's too easy for anyone to obtain a phone and the
> > website operator has no way to verify whether the person who
> > receives the 2FA code is even the correct recipient.
> 
> This would apply to both text 2FA and your true 2FA.

nope and it's not mine. it's an industry standard.

with totp, there is no code to receive which means it *cannot* be
intercepted. the code is generated by the user, either with an app or a
physical key, and must match the code generated by the provider, which
is valid for 30 seconds (typically).

> > Since some VoIP services allow the hijacking of SMS messages, hackers
> > could still gain access to your accounts protected with SMS-based
> > two-factor authentication.
> 
> My trusted device apps don't request 2FA codes to hijack.

then you don't have 2fa.

> (I don't use
> VOIP anyway.)

your loss.

> > Also, the designing flaws in SS7 or Signalling System Number 7 also
> > allows an attacker to divert the SMS containing a one-time passcode
> > (OTP) to their own device, which lets the attacker hijack any
> > service, including Twitter, Facebook or Gmail, that uses SMS to send
> >  the secret code to reset account password.
> 
> Ditto last answer. Unless they catch me when I request that one new code
> sometime in the future (probably next few months). Unlikely IMO.

if you're requesting codes every couple of months, you aren't using 2fa.

> > Even some devices leak secret 2FA code received via SMS on the lock
> > screen.
> 
> Leak? There is a setting on my phone that allows texts on the lock
> screen. I have it turned off.

you might. others don't. and even if you do disable it, all it takes is
intercepting them.

> > all they need to do is intercept the sms messages,
> 
> No 2FA codes to intercept from me in quite awhile.

which means you're not actually using 2fa.

> > or even better, activate a new sim/phone under your account.
> 
> Perhaps make calls? But not much else in my name without my Google account.

phone calls aren't the issue, but that won't work for you either.

> > now the 2fa codes go to the bad guys,
> 
> Without the name/password for my apps there's no way to request a code.

someone who has hijacked your phone will already have all of that.

> > and as for the passwords, they can be phished,
> 
> Getting phished? An idiot problem, not a 2FA problem.

not an idiot problem.

people who are smart enough to know not to be phished get phished,
including reporters doing research on phishing and *expecting* to be
phished so they're on the lookout for suspicious activity.

> > guessed
> 
> Not in my case.

ignorance is bliss.

> > or obtained in other ways.
> 
> Vague...So I will apply it to both text 2FA and your true 2FA.

nothing vague about it and it's not my 2fa. 

how a system is hacked does not matter. what matters is that the
passwords get compromised.

> > identity theft. This post describes my experiences as a victim of ID
> >  theft, explains the growing problem of phone account hijacking,
> 
> Shit happens. Not sure how you think your true 2FA would help here...

because compromising someone's account with 2fa is *extremely*
difficult.

you're in way over your head.
0
nospam
12/23/2016 12:15:16 AM