How to bypass Sprint/T-Mobile 2FA in under 5 minutes (reddit.com)
397 points by OJFord on Aug 23, 2021 | 202 comments



Security and convenience are usually in direct competition with each other. Customer service people have to listen to people yell at them when convenience is sacrificed and aren't held accountable for security problems. They therefore optimize for customer convenience. I don't completely fault them for it. If anyone has had the frustration of sitting on the phone with a customer service rep trying to remember a PIN code that was set up 5 years ago when signing up with an ISP and was never thought about since, you can probably understand it.

It is easy to blame a single person or a single company for poor practices, but I have yet to encounter any real solution to this problem that allows someone to prove they are who they say they are which is able to hit the sweet spot between too many false positives (hijacked accounts) and too many false negatives (valid customers locked out).

If I was a security-minded person looking for startup ideas, this is the problem I would be looking to solve.


We already have a solution: WebAuthn.

Almost every phone and laptop today supports it, and you can optionally have a backup in the form of a $10 keychain device or 24 words written on paper.

This does mean people will be best off to keep at least one backup safe with other things they can't afford to lose like their SSN card and drivers license.

Once WebAuthn is set up, then day to day, as long as a person has not lost -all- their devices, remote identity verification can be fast tracked.

If they have lost all their devices it would be like if they lost all citizenship paperwork and will be a longer, generally in person, process involving reference verification and a waiting period.


> Almost every phone and laptop today supports it

Eh.

I'm super excited for WebAuthn, but unless my sources are out of date it's far from being supported everywhere (https://webauthn.me/browser-support).

A giant challenge with WebAuthn is the lack of platform authenticator integrations, particularly on Linux. You basically need to buy a separate key. And if you're on Android and you swapped out Chrome for Firefox (which you should do) then even the physical key stops working.

I desperately want to start using WebAuthn everywhere and I desperately want to start encouraging devs to swap over to it for most new logins. But I don't think I can. I don't know that I own a single phone or desktop that as configured can use WebAuthn without a security key. If I'm doing something wrong, or if there's some config option that just hasn't gotten flipped by default on platforms like Firefox Linux, then I'd love to know.


I made a FIDO token (a platform authenticator) implementation that uses the TPM to protect your private keys on Linux: https://github.com/psanford/tpm-fido


As I understand this, if malware is on the machine it can do unlimited WebAuthn validations in the background without user interaction.

Anchoring to physical human interaction with a button or biometric sensor is a huge security property I don't think current gen TPMs can solve for.

In a typical implementation someone must be present at the machine expecting a tap, and tapping.

That said, overall this is a clever best effort for when a TPM is all a user has and you at least want to prove a given machine is involved with it.


If malware is on the machine you are basically screwed anyway. A threat model where you happen to never authenticate with a service while you have the malware installed is not especially compelling.


That's really cool. Is it possible to use it without a hardware TPM, for testing? I have used rust-u2f in the past for that purpose.


Yup, there's a flag `-backend memory` that generates ephemeral keys in memory.


It is supported in virtually all current gen phones/laptops.

Giving up WebAuthn and thus trading security for privacy by dumping Chrome for Firefox is a raw deal. If privacy is a concern run a de-googled ROM like CalyxOS which ships defanged Chromium so you get to have vital security features like WebAuthn without giving up privacy.


> so you get to have vital security features like WebAuthn without giving up privacy.

Yes, Chrome phoning home is a concern to me, but a much bigger concern is the lack of mobile extension and adblock support. Defanged Chromium doesn't solve that problem. Even desktop deGoogled Chromium is just an inferior browser when it comes to privacy right now; it has fewer extension APIs than Firefox and it's missing built in Firefox privacy features like containers.

But on mobile, giving up the ability to run extensions entirely? I'm not sure I can substantively argue whether giving up adblocking is a bigger security tradeoff than giving up webauthn. But it's definitely a pretty big privacy tradeoff given the current state of the mobile web.

I don't know, maybe this is a solved problem. I haven't really looked into CalyxOS. Does it patch mobile Chromium to support extensions? Can I trust the devs to do that securely?

----

Edit: so I did look into this, and it looks like MicroG just doesn't support WebAuthn at all: https://github.com/microg/GmsCore/issues/849, https://bugs.chromium.org/p/chromium/issues/detail?id=997538

So if anything, that gives me a lot more confidence to claim that this is not widely supported yet and people shouldn't be calling WebAuthn a universal drop-in replacement for other systems.

Not to say that WebAuthn is bad, I expect these problems will be solved over time and support will widen. I do think WebAuthn is the obviously correct long-term solution. But I think the "virtually all" language used here is not currently accurate. At best I'm seeing some (very small) repos trying to work around the problem, and I'm not convinced it's good security practice to entrust login tokens to under-audited 3rd-party services.


The ideal solution should hopefully handle a "mugged in a foreign country" hypothetical. If a normal person traveling abroad loses both their wallet and phone, would they be able to regain access to their digital life before they got home? With Sprint/T-Mobile's current approach, the answer would be yes. With WebAuthn, it is a big maybe and is probably a no for most people. We are back at the security versus convenience choice.


If someone loses their passport while traveling they are often locked out of access to their home country, let alone their digital life.

It is not permissible to use digital backup copies of paper identity documents in most countries but with digital identity you can make all the backups you want and store them places hard to lose. Travelers would be wise to do so. It is free and reasonably easy. There is just a training gap, the tech is here.

Personally I keep an AES encrypted backup needed for emergency recovery of my digital life implanted in my body. Others I know use NFC rings.


First starting point for "I lost my passport" should be "visit your embassy in the country you are in".

It may not be an instant solution, but should normally result in a temporary passport you can use to travel home with, then once home you should be able to bootstrap from there.


If you lose your passport while in a foreign country you’re permanently locked out of ever traveling back home? That can’t possibly be true. I can see it being hard if you have no living family though.


I think most people carry their security keys on their keyring. And since most muggers don't demand keys I think people should generally be safe.


Except many people keep their keyring in their bag and muggers often just grab the bag.


Then keep another key somewhere else, like with a fellow traveler or at the hotel. This is why people make copies of physical keys.

All security is physical security. We need to end the delusion that it is not or can somehow be bypassed, and embrace it instead.


And when you get mugged in transit from the hotel to the airport or vice versa your plan falls apart. Unless you are going to pay someone to drive a different route in a different car with your hardware key...


Good luck making a copy of a security key - most are designed to prevent that (for valid-ish reasons) and the only other option (always enroll two keys) has a host of other problems, especially since in the "always carry two" case you need to also keep a third one at home.


I have encrypted backups and duplicates of all my security keys.

You simply need to choose a security key that supports BIP39 backups like a Trezor or Ledger.

As an alternative most sites support enrolling multiple keys.


You can’t duplicate hardware MFA keys. You’d have to individually set up the second device everywhere you use MFA, and many services only support a single device (looking at you, AWS).


> many services only support a single device (looking at you, AWS)

I really wish people would stop doing this.

It's not "many services" it's one service. "Many women have played the role of Ellen Ripley in the Alien movies (looking at you, Sigourney Weaver)". No. One woman did that and you just named her, not many.

Don't use "many" to mean, "Well, one, but when I wrote that it didn't seem like I had a point worth making". If you instead present this as "AWS is broken" then we see what the problem actually is and who needs to fix it.


> many services only support a single device (looking at you, AWS).

We can (finally) take AWS off that list.

I can say I was pleasantly surprised recently by being able to enroll multiple MFA Tokens and device types, for a single IAM SSO User.

Don't know the restrictions on it, but https://aws.amazon.com/iam/features/mfa/ probably has more details.


This is inaccurate.

You can't duplicate entry level devices like Yubikeys but hardware wallets like Ledger and Trezor both support backup of FIDO seeds in the form of 24 English words you can store endless ways, or recover to a secondary device.

I have duplicates of all my MFA keys.

These devices are also more secure as they show you the website you are approving on screen to avoid being tricked by malware.


> Then keep another key somewhere else, like with a fellow traveler or at the hotel

Hotels aren’t safe for valuables and people travel alone. We’re getting pretty far removed from convenience here as well. Might as well suggest people keep their keys shoved up their ass.


Buttplug with yubikey integrated. Startup idea of the year :P


A 24 word mnemonic FIDO backup seed can fit AES256 encrypted in a 1K NFC tag, which come in sizes as small as a grain of rice.

You can store it in a subdermal implant, under the sole of your shoe, a belt buckle, or in a finger ring or other jewelry.

Options are endless.


Maybe we could just use something that can't be stolen. Something like a shared secret that is exchanged through secure channels beforehand and then only resides in the user's permanent memory. The second party could even use some kind of novel mathematical function that maps arbitrarily sized secrets to a seemingly random fixed size value that is both sufficiently different for similar inputs and big enough to avoid collisions. That would allow them to not store the secret in plain text as they could just compare the output of the function with the previously saved one to verify that the secret the user gave is most likely correct.


> If they have lost all their devices it would be like if they lost all citizenship paperwork

If you're running something like a phone company in the US, millions of the people you service probably aren't citizens. If your process is "longer, generally in person, process involving reference verification and a waiting period", then your competitor will get those customers instead. Prepaid plans first became very popular in the US in part because they do not require bank accounts or SSNs.


"24 words written on paper."

That's cool, I didn't realise it was possible to backup the webauthn secret this way.

I googled but couldn't find any documentation on how to set this up, could you let me know how you set this up?

Not being able to make backup of the Webauthn secret is why I have stuck with TOTP so far.


It's not exactly part of the webauthn standard. Or at least not a described part, it falls under the 'roaming authenticator' and 'backup credentials' mentioned in the spec, effectively it's a function that generates a crypto key where the key matter is the 24 randomly chosen words. It's basically just _another_ key that a service can set up and store for you, but encrypted with the secret they share with you up front in the form of those words.


The Ledger hardware wallet can act as a FIDO U2F (probably other hardware wallets as well). And to back up a hardware wallet you write down the 24 words…


People can't recall their 4 pin password, but you think they will store docs in a safe?

The problem is, no matter what you tell the average person, they are not capable of such diligence.


Then they will experience pain at some point, and that pain will cause them to seek out ways to not have that pain in the future.

Ask anyone who makes diligent backups why they do it. You will hear a story of pain that taught them.

This is sadly just how most humans work.


There are those which learn from such things, this is true.

There are those which will never, ever learn. Ever. And it is a large part of the population.


Why are only very few services supporting WebAuthn?

Google and github support WebAuthn, but most services only support OATH-TOTP, OATH-HOTP or even worse only their own app.


If something doesn't support Web'n'Auth you can use TOTP with a Yubikey, the TOTP moves with the key, much better than those dumb authenticator possibly-spyware apps.


Generating the 6 digit codes from a TOTP seed is < 10 lines of python and requires only core modules. Meaning it's pretty easy to find or make a client you would trust.


Since moving my totp keys onto a yubikey, I device hop with wild abandon since I know I can't accidentally bork my 2fa, it's great.


> much better than those dumb authenticator possibly-spyware apps

If the google or microsoft TOTP app is spyware, I have bigger problems.

I don't see what's dumb about them either.


They are dumb because

- they involve storing secrets on a readable filesystem

- are tied to a particular instance of a filesystem, not actually tied to a piece of hardware, which fails the "something you have" part of 2FA

- either (a) fail if you reinstall your OS, OR (b) need to transmit secrets to Google and Microsoft to allow you to reinstall the OS, both bad

With Yubikey TOTP you cannot read back the secret, the hardware itself doesn't provide an interface to do that.


For a normal user with an app that doesn't allow export, it's more or less equivalent to a yubikey. There's no reasonable way to get the secrets out of a locked phone or a yubikey, but an expert with a lot of resources probably could. And a normal user isn't reinstalling their phone OS so that worry's out of the way.

For apps that do allow export/transfer, it's up to the user if they want to keep the secret safe. But really at some point it's up to the user no matter what method or hardware you use.

And since most sites don't have an easy way to have multiple tokens, allowing export/transfer also reduces the temptation to insecurely store a copy of enrollment QR codes.


Reluctantly I think my conclusion is the majority of services do not care.


>drivers license

How does anyone keep their drivers license in a safe? If they don't drive?


SWIM can confirm it is easy to get duplicate ID documents if you "lose" one.

Always have backups of these. I know people who lost all their docs and ID in a fire and it took over a year to recover.

At one point all they had to go on was an old scan of a drivers license they could fax people as "proof" of ID.


At least in the places I've been in the US, law enforcement doesn't seem to care if you have your physical license with you. They just look it up, since they are doing that anyway...whether you have it or not. I'm sure that varies, though.


No--in CA you need a drivers license, proof of insurance in your vehicle, or you get a fat ticket.

(It makes no sense because they have a digital picture of you provided by DMV in their cruisers, along with proof of insurance?)


That's very surprising. How do they look up your license? Using your name?

Driving without a license in your "immediate possession" is definitely against the law in California[1] and I've never met someone that intentionally leaves it at home. Restaurants that card for alcohol also make this a no-go for most people.

1: https://leginfo.legislature.ca.gov/faces/codes_displaySectio...


In the UK you don't have to carry your license or insurance while driving - although you can be required to give your name, and to take those documents to a police station within 7 days. For certain crimes they can also arrest you and/or seize your vehicle.

Of course, in the UK car registration plates are issued and attached by the dealer, before a car's first sale, and they never expire. So they can find the registered keeper of a vehicle just by looking at the plates.


>Of course, in the UK car registration plates are issued and attached by the dealer, before a car's first sale, and they never expire. So they can find the registered keeper of a vehicle just by looking at the plates.

Yet another situation where foreign registered vehicles are essentially immune from UK traffic enforcement.


That's not that big a deal since the UK is essentially cut off from foreign countries by water (except for Northern Ireland, but there's already a ton of exceptions around that...) I wouldn't be too surprised if foreign plates got pulled over randomly just because it's so rare.


At least London is completely full of foreign cars, and it's really easy to drive to the UK thanks to eurotunnel and the ferries.


> with other things they can't afford to lose like their SSN card and drivers license.

Both of those things are trivial to replace.


If you lose all your ID and don't have family to vouch for you, getting ID back is a real nightmare. I have seen it take months even with living family in the picture.

Getting access to an AWS root account you are locked out of however just requires -photos- of identity documents and billing verification etc.

I would way rather have the latter problem.


I've never used it, but I've always been impressed with NearlyFreeSpeech's recovery procedure, at least as listed:

https://www.nearlyfreespeech.net/about/faq#LostEverything

It's on the paranoid end of usable, it seems to me


> I have yet to encounter any real solution to this problem

I can think of a number of solutions. One of them might be taking advantage of timing + an external contact:

0. Require a point of contact upon signup.

1. If any change requires bypassing ordinary authentication, ask contact to approve.

2. If they approve within M minutes, authorize.

3. If they don't reply within H hours, authorize.

4. If contact rejects operation, then deny.

5. If customer disputes denial, require them to wait O(days) for some out-of-band resolution mechanism (like mail verification, video call + ID verification, or whatever makes sense given the context).

(You can also allow the customer to customize the behavior here if they're e.g. particularly paranoid and want longer delays or explicit approval or whatever... lots of possible variations on this method.)
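The timed contact-approval scheme in steps 0 to 5 above, written out as a small state machine so the edge cases are explicit: an approval, a rejection, silence running past H hours, a late reply arriving after silence already authorized, a dispute with its O(days) out-of-band check, and the paranoid per-customer option where silence never authorizes. This is an added example, not any company's code; the M/H/O values, the `at()` helper and the reading that an approval arriving any time before the H-hour deadline counts are assumptions of mine.

```python
"""Contact-approved account recovery: an added example modelling the scheme
from the comment above. Time values are constructed defaults, not real policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Status(Enum):
    PENDING_FAST = "awaiting contact, inside the M-minute window"
    PENDING_SLOW = "awaiting contact, silence authorizes after H hours"
    AUTHORIZED = "authorized"
    DENIED = "denied by contact"
    DISPUTED = "customer disputing denial, out-of-band check pending"


@dataclass
class RecoveryPolicy:
    fast_window: timedelta = timedelta(minutes=15)     # "M minutes" (assumed value)
    silence_timeout: timedelta = timedelta(hours=48)   # "H hours" (assumed value)
    dispute_wait: timedelta = timedelta(days=5)        # "O(days)" (assumed value)
    explicit_approval_only: bool = False               # customer opt-in: silence never authorizes


@dataclass
class RecoveryRequest:
    opened_at: datetime
    policy: RecoveryPolicy
    contact_reply: Optional[bool] = None   # True approve / False reject / None no reply yet
    replied_at: Optional[datetime] = None
    disputed_at: Optional[datetime] = None
    oob_verified: Optional[bool] = None    # result of mail / video-call + ID verification

    def status(self, now: datetime) -> Status:
        p = self.policy
        if self.contact_reply is True:                   # step 2
            return Status.AUTHORIZED
        if self.contact_reply is False:                  # step 4
            if self.disputed_at is None:
                return Status.DENIED
            if self.oob_verified is False:
                return Status.DENIED
            if self.oob_verified and now - self.disputed_at >= p.dispute_wait:
                return Status.AUTHORIZED                 # step 5, after the waiting period
            return Status.DISPUTED
        # no reply from the contact so far
        if not p.explicit_approval_only and now - self.opened_at >= p.silence_timeout:
            return Status.AUTHORIZED                     # step 3
        if now - self.opened_at < p.fast_window:
            return Status.PENDING_FAST
        return Status.PENDING_SLOW

    def record_reply(self, approved: bool, at: datetime) -> bool:
        """First answer wins. A reply that lands after silence already
        authorized the change is logged by the caller but cannot undo it."""
        if self.contact_reply is not None or self.status(at) is Status.AUTHORIZED:
            return False
        self.contact_reply, self.replied_at = approved, at
        return True

    def dispute(self, at: datetime) -> bool:
        """Customer contests a denial: starts the O(days) out-of-band path."""
        if self.status(at) is not Status.DENIED:
            return False
        self.disputed_at = at
        return True

    def record_oob_result(self, verified: bool) -> None:
        self.oob_verified = verified


# Constructed reference time for scenarios and tests.
T0 = datetime(2021, 8, 23, 12, 0)


def at(**delta) -> datetime:
    """T0 plus a timedelta, e.g. at(minutes=5) or at(days=6)."""
    return T0 + timedelta(**delta)


if __name__ == "__main__":
    req = RecoveryRequest(T0, RecoveryPolicy())
    for mark in (at(minutes=5), at(minutes=30), at(hours=48)):
        print(mark.isoformat(), "->", req.status(mark).value)
```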


> I have yet to encounter any real solution to this problem that allows someone to prove they are who they say they are

I think the solution is third-party attestation.

The government can offer an identity service - it doesn't need to be linked to your real-person, but could simply require proof of residency (by say, mailing you a postcard that you would bring in), but once established, you could use this service to attest your identity to third-parties.

There are companies that increasingly offer this service (like Facebook, Google, Amazon, and Apple) but I think they struggle to avoid conflicts-of-interest in offering this service, so they make me nervous how popular they are becoming in the US and UK.

Where I live, the government provides a smartcard which you can use with government websites and a few non-government sites, and this is used as a second-factor for making critical changes. If I lose this smartcard, I have to go into a government office with some documentation to start the process of getting a new one (where it will be mailed to me, and I can bring it in with documentation to be activated).

I don't find this onerous; I don't have to use the smartcard to do any "normal" things -- the non-government sites (and some of the government sites) allow me to log in using just a password and a mobile-app, but if I were to lose my phone (or my password), I know I have a government-provided recovery mechanism.

Finally, anticipating a particular antagonist of this idea: As far as I know, the government doesn't actually know what services I use this smartcard with (unless the company shares this information, but we already know Facebook and Google and probably Amazon and Apple do) and I have multiple cards with different identifying details on them, so I think any privacy risk is minimal.


Sounds overly complicated. Don't you have ID cards in your country?


The smartcard is an ID card.


I've seen a lot of both private (MGM properties in Vegas, at least Vdara) and public (CA DMV) using id.me for this purpose. It actually works really well.


I believe id.me is a corporation that sells your personal data, and the identity-holder doesn't benefit from id.me selling their data. Their privacy policy makes mention of list-scrubbing services and marketing uses of data, and other shady things that I understand are quite normal in the US, but make me nervous.

This is part of what I was referring to by "conflicts of interest": I don't see how any private corporation could possibly be trusted to do this.


I agree with you that this is something that should be served either publicly or with extremely strong regulatory oversight.

I was pointing them out more from a product perspective, I think the fact that it’s such a genuinely useful product validates everything you said.


> It is easy to blame a single person or a single company for poor practices, but I have yet to encounter any real solution to this problem that allows someone to prove they are who they say they are which is able to hit the sweet spot between too many false positives (hijacked accounts) and too many false negatives (valid customers locked out).

We're getting there. Authentication comes down to three things, "Something you know (a password in your head), something you have (a private key, or a phone that gives you a code), and something you are (your face, a retinal scan, or a fingerprint)".

In most cases, people won't lose what they are. There are of course exceptions, such as injuries by fire - which brings us right back to step one, hounding poor support agents with a (possibly fabricated) sob story. The weakest link is often the support folks who can press a button and allow the attacker to authenticate.


The PUK itself is one such method. An ID is another. Have a separate contact #. And so on. There are many ways, but the essence is to have something out-of-band. It's really very simple.

Generally speaking, there are three classes of auth, who you are, what you have, and what you know. Single factor auth is meaningless, which is why many people are stumped by this situation. Use two factor auth, which is verification from two separate categories. Certain industries use 1.5 auth.

There are also software and hardware tokens. Those are generally what you have (and might spill into what you know), but are also time-bound.

Ultimately, security is risk-management. Risk can also be transferred, such as by using a different identity provider. Then it is no longer the company's issue to solve.


This is exactly the problem/solution we're working on at https://www.sharehold.com :)

You're quite right that it is about striking that balance. We do it by keeping the app focused on recovery codes. From there, users can optionally assemble their own personal recovery team of trusted contacts.

Either way, users get the same universal account recovery experience for every one of their accounts on every service.


I don't think yelling at customer service is nearly as common as it was years ago.

Why?

The person on the other end usually doesn't speak the same language, or if they do--it's not their native tongue.

There's no point in getting mad when they don't quite understand why you are calling in the first place.

Companies need to stop outsourcing Customer Service to the cheapest country.

Having a command over the customer's language might prevent a lot of security mixups?


> There's no point in getting mad

This has never stopped people getting angry.


The ideal would be DNA-based authentication. You go to their store, they prick you and use rapid sequencing to verify that you are who you say you are.


If you have to go to a store, wouldn’t a government issued ID be sufficient and less invasive?


What if you lose your government ID? What if someone fakes your ID?


What if someone bribes the person taking the dna sample? Corrupt telecom employees have already been complicit in ID fraud by redirecting SMS traffic to attackers.

How does the business know the DNA used to set up an account for Bob comes from him and not from attacker Bill? They would have to take his ID at his first visit so you’re still vulnerable to ID fraud.

We can argue back and forth but IMO the DNA idea has two problems: 1 It is too invasive as it requires customers to reveal their DNA to the business. 2 It is impractical. Firstly, the technology doesn’t exist. Secondly, it requires a physical visit to authenticate.


Or it turns out you are officially dead.

BBC News - India's living dead: 'They stared at me like I was a ghost' https://www.bbc.co.uk/news/stories-58259497


I'm pretty sure I've seen sci-fi movies where they get around this with a fake layer of skin applied and engineered/stolen blood with the desired DNA.

Biometrics are never perfect. Sometimes they can be forged (even something as simple as a printout of a human face looking in a camera), other times you take advantage of a tech vulnerability to feed the desired biometric data in directly without needing to produce anything physical at all.


This sort of thing actually happened

https://en.wikipedia.org/wiki/John_Schneeberger

>John Schneeberger (born 1961) is a North Rhodesian-born former physician who drugged and raped one of his female patients and also his stepdaughter while a physician in Canada. For years, he evaded arrest by implanting a fake blood sample inside a plastic tube in his arm, which confounded DNA test results.

>During his 1999 trial, Schneeberger revealed the method he used to foil the DNA tests. He implanted a 15 cm Penrose drain filled with another man's blood and anticoagulants in his arm.[5] During tests, he tricked the laboratory technician into taking the blood sample from the place the tube was planted.


Damn. Off topic but once again I'm reminded of how ridiculously lenient most western countries (aside from the US) are towards violent criminals.


Why not take cheek samples?

Wouldn't a finger print be easier?

Why would you need to go to the store? Plenty of DNA sequencing happens over the mail for ancestry and alike. Partner with them and offer discounted DNA results.

Ideally you do this once and keep a card and use it everywhere.


Ah yes, the Ident-i-Eeze card from The Hitchhiker's Guide to the Galaxy…

https://scifi.stackexchange.com/a/92742


Yeah thinking about it more it's probably a cheek swab and not a blood prick. And yeah the card would be the more regularly used 2FA. The DNA test is just for when you lose your card.

As to doing it by mail, that may be potentially doable, but one would need to think through how to prevent e.g. stolen saliva, MITM mail sample interceptions, etc.


Identical twins would be a problem. There's no foolproof way of verifying identity today. It might be possible for a system to observe you and generate a set of identifiers. I doubt we can make anything accurate enough to be usable today. Maybe in a decade or two.


Their birthmarks and finger prints are different (out of curiosity I verified this myself with twins that were students of mine) and I believe that their iris scans are different. So a combination of DNA and fingerprints/iris scans should be foolproof.


Chimeras are another problem, although very rare.


This is the text I got from T-Mobile:

T-Mobile has determined that unauthorized access to some of your information, or others on your account, has occurred, like name, address, phone number and DOB. Importantly, we have NO information that indicates your SSN, personal financial or payment information, credit/debit card information, account numbers, or account passwords were accessed. We take the protection of our customers seriously. Learn more about practices that keep your account secure and general recommendations for protecting yourself: t-mo.co/Protect

It's such a shit feeling knowing my name and info are out there and that it's only a matter of time before they make attempts on my accounts or identity, I'm one of tens of millions and can only hope that I'm far down the list. I'm usually pretty good with online security, I don't even reuse usernames or emails to sign up for different services, use 2fa for anything important, use containerized tabs for social websites, use VPNs on non-familiar site so some random guy's blog doesn't have my IP, etc... and there goes my cell phone provider fucking things up for me anyways. I don't even know if this is actionable info, should I even bother? Should I get a new number and replace my number at all services that use this number?


Are you an adult over the age of 21? Cause if so all your info was likely dumped in the Equifax breach a couple years ago if you had interacted with credit in any way. It's one of those things that you just have to accept it's out there and secure yourself the best you can, 2fa everywhere, password manager, don't re-use passwords, etc. Most of that info is most dangerous when it can be used to break into a weaker account that may be used as auth for a stronger account, like T-Mo redirecting your 2fa texts to an attacker that paid off a customer support agent to sim swap your number. Your phone line is a huge security liability because of 2fa texts and the lax policies around line transfers. And this basically extends to any server, if they can get into your email, they can get into any account that uses your email as auth.


The thing I haven't been able to figure out, once reaching the mental place you describe above, was what to do about it.

It really feels like the answer is "do nothing, and hope no one ruins your life". Which isn't a great place to be.


I really wish I had a better answer for you, but I'm stuck there myself. Short of major reform that those that profit off this shit will just lobby away, there's literally nothing we can do but wait for the current notion of credit to collapse, unfortunately.


I guess the only course of action would be to work to make the leaked information out of date. You could change your name and address. Personally, I would not pursue that option.


I live in Washington State, where up until recently, birth records for anyone could be requested by anyone.

Address? If you own a home, already a matter of public record.

Phone #, not secret at all (heck it is part of many people's email signatures!)

Talk to an investigative journalist some time and find out exactly what info can be had publicly.

On a related topic, a few years back I went to a presentation from a member of TMO's marketing team. They mentioned how they used an ad-tech company to real time query the mortgage status of people who visited TMO's homepage in order to help dynamically determine what line of phones to show. Live in a nice neighborhood and didn't have a bunch of late payments? iPhones showed up.

To be clear, there is a vendor out there with an API that offers up, in real time, what your current mortgage status is. "You" of course are determined by a bunch of other web trackers.

A few weeks ago Best Buy sold off the fact that I was in their store looking at robotic vacuum cleaners. (Either that or some app on my phone was using really good location tracking, but Android has seriously cut down on that, AFAIK background apps aren't granular enough anymore to get section-in-store data.) While I was impressed with the ad tech that made that level of targeting possible, it also means I am not likely to step inside a Best Buy again.


Have you noticed that in Best Buy stores their price tags are now all eink paper?

If they can 'electronify' a price tag, you know they have some precise beacons in that store.


Could be ultrasonic tracking beacons, see here:

https://www.wired.com/2017/05/hundreds-apps-can-listen-beaco...


I can always tell what my wife is buying for my birthday. I get ads for the stuff she searches for even though we do not share devices; Google seems to make associations from the IP address.

I watched a video review of a drone on YouTube and that was a huge mistake, got slammed with drone ads for weeks afterwards.

Watching any video mentioning “Planet X” seems to sign you up for a semi truck full of crazy also.


Name, address and phone number have been available for a long time in the phone book. People throw parties and post birthday information all over social media constantly.

That information shouldn't be a risk. It's too easy to get for everybody.


I never posted my real birthday on social media, but then one day it magically showed up on IMDB. That one still pisses me off.

Information posted in the phone books during the time of phone books couldn't really be weaponized against you like it can be now. So yes, times have changed. Just because something used to be done doesn't mean it should still be done that way.


I think the aim of who you responded to was that we should find ways to blunt the weaponization of this information.

For my part, I think both can be pursued. Let's do what we can to help keep things private. Let's also do what we can to keep things irrelevant.


The fact that previous address is relevant is such a strange thing to me. I can't think of anything this actually solves by using it, yet it is everywhere with "confirming" you are you. I know I am me, and here's all of these other government issued IDs that say I am me. Prior address does not.


Well.. Except for the fact that my ID has sometimes had my previous address. :)

Especially common for folks that move a lot. Students, for example.


Yeah, and so? Your ID has a gov't issued number. That's the thing that should be used. Your address is, as you've stated, not permanent, so why would it be used as an identifier?

Even as a second qualifier to reduce the number of exactly 1 hits on a unique number it's not very useful.


Apologies, I didn't intend that as a strong rebuttal. Just an ack that it can be convenient in a non-adversarial way to confirm identity. Mainly during transition periods.

But, I fully ack that it is a poor piece of information to do this.


You can edit IMDB data about yourself.


Please, show me how. I have tried long in the past and was not able.


Lamentably, we're at the point where your information is likely out there. It is a shitty feeling, being the victim.

I got the email from my employer this year that my application for unemployment was rejected because I'm still working (I didn't apply). I had a tax check stolen and attempted to cash.. (the bank stopped that one.. a Dominican Republic bank cashed that one..), IBM backup tapes with maybe my personal information went missing..

A friend who is super vigilant had someone apply for a credit card with his credentials.. The card company sent him a letter asking if he had moved.. The card was approved and ready to go.

It's sad, but you have to stay vigilant. I don't know if it's worth getting a new cell number. It is kinda your identity now.


Lock your credit.


Thanks. It’s locked through the 3 US credit companies.


> Should I get a new number and replace my number at all services that use this number?

Here's a guide to removing your phone number from all security functions: https://blog.kraken.com/post/219/security-advisory-mobile-ph...

Just made a separate post about it here, since it doesn't appear to have been posted at HN before: https://news.ycombinator.com/edit?id=28283321


Thank you, this is very useful info.


I got a message that they changed my pin and put the new pin in the sms message. Kinda shocked.


I got the same text. I think if people get access to your number, and your number is used as part of a 2fa for another service like your bank, then it is only a matter of time before you get hacked.


The only time it's actionable is if you inquire damages honestly. And even then it's an uphill battle because you'll have to prove it was because of the leak and not something else.


I got the same text, and I’ve never had a prepaid phone. The exposure clearly goes beyond the credit applications T-mobile claims.


I recently set up yubikey 2FA for several of my important accounts. I was dismayed to find that several of them (Vanguard, BofA, etc.) require SMS security codes as a backup.


The most infuriating thing is when you go to the trouble of setting up 2FA and a strong password only to discover that the helpdesk will happily turn off 2FA, change your email, and reset your password if you call them on the phone with a sob story. They won't even send a notification to the old email address telling you that it was changed.


I once had a representative from Vanguard call me, and the first thing he asked me for was my security questions. I responded with "I can't be certain you're actually from Vanguard" and he got really annoyed. He was legit, I called them and got him on the line and we went from there, but it was obvious from the exchange most people just happily oblige with their info.


I'd like to use a Yubikey, but too few of the accounts I'd want it on allow multiple concurrent 2FA sources, and since I won't have my Yubikey on all devices/with me 24/7 it gets cut for HOTP/TOTP which I can have in multiple places.

I feel like failure by services to allow multiple 2FA providers concurrently is a common weakness that is rarely criticized.


Vanguard also has traditional security questions too. So shit like "where were you born?".


I use KeePass, so I make it generate a long random string and just put that as the answer. It has encrypted storage of additional name value pairs, so I can label each string with the appropriate question.


I suggest using diceware or similar random words, not random strings. Humans are typically processing these, not machines. "What's your mother's maiden name" can be answered by "Oh, I just put a bunch of random letters" if someone knows your stance on security questions.


KeepassXC at least includes passphrase generation using the EFF diceware list. I use that for "security" questions.
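Added example (not code from any commenter in this thread) of the diceware approach the two comments above describe: roll dice with a CSPRNG against a wordlist in the EFF's tab-separated format, label the phrase with its question so it can be stored as a name/value pair next to the login, and compare its entropy with that of a 16-character random string. The 36-word, two-dice list is constructed for the example; the EFF long list (7,776 words, five dice per word) is assumed to be loaded from a file in the same format.

```python
"""Diceware-style answers for "security questions" (added example)."""
import math
import secrets

# Constructed two-dice wordlist in the EFF format: "<dice roll>\t<word>" per line.
# A real deployment would load the EFF long list (7,776 words, 5 dice) instead.
SAMPLE_WORDLIST_TEXT = "\n".join(
    f"{d1}{d2}\t{w}"
    for (d1, d2), w in zip(
        [(a, b) for a in range(1, 7) for b in range(1, 7)],
        "acorn badge cabin daisy eagle fable gavel habit igloo jelly kayak lemon "
        "mango noble oasis panda quilt radar sauna tulip umbra vivid wagon xenon "
        "yacht zebra amber bison cider dough ember flint globe hazel ivory jumbo".split(),
    )
)


def parse_wordlist(text):
    """Map dice-roll strings (e.g. '11111') to words.

    Returns (mapping, dice_per_word). Rejects lists that mix dice counts or
    are incomplete, since a missing roll would bias the generator.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roll, word = line.split("\t", 1)
        if any(c not in "123456" for c in roll):
            raise ValueError(f"bad dice roll {roll!r}")
        mapping[roll] = word.strip()
    lengths = {len(r) for r in mapping}
    if len(lengths) != 1:
        raise ValueError("wordlist mixes dice counts")
    dice = lengths.pop()
    if len(mapping) != 6 ** dice:
        raise ValueError(f"expected {6 ** dice} entries, got {len(mapping)}")
    return mapping, dice


def roll_dice(n_dice, randbelow=secrets.randbelow):
    """Roll n fair dice using the secrets CSPRNG; returns e.g. '3152'."""
    return "".join(str(randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(mapping, dice_per_word, n_words, randbelow=secrets.randbelow, sep=" "):
    """Pick n_words uniformly from the list, one independent roll per word."""
    return sep.join(mapping[roll_dice(dice_per_word, randbelow)] for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of a uniformly chosen n-word phrase from a list of list_size words."""
    return n_words * math.log2(list_size)


def random_string_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly chosen string, e.g. 16 chars over [A-Za-z0-9] (62)."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose phrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def security_answer(question, mapping, dice_per_word, n_words=5, randbelow=secrets.randbelow):
    """The name/value pair to store in the password manager beside the login."""
    return {
        "question": question,
        "answer": diceware_passphrase(mapping, dice_per_word, n_words, randbelow),
    }


if __name__ == "__main__":
    mapping, dice = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    print(security_answer("What is your mother's maiden name?", mapping, dice))
    alnum16 = random_string_entropy_bits(62, 16)
    print("5 words from the EFF long list: %.1f bits" % passphrase_entropy_bits(7776, 5))
    print("16 random alphanumerics:        %.1f bits" % alnum16)
    print("EFF words to match that:       ", words_needed(7776, alnum16))
```

The phrase is read out to a support rep far more easily than a random string, and the entropy functions show what that costs: five EFF words give roughly 65 bits, and eight are needed to match a 16-character alphanumeric string.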


Yes! It should be much harder to convince a CSR who can see your plaintext answers that you're legit and don't know you were born in "Peoria" vs "eH2ochomheeVe6ti".


I admit I've only had to fall back to the "security questions" a few times, but I haven't had any issues with the random strings.


The point isn’t that you will have an issue using a random string, it’s that attackers who know you do so will be able to convince a customer service rep they are you by answering the question with “I just put in some random keystrokes”.


Well that would require fairly detailed knowledge about me, but point taken. Not sure how random words are much better though, if the person on the other side is ready to accept whatever.


Remember that your answer to that need not necessarily be accurate. You can invent a 'security city' perhaps and always give that... or just give a randomly generated password that you store alongside in your password locker.


And if you use a long pseudo-randomly generated string, you will amuse support (and annoy yourself) when you have to read it all out...

(Switched to correct-horse-battery-staple style for those after that.)


Support Operator: We need to answer some security questions. To start with, what was your mother's maiden name?

Scammer: "Oh, I just entered a long stream of random digits, but I can't find where I wrote it down"

Operator: "Good enough. How large a credit line did you say you wanted?"


What happened in my case (password reset for the online account for a credit card) was rather:

Operator: ...

(Real) me: Err.. all of it? [hoping p,q,r-th characters will be enough]

Operator: Yes please.


FWIW, having gone through support with Vanguard, they didn't even acknowledge that they were random strings when I said they would be. They seemed well trained, at least the one I spoke with.


I use a random string and store it in a password manager per-site.


It's interesting to hear they even support that form of 2FA. Few services outside of Silicon Valley in my experience don't support Yubikey or TOTP besides for enterprise, probably because they either don't understand it themselves or think it will confuse and scare off their customers.


I think your sentence contradicts itself? Do you mean Yubikey is not supported outside of SV?


Darn it, yes. At least that is my impression. "Boring" services like my bank hardly ever support it or something that would work with Authenticator.


Am I the only one that'd rather we fix the vulnerabilities with SMS verification instead of killing it? The cross platform password manager + OTP (and sidecaring OTP with your passwords is sketchy to begin with) UX is just terrible. Adoption is very important for this stuff and SMS does that best.


Fido2 hardware 2fa keys are the right solution

as to solving sms 2fa security, it's flawed by design, even if it was e2ee


Not sure why you’ve been downvoted. I generally agree that it’s easy to bypass with a MITM. Obviously that’s a big step up from non-2FA, but it means unauthorized access will still be frequent.


SMS as a second factor needs to be illegal. Apple, Twilio, and a myriad of other companies cling to it like it's safe when it's not.


"Apple, Twilio, and a myriad of other companies cling to it like it's safe when it's not ..."

You're missing the point.

Twilio and Apple (et al.) are not using 2FA for you. It's not to protect you or to help you.

They are faced with a brutal and unceasing spam/scam/puppet onslaught. Forcing you to burn a physical SIM identity to create and maintain an account is just a blunt mechanism to slow this process down.

It is a way of attaching some costs to creating a (Twilio/Apple) account.

They're not doing it for you.


Indeed, you're correct. It's passing the buck of KYC, with an inevitable credit check to another company.


Partially, but it's also: you will pay for a phone number, you won't pay for iCloud, etc. So, as a result, a phone number costs something like 10 cents for an attacker.


Well, how would you attack fraudsters instead?


I would give them a challenge/response to post in their HN user page and restrict it to accounts >4 years old and >500 karma.

Well, you asked ...


Digital identity, digital identity, digital identity. Until digital identity is a first class citizen in the United States (with support through the various layers of gov from local to federal), private enterprise will continue to lean on suboptimal identity systems (SMS, pictures of government photo ID for proofing a la ID.me and Stripe Identity).

https://news.ycombinator.com/item?id=28203374

https://news.ycombinator.com/item?id=28194815

https://www.gsa.gov/blog/2021/02/18/logingov-to-provide-auth...

https://www.congress.gov/bill/116th-congress/house-bill/8215...

https://billhunt.dev/blog/2020/12/18/federal-policy-recs/#4-...


I'd be surprised if it happened any time in the next quarter-century. RealID was passed in 2005 and it's not even fully implemented yet, and only about 1/3 of Americans have one. Even if the Feds launched a digital ID, consumer services aren't going to hop on the bandwagon immediately; most people in the US don't have a need for a federal ID, and millions of them don't have any ID at all. Private enterprise is leaning on weak identity because they want more customers with little friction. There's nothing stopping private industry from issuing cryptographic tokens or similar, and many already do. The problem with selling anything to the general public is that you will have a very high number of customers who will lose every token you give them, forget every password, and won't be able to produce good proof of ID.


> The problem with selling anything to the general public is that you will have a very high number of customers who will lose every token you give them, forget every password, and won't be able to produce good proof of ID.

The US Postal Service (USPS) has successfully piloted a service to check people’s identity in-person at both USPS locations and at people’s homes using their existing portable tablets used for mail delivery [1]. I'd agree that it's uphill, but it (competent digital identity implementation) is necessary for the reliable functioning of government and commerce in the twenty first century. Otherwise, SIM swaps, identity fraud, and similar will continue to be a (costly) thing.

iOS 15 is rolling out digital IDs in Wallet. I'm excited to see if this enables a faster deployment with solid primitives.

[1] https://gcn.com/articles/2013/01/28/usps-pilot-cloud-federal...


The descendent of that 2013 pilot is today's login.gov, which is not really the kind of 'digital identity' that solves the problems at hand here. It's basically just SSO for government systems and has many of the same security concerns as other SSO systems. Login.gov passwords can be reset by email.


I think a digital ID will be impossible to implement for the sole reason of evangelicals and the conspiratorial atmosphere in the country. There are already a ton of conspiracies floating around regarding ID2020. Get the government involved, and this shit is dead in the water.


You don't have to be a conspiracy theorist. I don't want most of my online accounts tied to a real ID. In Asia it is apparently common for everything including video games to require your government ID to sign up.

If you make that frictionless, privacy and alt accounts are gone.


There are rational objections apart from superstition. Social security and driver's license numbers have already been abused to the extreme, and now form a backbone of the commercial surveillance web. Secure identification is an utterly terrible idea until the US gets something like the GDPR.


Hell no. Why people would trust the federal government to be their gateway to commerce and the Internet is beyond me. Way too ripe for abuse.


Ultimately it's the court system that backs up identity. Ideally you never end up there, but its existence is what holds society together. That's where identity matters: where you're held to account for previous actions, such as contracts you've agreed to. Your identity in front of the judge has to be the same as the identity that entered into a contract. This is crucial for enforcement. If both parties to a contract cannot trust that this will happen, then a contract isn't useful to them, and business cannot take place.

For this to work, your digital identity needs to be something that the courts will directly accept as your personal identity. The fact that it is currently indirect is what causes all the problems. For example, nobody knows if some digital identity (eg. SMS verification proving ownership of a phone number) is tied 1-1 with a natural person. When companies assume it is, that's where the crack can get opened by fraudsters.

The only way to fix is this for the courts to be able to _directly_ trust an authority that issues digital identities. The only such issuer I can see working is the government.

In the US I suppose that could be a state government or the federal government, since courts (whether state or federal) will generally be able to trust digital identities issued by the other. But I don't see how this can be fixed by anyone _other_ than governments.

Having said that, I suppose it might be possible for credit agencies to issue digital identities. I haven't thought this possibility through.


Agreed, for most services anyway. I like my country's ID card and electronic ID system and use it happily for state-adjacent services or where regulation requires IDs. I am however very much against using it for things like online shops, SaaS or even phone numbers. Most services don't need to and shouldn't identify me as a unique human, they just need enough information to bill me and provide me with their services.


It does not need to be illegal. It's not ideal 2FA, but it does not need to be legislated away.

Apple has a second factor system where you can authorize a new device using another Apple device. While this is convenient, not everybody has 2 Apple devices (for each Apple login). Worse, they use a dark pattern to make enabling this (other device auth) the default choice, so it's really easy to setup when you update your iPhone.


I firmly want it to be legislated away, but for a slightly different reason. Specifically, you should never be required to disclose a phone number to a business that doesn't absolutely need your phone number to directly render services.

I was eating at a restaurant once -- IN PERSON -- and the fucking web interface they force everyone to use to order food wanted a SMS 2FA. WTF? No. I don't require your waitress to disclose her phone number to order food. And in return, you don't ask for mine. Just take my food order, swipe my credit card, and bring the food to the table, there is no need to disclose a phone number.

I think the ideal law should be: Any business that wants 2FA MUST support at least U2F hardware keys. It's okay to also offer SMS but not okay to offer only SMS.


SMS isn't about security. It's about making it harder for bots to set up accounts. The first thing you should do after SMS verifying an account is delete the phone number so it doesn't leave a back door open.


Then why do many try to force you to enable SMS even though you are a well known customer? Sometimes it is a soft-force and a few URL changes until you bypass the request.


How do you become a "well known customer" when signing up for an account?


I have been a Twilio customer for years. Now I need to enable SMS. They should know me, not a threat.


At least at the AppleCare call center it’s called “itsme” and it’s a push message. Sadly only works on iOS or macOS


Phishing remains a way more common threat than sim swapping, yet you never see these complaints about TOTP. Sim swapping is just sexy and eats up conversation space.


This happened to me. My T-Mobile number was ported to a hacker and they used it to get control of my GMail account. They then tried to use that to get at my Coinbase account. Luckily I had device 2FA enabled on that account so when they realized they couldn’t get in they gave up. Meanwhile though my Google account which has everything was inaccessible to me.

Getting back control of your gmail when all your 2FA and device codes have been reset is very difficult. I had to call in a favor with a friend who worked there. I use true 2FA on all my accounts now.

One thing you can do is call T-Mobile and setup a pass phrase. Phone based customer service won’t do anything for you until you give them that pass phrase.


Google Advanced protection would lock down your account to only allow physical 2FA (like a Yubikey or their titan keys) and completely disable even the option of SMS or authenticator app like codes.


Apart from SMS as a second factor, what's this with "What number would you like me to send this [code] to?", where clearly an attacker could give an arbitrary burner number under their control. They should only use numbers already associated with the account, and adding/changing one should by itself require authentication. Oh well.


Depends on the account type. I have had Microsoft and other systems ask me to send a code to a phone number. It wasn't specific, so I asked my co-worker if, for science, I could send the code to their phone. It worked.


They send it to a number on the account.


So the question is in case there are multiple numbers associated with the account?


It is common to be part of a family plan in the US. The person in the example must have been in one to have been offered that option. Family plans are much cheaper per phone number than individual plans.


My understanding is that the PUK is used to unlock a SIM that has become locked if too many incorrect SIM PINs were entered.

The advantage of the attacker having a PUK is therefore that they could then physically put the SIM into their own phone, or use the SIM in the target's phone (if they have their phone PIN as well as the PUK). This of course means that they need to have physical possession of the target's SIM, and that the target needs to be unaware that their SIM has been taken, because as soon as they realize they don't have a SIM they'll obviously contact their carrier.

So the adversarial use-case of having a PUK is pretty limited. Which in turn explains why the security in giving it out is comparatively low.

I guess I'm not seeing the issue here too much. There are cases of social engineering carriers that are way more damaging.


The German carrier Telekom allows you to take possession (add it to your customer account as a "contract owner") of a phone number with just the PUK and a one-time code sent to the phone number via SMS. I guess many other carriers use the same system.

You're then able to modify the contract and, for example, can get a second sim card. The affected phone number gets a "Welcome to our customer portal" message, but that's that.

I actually used this to get access to my own phone number after losing access to the connected mail account. :-D


> The German carrier Telekom allows you to take possession (add it to your customer account as a "contract owner") of a phone number with just the PUK and a one-time code sent to the phone number via SMS. I guess many other carriers use the same system.

Ah, very interesting. I was unaware of this usage of the PUK. If it's used for account ownership authentication, then absolutely carriers should be treating it way more securely.


While I never want to see companies suffer data breaches and breakdowns in security, it's possible that the merging of Sprint and T-Mobile's subscriber base and systems might be the kind of cautionary tale told to management in the future to justify more spending on security budgets, especially around the merging of systems.


Nah. As long as costs are negligible and there's no corporate death sentence for repeat offenders (T-Mobile has had 5 breaches in roughly the same number of years), nothing changes. Equifax is still around, right [1]?

[1] https://en.wikipedia.org/wiki/2017_Equifax_data_breach


Problem with security spending is that a lot of it comes down to useless audits which really don't find any holes - they just "enforce" compliance. Yes, PCI compliance is important but how many PCI compliant companies have been breached in the past decade?


So while Sprint and T-Mo are culpable in this poor training, I feel bad for the tech support agent. She clearly just wanted to help this person out.


That's precisely the human flaw that most social engineering relies on.


They didn’t want to lose their job. Most support chats want you to rate the person. This is the real issue.


This is why SMS-based "2FA" is not real 2FA. Anything vulnerable to social engineering customer service reps at some giant telecom, or faking documents to port out a number (SS7/PSTN are woefully insecure and should not be trusted by anyone), is a huge gaping hole.


What use is a PUK for sim swapping? Sorry, am I missing something here? What would be the next step after knowing the PUK of a mobile phone number?


If you know the PUK you can easily port out the number or obtain a new SIM card with the number and put it in your own burner phone.


Thanks. But to "easily port out the new number", how is that done using the PUK?


It's exactly (afaik?) what it's for - you want to transfer your number to a different network, you have to request the PUK from the old one and give it to the new one.

So if I know yours (and your number) I can transfer it to a different network, registered to an account in my control.


PUK is Pin Unlocking Key - it's a burned-in passcode on your sim card that can be used to unlock it should you enter your pin incorrectly too many times.


I thought PUK was for (un)locking the SIM to manage its usability, not for porting a number out of a carrier? Never heard of them being related before... I thought they're different things entirely?


I see. I've changed carriers before but this is something they've managed. Maybe it's different in Australia.


That's the PAC, not the PUK.

PUK: Personal Unblocking Key

PAC: Porting Authorisation Code

PUKs are an 8-digit code burnt on the SIM at manufacture (or whenever the network personalises them), don't change, are not checked by the network, and "just" allow you to reset the SIM PIN after entering it wrong 3 times. At least here in the UK it's normally printed on the full size card of the Combi SIM you punch your desired SIM out of.

Not a lot of people I come across use SIM PINs any more, but they help prevent someone taking the SIM out of your phone, placing it in another and authing to the cell network "as you" to be able to make/receive calls/sms. A PUK is only "good" for as long as it takes for the orig owner of the sim to report their phone lost/stolen (a PUK will unlock a PIN blocked SIM even if it's deactivated because it happens before the SIM exchanges any data with the network, but if the SIM is deactivated it won't make any difference, and honestly, I don't come across many PIN protected SIMs even from techies in my social group).

PACs are codes generated by the network at time of request (here in the UK you can get one simply by sms'ing PAC to 65075), they are valid for 30 days and are what you would give to a new network to port your number to them. However they are not the best method of attack IMO. They will still alert the customer that a PAC has been issued (when I last asked for one I did so online and they still sms'ed me the code, so the orig owner can be alerted). Here in the UK it takes at least 6 hours to port a number, but personally I've found it to be closer to 24 hours as long as the request is made Monday-Thursday (they don't process them over the weekends).

If you are in physical possession of the SIM to ask for a PAC via SMS/Phone in order to do a 2FA SMS attack, might as well do the 2FA SMS there and then and save waiting around for the number to port to a new network's SIM; if you are not in possession of the SIM and you are doing a social engineering attack it's much quicker to walk into one of the network's stores and get a "replacement SIM" on the same network as you can walk out of the store with the SIM activated and the original one deactivated.

Stores should be validating IDs for instant in-person replacement SIMs but often they do not, heck the last time I changed my phone in person (I buy my phone outright and have a SIM only plan) just the fact that I dropped the cash on a brand new phone was enough for them to issue me a new SIM, but in the process they had reset the adult content block on the account and I had to show ID to prove I was over 18 (I'm clearly over 18 :-P) before they would remove the block. (Got new phone, they activated my new SIM, I left the store with a new phone, went around the corner to a bar to set it up over a pint, found the content block, finished my pint and went back to the store to get them to unblock it. It only then dawned on me that they just gave someone access to my phone number (granted, it was me they gave the access to) with no checks, but wanted ID to disable the adult content block...)


Ah, thanks for the correction!

> here in the UK you can get one simply by sms'ing PAC to 65075

I did not know that, thanks! Will try not to forget for whenever I need it..


That's the PAC (Porting Authorisation Code). Not the PUK (Personal Unblocking Key).


I have recently ported a number of rare/hard to acquire DIDs from cellular carriers to wholesale SIP trunking providers, and did need the PUK in order to sign in to the cellular carrier's website to make an account, fill out my information and get the documentation to submit for the port.


Yeah, it's way too easy to get information like this from customer service.

A while ago, I wanted to log into my carrier's customer portal, but my account was so old that they still had an ancient email address in their system that I didn't have access to anymore. Previously, one could just log in via the phone number and a code sent via SMS, but suddenly they required a password that was sent to the mail address. One could also reset the mail address with the PUK, but I lost that too while moving. :-P

Ended up "hacking" my own account, by calling customer support a few times. The first two customer support agents wanted me to click on a link in a mail they sent to my mail address or to go to a physical store with my ID card, to prove I'm not an attacker, even after I told them my name, address, date of birth, customer ID, bank account number, etc.

The third one just gave me the PUK, with no questions attached, after telling him just my name and phone number. :-D


A few years ago many of the captchas on T-Mobile’s site had a massive security flaw (no idea if this is still the case). You could request the captcha image multiple times (using the image url) and each time the captcha would be differently generated on demand while still having the same letters/numbers. This meant you could just request the captcha a few times, put each image through an ocr reader, and see what the captcha was most commonly read as (the correct answer almost every time).

I was astonished to find that a multi-billion dollar company had such a massive flaw in their captcha system. That being said these kind of errors are really far too common.


Not just a 2FA bypass, it bypasses all of the FA's.

Then again, somehow losing all 2FA methods is my nightmare reason for being hesitant to turn on 2FA for my Google account because their customer service is so completely awful. Like if my house burned down with my keys, phone, and previously authenticated PC stuck inside. I know, extremely unlikely, but without customer service that is willing to verify my identity without relying on an automated/AI algorithm, I feel safer with a strong unique password along with the other account recovery options.

Am I being unreasonable and missing some method of last resort with Google's 2FA?


I switched away from Google Authenticator app to Microsoft Authenticator app for that reason (it is a generic 2FA, so you can use it as a 2FA for google logins and any other services just fine).

One important difference is that Microsoft Authenticator supports recovery from iCloud (in case you are on iOS; there is probably something similar for Android too), which is something that Google Authenticator does not. So in case my phone explodes, the only thing I need to recover all my 2FA stuff is a recovery key for iCloud (which I can print out and put in a few places, like a bank storage cell and my parents’ house), because my Apple stuff is behind 2FA as well. So essentially, I just pick up my recovery code, buy a new iPhone, authenticate using the recovery code, it restores all my data from iCloud backup, and my Microsoft Authenticator app has all my 2FAs for all services I use it for there.

It is a fairly recent feature for Microsoft Authenticator on iOS iirc, they added it less than a year ago. A few other 2FA apps, like Authy, support that type of 2FA recovery too (and Authy specifically had that feature for much longer).


I was also using Google Authenticator before I bought a new iPhone a few years ago, when I noticed to my surprise that those 2FA codes were the only thing that didn't automatically populate on my new phone. I immediately switched to Authy.

In my threat model, losing my phone is at least 1,000x more likely than the targeted attack it would take to compromise both auth factors for my most important accounts.

Besides, as others pointed out in another similar thread: after SMS hijacking and social engineering, the next weakest link is cookie theft.


Knowing about this fact I wonder why so many sites still allow SMS based 2FA and, even worse, sometimes accept just SMS codes as a proof for the password reset workflow.

The incentives are all wrong: Telco support people are incentivized to handle as many calls in as little time as possible and to be as helpful to customers as possible.

In 99% of calls, being "difficult" about this will cause customers with legitimate issues to be angry and will cause the ticket to stay open for much longer than what's necessary, so I totally understand where they are coming from.

I wish my Telco had an option where I could set a flag to never help me with account recovery at the promise of in return never getting angry at them for not helping me. Then "we can't help you" is the quickest way to solve such a ticket for them and it's also the safest for me.

Honestly, if I ever lose access to my phone account, I'd rather get a new number than have some helpful person hand over the keys to umpteen accounts I have on the internet which I can't secure adequately because of braindead policies at those accounts.


The problem is here:

>As an infosec professional by trade, I just can’t believe how easy this was. Billion dollar company with absolutely no security awareness passed down to their techs

They aren't 'techs' manning the support chats. They are (often outsourced) lower skilled workers that follow a script and routine... if anything falls out of that script they are lost.


We should have the option to require sim swaps only be done at a physical store with state issued ID. But that will never happen.


What I don't understand is why the service person can see the PUK (1).

There are just way too many ways this can go wrong.

(1): Rhetorically, most likely because when their service system was developed this wasn't a concern and since then they never re-evaluated this part for security (or did and didn't care to change it).


Why does the customer-service system even reveal the sensitive info before the agent inputs the code? It could be sent out-of-loop so it wouldn't even be possible for them to bypass.

Related question: What should happen to a customer who legitimately encounters this problem?
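Below is an added example (constructed for this thread, not any carrier's system) of the "out-of-loop" release the comment above asks for. The support console never receives the PUK: the agent can only start a release and relay the one-time code the customer reads back; on success the release service sends the PUK straight to the customer's registered channel, with every agent action audited. Account numbers, the PUK value and the contact address are made up. The related question of what a customer who has lost that registered channel should do is a policy matter (the in-store ID check mentioned elsewhere in the thread) and is deliberately outside this code.

```python
"""Out-of-loop PUK release (constructed example, not any carrier's system).

The support console never receives the PUK: the agent can only start a
release and relay the customer's one-time code; on success the release
service sends the PUK straight to the customer's registered channel.
Account data and contact addresses below are made up."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    msisdn: str
    puk: str      # only the release service reads this field
    contact: str  # registered out-of-band channel, e.g. the carrier's app


class PukReleaseService:
    MAX_ATTEMPTS = 3

    def __init__(self, accounts):
        self._accounts = {a.msisdn: a for a in accounts}
        self._pending = {}         # challenge_id -> [msisdn, code, failed attempts]
        self.customer_outbox = []  # (contact, message) pairs the customer receives
        self.audit = []            # what the agent did, for later review

    def start(self, agent_id: str, msisdn: str) -> dict:
        """Agent asks for a release; the customer gets a one-time code."""
        acct = self._accounts[msisdn]
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self._pending[cid] = [msisdn, code, 0]
        self.customer_outbox.append((acct.contact, f"Verification code: {code}"))
        self.audit.append(("start", agent_id, msisdn, cid))
        return {"challenge_id": cid, "status": "code_sent"}  # no PUK in here

    def confirm(self, agent_id: str, cid: str, code_from_customer: str) -> dict:
        """Agent relays the code the customer reads out. The PUK still does
        not come back to the console; it goes to the customer's channel."""
        entry = self._pending.get(cid)
        if entry is None:
            return {"status": "no_such_challenge"}
        msisdn, code, _ = entry
        if not hmac.compare_digest(code, str(code_from_customer).strip()):
            entry[2] += 1
            if entry[2] >= self.MAX_ATTEMPTS:
                del self._pending[cid]
                self.audit.append(("locked", agent_id, msisdn, cid))
                return {"status": "locked"}
            return {"status": "wrong_code",
                    "attempts_left": self.MAX_ATTEMPTS - entry[2]}
        del self._pending[cid]  # single use
        acct = self._accounts[msisdn]
        self.customer_outbox.append((acct.contact, f"Your PUK: {acct.puk}"))
        self.audit.append(("released", agent_id, msisdn, cid))
        return {"status": "released_to_customer"}


if __name__ == "__main__":
    svc = PukReleaseService([Account("+15550100", "12345678", "app:+15550100")])
    r = svc.start("agent7", "+15550100")
    code = svc.customer_outbox[-1][1].split()[-1]  # the customer reads this out
    print(r, svc.confirm("agent7", r["challenge_id"], code), svc.customer_outbox)
```

The point of the design is that a helpful agent has nothing to hand over: the console's responses carry only status fields, and the audit trail records which agent started which release, so a pattern of releases without matching tickets is visible after the fact.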


The only solution, and people will hate me for saying it, is to replace cash and bitcoins with fully traceable digital currency.

All other solutions posted in this thread won’t work.

Every hack, scam and cyber crime pushes us further towards this inevitable destination. As long as there are more honest people to be victimized than there are criminals and haxxors to profit, the world will demand traceable secure money. I’ll get super downvoted but think it through. It’s not a conclusion I came to easily or without deep lament.


Has anyone convincingly demonstrated actually being able to read someone else's messages through any means? I keep reading about many theoretical attacks ranging from weak encryption to social hacking to identity spoofing to cloning. This demonstration was when you have physical access to a locked SIM, which means that SIM locking is not effective but having a physical SIM is still required.


Check out this recent episode of Darknet Diaries: https://darknetdiaries.com/episode/97/


Lol, I recently saw the 2auth for an ISP in my country. It works like this.

To see/change your banking details they bring back the banking info (API call) and display it on screen, BUT their security is to 'quickly' bring up a modal (JS) to 'hide' the sensitive information... of course just modify 'display:none' on the modal and you can see everything :s
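The fix for the pattern in the comment above is to never put the full value in the response in the first place. As an added example (constructed for this thread, not the ISP's code), here is the flawed endpoint next to a hardened one: the hardened endpoint returns a masked IBAN unless the server itself holds a recent, unexpired step-up token for that customer, which it only issues after verifying a second factor. The sample account, the `cust-42` id and the 300-second TTL are assumptions; `now` is injectable so the expiry can be checked deterministically.

```python
"""Server-side masking of banking details (constructed example, not the ISP's code).

The flawed endpoint returns the full value and relies on a JS modal to hide
it; the hardened endpoint only returns the full value when the server itself
has recorded a recent step-up verification for that customer."""
import secrets
import time

# Constructed sample record; not a real account.
ACCOUNTS = {"cust-42": {"iban": "DE89370400440532013000", "holder": "J. Doe"}}

_step_up = {}  # token -> (customer_id, expires_at)


def _now(now):
    return time.time() if now is None else now


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters; the rest become asterisks."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def grant_step_up(customer_id: str, ttl: int = 300, now=None) -> str:
    """Called only after the server has verified a second factor (OTP, WebAuthn, ...)."""
    token = secrets.token_hex(16)
    _step_up[token] = (customer_id, _now(now) + ttl)
    return token


def step_up_valid(customer_id: str, token, now=None) -> bool:
    """True only for an unexpired token that was issued to this same customer."""
    entry = _step_up.get(token)
    if entry is None:
        return False
    cid, expires_at = entry
    return cid == customer_id and _now(now) < expires_at


def banking_view_vulnerable(customer_id: str) -> dict:
    """Ships the full IBAN and hopes the browser hides it."""
    acct = ACCOUNTS[customer_id]
    return {"iban": acct["iban"], "holder": acct["holder"], "hide_in_ui": True}


def banking_view_hardened(customer_id: str, step_up_token=None, now=None) -> dict:
    """Masked unless a valid, unexpired step-up token for this customer is presented."""
    acct = ACCOUNTS[customer_id]
    verified = step_up_valid(customer_id, step_up_token, now)
    return {"iban": acct["iban"] if verified else mask(acct["iban"]),
            "holder": acct["holder"], "masked": not verified}


if __name__ == "__main__":
    print(banking_view_hardened("cust-42"))
    tok = grant_step_up("cust-42")
    print(banking_view_hardened("cust-42", tok))
```

With the hardened endpoint, flipping `display:none` in the browser reveals only the asterisks, because the full value was never sent; the browser gets the real IBAN only for the few minutes after a server-side second-factor check, and the token is bound to the customer it was issued for.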


Use Google Voice for SMS 2FA. Almost every service I use supports it (except for the ones that ping telecom companies to verify your address) and Google seems for now committed to keeping it alive as they’ve added voice as a service for Google for Business


It’s easier for the support to say the PUK than to risk their job because of a 1 star review.


tmobile + gmail + crypto accounts = someone about to lose crypto


Fucking idiots!! This is negligence.



