[HN Gopher] SMS phishing is way too easy
___________________________________________________________________
SMS phishing is way too easy
Author : ricardbejarano
Score  : 384 points
Date   : 2022-06-24 14:52 UTC (8 hours ago)
(HTM) web link (www.bejarano.io)
(TXT) w3m dump (www.bejarano.io)
| sgoto wrote:
| The first SMS from github is origin bound, it cannot be used for phishing: https://wicg.github.io/sms-one-time-codes/
| maxwellg wrote:
| Origin-bound codes & Web OTP codes [1] are interesting initiatives, but platform adoption has been poor. For example, it still isn't possible to use Web OTP in Chrome on MacOS from a Chrome Web app on iOS. The communication isn't there yet.
|
| And for what it's worth - origin bound OTP codes aren't _strongly_ bound - there isn't anything physically stopping someone from typing that short 6 digit code into a phishing site. Compare with a Magic Link token - you're much less likely to take `https://example.com?token=some-long-uuid` and manually enter that code somewhere else.
|
| [1]: https://wicg.github.io/web-otp/
| silvestrov wrote:
| Another possible solution: Government enacts a law that telecom companies MUST ensure that SenderID is valid for the company that sends the SMS.
| feet wrote:
| Yea but that would require that the government actually regulate something which they haven't done since what, the 70s?
| onelesd wrote:
| Telecoms lobby against this because they generate big revenues servicing SMS spammers whom end-users aren't able to effectively block since the ID is trivially spoofed.
| newsclues wrote:
| Ding ding ding!
|
| It's profitable on multiple levels to allow this, so corporations ensure the political class doesn't enact legislation for consumers.
| ruff wrote:
| Hmm... for all 10 digit US numbers the telcos introduced 10 DLC registrations last year that require you to register and verify your business in order to send any meaningful amount of SMS traffic. You have to provide details like a DUNS number, an EIN, and addresses that match those registrations. https://support.bandwidth.com/hc/en-us/articles/150000242224...
|
| They haven't gotten to blocking messages that don't register but have raised the fees and fines for folks who don't register and they're able to track down.
| remix2000 wrote:
| I wouldn't be surprised if telecoms themselves were the ones coordinating some SMS scam operations. This may sound tinfoilish, but we're talking about the same telecoms that were once caught red-handed tricking people into calling back foreign numbers...
| dotancohen wrote:
| Furthermore, SMS competes with Whatsapp.
|
| I don't use WhatsApp, so with people who do not have Telegram I use SMS. The more annoying and connoted with spam SMS is, the more pushy people become with insisting on WhatsApp. Luckily I'm often in a position to absolutely resist, but I can see how others, such as job hunters or Tinder hookups, would be pressured into installing the spyware.
|
| This is not being done by Facebook/WhatsApp themselves, but keeping SMS annoying is certainly in Facebook's interest.
| kome wrote:
| that's why i never used 2FAs using SMS: they are crap.
| 0xbeefeed wrote:
| A lot of people in this thread saying SMS is bad for 2FA. It's not. Just because you can spoof the sender field doesn't mean you can spoof being a receiver. Only the valid number will ever receive the 2FA code.
| conductr wrote:
| But who can read the messages that go to the valid number? How can unwanted people gain that access?
| jkepler wrote:
| SMS is bad for 2FA not because it can be spoofed, but because of SIM-swapping attacks that let the attacker trivially take your 2FA codes from you---gaining access to your protected accounts while you're locked out. NIST recommended against using SMS for this reason in summer 2016.
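The origin-bound code format sgoto links above puts the binding in the last line of the SMS (`@host #code`, optionally followed by ` @embedded-host` for a code meant for an iframe), and the receiving side is expected to hand the code only to a page whose host matches. The following is an added example written for this thread, not code from any commenter or from the WICG spec itself: it parses that last line and refuses to release the code to a non-matching or lookalike host. The sample messages are constructed; as maxwellg notes, nothing here stops a person from reading the six digits off the screen and typing them into the wrong site, so this is a browser/OS-side autofill guard, not a substitute for phishing-resistant credentials.

```python
"""Receiver-side check for origin-bound one-time codes (WICG format).

Added example, not code from the original post or from any commenter.
Format per https://wicg.github.io/sms-one-time-codes/: the last line of
the SMS is "@<host> #<code>", optionally followed by " @<embedded-host>"
when the code is destined for an embedded frame. Sample messages below
are constructed for this example.
"""
import re
from typing import NamedTuple, Optional

# Last-line grammar: host token, one space, '#' + code, optional ' @' + frame host.
LAST_LINE = re.compile(
    r"^@(?P<host>[A-Za-z0-9.-]+) #(?P<code>[A-Za-z0-9]+)"
    r"(?: @(?P<embedded>[A-Za-z0-9.-]+))?$"
)


class BoundCode(NamedTuple):
    host: str
    code: str
    embedded_host: Optional[str]


def parse_origin_bound_code(sms: str) -> Optional[BoundCode]:
    """Return the bound code from an SMS, or None if the last line is not in the format."""
    lines = [ln.strip() for ln in sms.strip().splitlines()]
    if not lines:
        return None
    m = LAST_LINE.match(lines[-1])
    if not m:
        return None
    embedded = m["embedded"]
    return BoundCode(m["host"].lower(), m["code"], embedded.lower() if embedded else None)


def code_for_page(sms: str, top_level_host: str, frame_host: Optional[str] = None) -> Optional[str]:
    """Release the code only to the page it is bound to.

    Hosts are compared exactly, so github.com.example-login.net is a different
    host from github.com and gets nothing. When the message names an embedded
    host, the requesting frame must match it as well.
    """
    bound = parse_origin_bound_code(sms)
    if bound is None:
        return None
    if bound.host != top_level_host.lower():
        return None
    if bound.embedded_host is not None:
        if frame_host is None or bound.embedded_host != frame_host.lower():
            return None
    return bound.code


# Constructed sample messages (not real traffic).
GENUINE = "123456 is your GitHub authentication code.\n\n@github.com #123456"
LOOKALIKE = "Your code is 123456.\n\n@github.com.example-login.net #123456"
UNBOUND = "Your verification code is 123456. Do not share it."
EMBEDDED = "Your payment code is 654321.\n\n@shop.example #654321 @pay.example"

if __name__ == "__main__":
    print("genuine on github.com:", code_for_page(GENUINE, "github.com"))
    print("genuine on other host:", code_for_page(GENUINE, "example-login.net"))
    print("lookalike on github.com:", code_for_page(LOOKALIKE, "github.com"))
    print("unbound message parsed:", parse_origin_bound_code(UNBOUND))
    print("embedded frame match:", code_for_page(EMBEDDED, "shop.example", "pay.example"))
```

The design point is the exact host comparison: a registrable-domain or suffix match would let `accounts.github.com.example-login.net` through, which is precisely the lookalike the format exists to defeat.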
| smitop wrote:
| Android supports "verified SMS" wherein the sender proves their identity to Google, tells Google the hashes of messages they send, and Google can tell recipients if the message hash is legit or not: https://developers.google.com/business-communications/verifi...
| [deleted]
| baxtr wrote:
| I have two phone numbers. One is for 2-way authentication, the other I give out freely on any website that requires a phone number (and to all my friends).
|
| It's basically the same setup I use with emails.
|
| Not entirely sure if it's safer that way. But so far I get SMS spam only on the "burner" number.
| semitones wrote:
| Funny how friends, life, and everything other than 2-way auth is on the "burner" :)
| jimmywetnips wrote:
| It's so fucking annoying. I was wondering if there exists some kind of service that I can install a browser plugin with and all it does is provide me a number to receive bullshit sms codes on, then I can quickly copy and paste quickly without having to use a phone
| franga2000 wrote:
| That just shifts the trust to another company. There used to be a desktop app that did this with Twilio, which is more trustworthy, but I don't remember what it was called or if it's still around.
| amenghra wrote:
| Use Google Voice as your 2nd number.
| O__________O wrote:
| Stop using SMS for 2FA.
|
| Not familiar with SMS Sender ID Verification, but after quick Google, I was unable to find any signs that it counters SMS spoofing.
|
| SMS as a 2FA channel is broken. There are so many vulnerabilities that it just makes no sense to use; for example: corrupt telco employees, SS7, sim card cloning, sim swap, spoofing, governments, etc.
|
| Beyond that, if you're located or traveling internationally, it's a nightmare to deal with.
|
| NIST has not recommended SMS based 2FA since 2016:
|
| https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...
| mfbx9da4 wrote:
| Can you provide reading links for SS7 and co please. I really don't understand why it's so insecure.
| fasteo wrote:
| SMS has a unique advantage that no other channel has: No user onboarding needed. Got a SIM? Got SMS.
|
| I send lots of 2FA SMS for a number of banks here in Europe and they - because of the costs after PSD2[1] went live - want users to use their app for getting notifications as 2FA. They have launched several communication campaigns over the last 2-3 years, but only 30% of users have migrated from SMS to in-app notifications, mostly because they won't even install their app.
|
| Then, we have use cases where users don't have a regular relation with your business (p.e. e-sign for consumer goods financing on spot). In this case, I would say that SMS is the only channel you have to serve these users.
|
| For better or worse, I do not see SMS disappearing anytime soon.
|
| [1] https://ec.europa.eu/info/law/payment-services-psd-2-directi...
| jandrese wrote:
| Don't have a SIM? Get fucked.
|
| There are people who don't have a cell phone because they see it as a distraction engine that will gobble up their life. Digital addictive drugs. But it's almost impossible to maintain this stance in modern life. Have you seen the trend of restaurants that no longer print menus? Instead there is a QR code that opens up their website to get the menu. Every service now wanting SMS verification adds to their problems.
| moffkalast wrote:
| > Don't have a SIM? Get fucked.
|
| Well yes, doesn't literally everything need a phone number to work these days? Can't open a bank account, can't get paid, can't pay bills, can't exist.
| dijonman2 wrote:
| I have asked for a paper menu in these cases and almost all restaurants have been happy to oblige. One time the restaurant let me use their ipad to see the menu.
|
| I wouldn't count on this, but I'm trying to give a business money. Most are happy to satisfy reasonable requests.
| reaperducer wrote:
| I was at a food court recently where one of the restaurants didn't have a menu. Just a QR. I asked, and there's no paper version available. I asked what they do for blind people and got a blank stare.
|
| So I went to the restaurant next door. If you can't even bother to scribble a menu on a chalkboard, you're not a real business.
| Dylan16807 wrote:
| > I asked what they do for blind people and got a blank stare.
|
| Probably talk to them? I'm not sure where you're going with this because a paper menu isn't going to help with blindness.
| herbst wrote:
| It's not only about having a SIM but also having one 'they' like. I am with a small provider here in Switzerland (that is the daughter of the biggest provider) and things like Twitter, Twitch, .. don't even support that number for whatever reason.
|
| I personally only use throwaway rental numbers on the web, basically giving me the worst security possible for any kind of account that falls back to SMS for security.
| jandrese wrote:
| I know people who have tried to save money or tried to avoid giving money to unethical companies by only having a virtual phone number. Turns out that virtual SMS numbers are treated like radioactive Ebola by most services.
| herbst wrote:
| It's a lot more complex than that actually. With Signalwire for example you can rent Canadian (and US) numbers at 0.2/m that work well with surprisingly many services, but not all. In a similar fashion you always find the right company to use/abuse any service that asks for a number. You won't get around the internet with a single cheap VOIP number tho. Plus there are providers with more or less perfect Sims but they are expensive.
|
| There are also services that are specialized on providing the right number for a one time fee. This usually works well, but more often than not destroys future account security (they all will give numbers out again, not relevant what they claim)
|
| I could literally write a book about my life without a 'real' phone number.
| jandrese wrote:
| I would buy and read that book, even though I know a lot of it will be out of date by the time it was ready for sale.
| fasteo wrote:
| We actually scrape like 30 sites offering virtual numbers to block them all. Our customers don't like seeing their SMS appearing in random sites.
| Dylan16807 wrote:
| They should stop being so nosy and looking over the user's shoulder, then.
| toomanydoubts wrote:
| > Instead there is a QR code that opens up their website to get the menu.
|
| This is a trend here in Brazil. And do they send you to a lightweight, mobile-optimized web page? No way in hell, you can be pretty damn sure they will send you to a 20MB PDF that was designed for printing.
|
| It's mind boggling how insane this is.
| npc12345 wrote:
| Skype
| Dylan16807 wrote:
| > but only 30% of users have migrated from SMS to in-app notifications, mostly because they won't even install their app.
|
| You say 'even' but it's hard to make sure apps aren't able to track me at all, and while I trust my bank to keep my money safe I don't trust their app to be tracker-free.
| eftychis wrote:
| Make a guess how fast one can SIM swap you if you are a good target. Phone calls and SMS should not be used for any such communication period.
|
| 2FA is ideally user generated to begin with, and not the other way around.
|
| This is more to check the box and state to the court you tried your best.
|
| P.S. Example: We had serious issues when people gave Google their phone numbers and the corporate accounts got hijacked.
| pilgrimfff wrote:
| Google won't even allow you to enable app-based 2FA until you've signed up for SMS-based 2FA.
|
| Unless you go back into the 2FA interface after the fact, there's no indication that app-based is even an option for Google accounts.
| ranger_danger wrote:
| That's not 100% true... the one alternative is to first enable U2F hardware-based 2FA (which can be emulated on a PC using softu2f), then you can enable regular app-based TOTP codes.
| moffkalast wrote:
| That may be so, but the alternative approach is something like Google/KeePass/whatever Authenticator which has the issue of not being bound to your number (unlike SMSs) so if your phone gets destroyed you can't simply get a new phone and sim from the operator and continue as usual, you're completely fucked instead.
| jandrese wrote:
| You are only in trouble if you didn't keep a copy of your private keys backed up.
|
| Unfortunately many of these apps treat the private keys like the app owns it which is where people run into trouble. Some will even back up to the app provider's cloud service which is just asking for it to be stolen.
| moffkalast wrote:
| > if you didn't keep a copy of your private keys backed up
|
| Most people don't. The average person doesn't even know that's a thing since like 1 in 100 services prompts you to even do that.
| kevin_thibedeau wrote:
| They're worse than that. I had pattern lock on my phone and it stopped working one day. After a factory reset all authenticator apps lose your credentials.
| jkepler wrote:
| On Android, if you use AndOTP, the app allows you to easily back up all your OTP secrets to an exportable file, with optional password encryption. Trivial to then import into another phone.
| vladvasiliu wrote:
| Depending on the authenticator used, you are absolutely not fucked. It even works while waiting for your new phone / sim (had this happen to me on a Saturday night in France. Nothing's open Sundays).
|
| There's Authy that does backups and you can even run it on a computer (even Linux!). 1Password can store OTPs, too, and is also backed up. There are probably a bunch of others and I'd expect KeePass to be able to do backups.
|
| Plus, you're usually able to get the OTP seed which you can store on your own. This usually shows up as "can't scan this code?" or similar when registering.
|
| I'm now traveling overseas, and have a local SIM in my phone. I have an older iPhone, so no dual-SIM for me. If I had to receive an SMS I guess it would still be better than my older Galaxy S5 which required a reboot, but it'd still be a pain to have to switch SIMs.
|
| If I lost my Phone but still had my laptop, I'd be AOK with my current OTP setup. Except for a few sites which don't allow me to have anything else besides an SMS, but luckily they're not critical.
| ranger_danger wrote:
| Ironically the only sites that force me to use SMS for 2FA are banks.
| moffkalast wrote:
| Well some do it properly I suppose, but on the other hand Google Auth has 100M users and no ways to back up. All of those people are royally screwed if anything happens.
| ranger_danger wrote:
| > no ways to back up
|
| not true. that QR code you scanned to add the key to your app? well, that was your key. you could have saved it somewhere else secure that does allow exporting.
| moffkalast wrote:
| Which all people of course do. Or is it more like 0%?
| amichal wrote:
| I have been one of those people. There must have been a lot of them because "export" is now an option which dumps all or selected keys and a giant non standard? QR code that can be imported into another instance. Mine are now on two devices.
| kwhitefoot wrote:
| How do the examples in the article cause any problem? You only get sent a code when you request it. And you type it into a website that you are familiar with.
| elboru wrote:
| What about the FedEx one? I cannot count the number of times I've seen companies or even government offices using complicated and scammy-like URL names.
|
| It's difficult to know if URLs are legit or not. HTTPS used to be a good enough indication of legit URLs, but not anymore.
|
| You could also think of googling the company. But those ads that look like real search results are well known to include scam websites!
|
| I'm a developer and I find it difficult to distinguish some URLs. Now imagine how difficult it can be for grandpa or really any person out there that doesn't know about these kinds of scams.
| ranger_danger wrote:
| Not everyone is that smart.
| orliesaurus wrote:
| Request for proposal: SPF, DMARC, DKIM authenticity authentication but for SMS
| megous wrote:
| Caller ID is the same. Some trunks come with ability to set any number you like, without any verification. You just provide the number you like in a SIP INVITE message header, and that's it.
| ricardbejarano wrote:
| Didn't know that, jeez.
|
| Imagine what that could look like with voice AI getting better and better.
| bricemo wrote:
| Very sad to see the United States as "No" and "No" listed next to the protections page linked
| njovin wrote:
| My understanding is that US carriers don't support Sender ID at all, so having the caller ID/sender ID spoofed is not common (and maybe not possible?) on major US carriers.
|
| Whenever I get phishing SMS they always come from a random 10-digit phone number so it's pretty clear they're scams. Reputable companies send these types of messages with shortcodes, which are 5 or 6-digit numbers that are very expensive and require thorough vetting by the carriers.
| saltminer wrote:
| > Whenever I get phishing SMS they always come from a random 10-digit phone number so it's pretty clear they're scams
|
| Sadly, Novant Health (a hospital system) uses a regular 10-digit number for their patient portal 2FA. When I was in college, accessing sensitive info like your SSN and W2s in Banner also had 2FA via a 10-digit number. (This was an entirely separate system from the login 2FA provider, Duo, which uses shortcodes in addition to U2F tokens and their app.)
| kazz wrote:
| They're not _that_ expensive (usually $500-$1k/mo) and I wouldn't really characterize the vetting as "thorough".
|
| Don't get me wrong, carriers have been making strides to lower the amount of spam that's sent through the air (A2P requirements, toll-free number verification requirements, etc), but a determined scammer can still exploit SMS/MMS pretty easily.
| njovin wrote:
| I've provisioned several shortcodes. There's a 12-week approval process (every carrier has to independently review & approve) and if you get flagged/reported for spam they _will_ come after you for it. IMO this makes it prohibitively difficult & time-consuming for a bad actor to use effectively.
| toast0 wrote:
| It also makes it difficult and time-consuming for a good actor to use effectively.
|
| As far as I could tell (although I retired in 2019, so might be out of date), you can't use one short code through multiple aggregators, so if you want the benefits of multiple routes, you've got to have multiple shortcodes or live with sending from regular phone numbers.
| kazz wrote:
| I think the processes are getting better each day, but it was only a couple of years ago that you could share a shortcode. My main point is that even with all of the safeguards it's still a ridiculously easy system to exploit.
|
| Most people will trust a toll-free number just as much as a shortcode, and since tons of legitimate companies use toll-free numbers for messaging it just blurs the line of what a "reputable" number looks like.
|
| Even SendGrid, which is owned by Twilio, uses toll-free numbers for their 2FA messages instead of shortcodes.
| judge2020 wrote:
| Regarding caller ID, STIR/SHAKEN is being used in some situations and I know AT&T supports it within their own network (call history will have a checkmark to indicate it was verified).
| ASalazarMX wrote:
| Meanwhile countries like Congo, Bangladesh, Cambodia, etc. have Yes | Yes. We need some of that third-world SMS protection.
| toast0 wrote:
| I mean, we're protected from SMS from spoofed alphanumeric sender ids. What more do you want?
|
| Probably no nation has protection from spoofed numeric sender ids, but based on the sms phishing attempts I get, that's not a big deal. Apparently people will tap on links from their bank from any number anyway.
| O__________O wrote:
| Link you're referring to is:
|
| https://support.sms.to/support/solutions/articles/4300056265...
| danschumann wrote:
| This is another reason why using password managers is good. I let it auto fill, so if I got redirected to a bad domain, it wouldn't autofill, and I'd double-check the domain.
| aero-glide2 wrote:
| Was very annoying when protonmail.com became mail.proton.me
| remram wrote:
| _very_ annoying?
| acd wrote:
| I got a phone number prepaid cash card, got someone else's previous mobile phone number. Get snapchat 2fa code which is not mine. Don't trust SMS for 2FA.
| grantla wrote:
| SMS really just needs to die, and we'll all be better off.
| krylon wrote:
| Huh. I received a text message a couple of weeks ago, informing me the "gift" that I had "bought" had been delivered to the "location agreed upon" by me, and to please visit this really suspicious looking URL for details.
|
| The Internet, for better or worse, has taught me a healthy amount of skepticism, plus I definitely had not bought any gifts (how is it a gift if I buy it myself?). But I can see how it is easy to fall for these scams if you aren't used to looking for them.
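danschumann's point above (the manager refuses to autofill on a domain it has no entry for) and aero-glide2's follow-up (a legitimate rename also breaks the match) both come down to how the saved URL is compared with the page being visited. The block below is an added example written for this thread, not any password manager's actual code: it shows the two common policies, exact host match and registrable-domain (eTLD+1) match, and why neither fills `example.com.evil.net` for a credential saved on `example.com`, while the proton rename stops matching under both. The public-suffix table is a hypothetical stand-in for the real Public Suffix List; URLs are constructed samples.

```python
"""Domain matching as a password manager does before autofilling.

Added example, not part of any commenter's post and not code from any
real password manager. KNOWN_SUFFIXES is a deliberately tiny stand-in for
the Public Suffix List (assumption for this example).
"""
from urllib.parse import urlsplit

# Hypothetical subset of the Public Suffix List; a real manager ships the full list.
KNOWN_SUFFIXES = {"com", "net", "org", "me", "io", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 for host (mail.proton.me -> proton.me), or None.

    Longer suffixes are tried first so bbc.co.uk resolves under co.uk, not uk.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in KNOWN_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # unknown suffix: refuse rather than guess


def host_of(url):
    """Lower-cased host of an https URL; None for plain http or malformed input."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def should_autofill(saved_url, current_url, strict=True):
    """Decide whether a credential saved for saved_url may fill current_url.

    strict=True  : exact host match (accounts.example.com != www.example.com).
    strict=False : same registrable domain, a common manager default.
    Either way a lookalike such as example.com.evil.net never matches,
    and nothing is filled over plain http.
    """
    saved, current = host_of(saved_url), host_of(current_url)
    if saved is None or current is None:
        return False
    if strict:
        return saved == current
    s, c = registrable_domain(saved), registrable_domain(current)
    return s is not None and s == c


if __name__ == "__main__":
    # Constructed sample URLs.
    print(should_autofill("https://protonmail.com/login", "https://protonmail.com/login"))
    print(should_autofill("https://protonmail.com", "https://mail.proton.me", strict=False))
    print(should_autofill("https://example.com", "https://example.com.evil.net", strict=False))
```

Refusing on an unknown suffix is the conservative choice: a manager that falls back to "last two labels" would treat `bbc.co.uk` and `evil.co.uk` as the same site.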
| jandrese wrote:
| Halfway through reading this article I got a SMS from a New York City number saying:
| Your package delivery details are incorrect and we cannot deliver. https://usppagestrport.com/2vlv
|
| Obvious phishing attack, but you know some people are going to fall for it.
| krylon wrote:
| Many years ago, an IT security person I was talking to referred to humans as "the one security-critical component that cannot be updated". It's a bit cynical, but not entirely incorrect.
| Gunax wrote:
| The more I read about phones and texting, the more I realize that they were never intended to be used as security verification.
|
| It just was not one of the design goals. My understanding of caller id is that anyone can put anything there--it was made decades ago to serve as convenience--not to verify.
|
| Likewise with the sender id in SMS.
|
| It's a good lesson on how protocols are hijacked. Someone thought it was a good idea to send text messages. Another person decided to leverage it for security. Et voila, we have a security apparatus that isn't very secure.
| longrod wrote:
| Phones were here way before 2FA and Internet. The technology is poorly designed for modern attack vectors but it's so widespread it's crazy. Every single person out there has a phone number - one of the primary reasons it is still offered as a 2FA option.
|
| Not to mention how widespread the coverage is. There are many places around the world where you have cell connectivity but no Internet.
|
| In short, you can't get rid of it short of throwing away the SIM. Is it possible to have SMS v2 that's safer like we went from 2G to 5G?
| cwoolfe wrote:
| "add number two to your backlog if you work on iOS or Android" I would...but as an iOS and Android developer, how do I know if it's a non-verified sender ID? The reason browsers can warn on these things is because of public key infrastructure, but that doesn't exist for SMS phone numbers. Am I missing something?
| daneel_w wrote:
| No, you're not missing anything. The author of the article just suffers from a naive and simplistic misunderstanding of the SMPP protocol and the mobile grid.
| bckygldstn wrote:
| I believe the author means if you work at Apple or Google. So working ON iOS or Android, rather than working ON [top of] iOS or Android.
| mikece wrote:
| And yet almost every bank requires it for 2FA and only a precious few offer TOTP or some other reasonable and secure form of 2FA.
| sha256sum wrote:
| FWIW, I have 4 "banking" accounts, 3 of which are major American banks and one is a local credit union. The latter is the ONLY one to offer 2FA via TOTP while the major banks only allow SMS or email 2FA.
| hinkley wrote:
| I'm still a little salty about Blizzard handing out free TOTP fobs at conventions and implementing an iOS app to do it, years or even a decade before financial institutions offered anything.
|
| It's a fucking game, protecting against gold farmers. How about protecting my non-virtual gold?
| Gunax wrote:
| Videogames are oddly the most secure of all.
|
| I don't know why (maybe criminals are more likely to go for your WoW account assuming the legal consequences are less) but I would advise all companies to examine how Blizzard, Valve, and others handle account security.
| z3t4 wrote:
| Could build your own protocol on top of SMS. Double opt-in, encrypted and signed. See for example MMS.
| smokey_circles wrote:
| Phone numbers and email: the primary identifiers that were never meant to be used as such.
|
| No idea what a good alternative is though. Preferably something federated though
| jkepler wrote:
| Are you familiar with https://identity.foundation/ ? It's a group of companies and developers working on decentralizing identity.
| turrini wrote:
| Maybe implement a two-way verification, for example:
|
| In the app/website: "You will receive an SMS with two 6-digit numbers, one to certify that we sent it to you and another to type below. Our chosen number is 887-987, type the other one"
|
| In the SMS: "Two-way verification. Check if it's us with number 887-987 and confirm with number 543-621"
| Gunax wrote:
| Unfortunately I don't think that will work because the attacker is in the middle. They can request the verification number, then forward it to the victim.
|
| It sounds like we want identity verification, which while solved for computers, is much harder for humans.
| woobar wrote:
| IBM ISAM (enterprise access manager) was doing this 5+ years ago. The prompt for one time code will look like this [1]:
|
| 1234-_______, and email/sms will have two numbers 1234-554566.
|
| Don't think they explained the reason for the first part in the message though. Just highlighted it in a different color.
|
| [1] https://philipnyecom.files.wordpress.com/2017/02/otp.jpg
| alexcosan wrote:
| This could work - similar to what happens in some bluetooth pairing flows. But you could still send a text message with a phishing link under the same Sender ID and fool someone into opening it. You'd really need to know that the specific sender would never a) send you a link, or b) send you anything without the "two-way verification" flow you suggested. I don't think any of those options are realistic at a certain scale.
| remuskaos wrote:
| I think one common way to "bypass" 2FA is to have the carrier send you (the attacker) a second SIM card. If I'm not misremembering, the text message is then delivered to both cards, the original holder and the attacker. So sending two numbers would not defend against this type of 2FA bypass.
| Melatonic wrote:
| If that happens though you are screwed no matter what they do. The above does sound like a big improvement though and is sort of like what Google does when you turn on advanced protection and it occasionally will ask you to match the number on your computer screen to the one on your phone
| dspillett wrote:
| You are right, a duplicate SIM will stop the two-number method described from adding any protection.
|
| But it will still protect against the fake messages like the ones being discussed here, and if someone has a duplicate SIM you are buggered in a number of other ways too.
|
| Though this method, and several others that are effectively the same, only offers any protection if the user has the wherewithal to bother verifying the other number. Unfortunately that means that in many cases it won't help at all because many would not be aware of the other number and expect to find it when the fake messages come in - unless the user knows to expect and require it, the fact a fake message doesn't have it makes no difference.
| 37 wrote:
| Maybe I'm missing something, but why would this work? Isn't it just 12 digits going to one phone number instead of 6? (also thinking about this is bringing me back to SYN-ACK from the old days)
| degenerate wrote:
| The user chooses the second 6 numbers. For dumb users this won't add any security, but for smart users this rings alarm bells.
|
| I like it, at least, for now. It's better than the current situation.
| tuyenhx wrote:
| This has been a problem for Bank in Viet Nam for a year.
|
| They faked Bank's message, and sent the link with the same UI of the bank. Many people got hacked.
|
| I got a few messages like this. The only thing I could do was informing my friend (non-tech) to avoid these things.
| rr888 wrote:
| I really don't want a phone number any more, I don't need one for any friends or family contact. Really the only reason is for 2fa which is ironic as it seems the weakest link.
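The two-number scheme turrini proposed above, and 37's question of why twelve digits to one phone help more than six, come down to ordering: the page shows the display code before the SMS arrives, so a message that does not repeat it was not produced by the session in front of the user. The following is an added example written for this thread, not code from any commenter, simulating all three parties with the 887-987 / 543-621 values from the proposal (without the hyphens). Function names, message wording and the scenario helpers are this example's own.

```python
"""Two-number SMS verification, simulated end to end.

Added example, not code from any commenter. Models the proposal from the
thread: the server mints a display code (shown on the page) and a reply
code; the SMS carries both; the user types the reply code back only if
the display code in the SMS matches the page. Sample values are the ones
quoted in the thread; the forged message is constructed for the example.
"""
import re
import secrets


def mint_codes():
    """Server side: two independent six-digit codes from the OS CSPRNG."""
    return (f"{secrets.randbelow(10**6):06d}", f"{secrets.randbelow(10**6):06d}")


def compose_sms(display_code, reply_code):
    """Server side: message text, display code first, reply code second."""
    return (f"Two-way verification. Check that the page shows {display_code}, "
            f"then enter {reply_code}. Do not share either number with anyone.")


def parse_sms(text):
    """Phone side: (display_code, reply_code), or None unless exactly two codes."""
    codes = re.findall(r"\b\d{6}\b", text)
    return (codes[0], codes[1]) if len(codes) == 2 else None


def user_replies(sms_text, display_code_on_page):
    """The user's check. Returns the reply code to type, or None to refuse.

    A message that arrives unsolicited, or was forged under a spoofed sender
    ID, cannot carry the display code because its author never saw the page.
    """
    parsed = parse_sms(sms_text)
    if parsed is None:
        return None
    shown, reply = parsed
    if shown != display_code_on_page:
        return None
    return reply


def server_accepts(entered, expected_reply):
    """Server side: constant-time comparison of the typed reply code."""
    return entered is not None and secrets.compare_digest(entered, expected_reply)


def scenario_genuine(display="887987", reply="543621"):
    """Legitimate login: SMS matches the page, reply code is accepted."""
    return server_accepts(user_replies(compose_sms(display, reply), display), reply)


def scenario_spoofed_sender(display="887987"):
    """Forged SMS from a spoofed sender ID (constructed values): the display
    code is a guess, the user's check fails, and nothing is typed."""
    forged = compose_sms("123456", "654321")
    return user_replies(forged, display)


if __name__ == "__main__":
    print("genuine login accepted:", scenario_genuine())
    print("spoofed-sender message refused:", scenario_spoofed_sender() is None)
    d, r = mint_codes()
    print("fresh codes:", d, r)
```

What the check proves is that the SMS belongs to a session that displayed this code; it says nothing about who started that session. That is exactly the gap Gunax and remuskaos point out: a relayed genuine message or a duplicated SIM delivers a correct display code and passes `user_replies` unchanged, so the scheme blocks forged messages, not credential forwarding.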
| permo-w wrote:
| I don't even want a (smart)phone anymore. The lack of control you have over your user experience, especially on Apple devices, is horrendous. you can't even really jailbreak apple devices anymore. on your PC you can reprogram anything, navigate around or fully prevent most malicious time-wasting practices (infinite feeds, reels, adverts) that you're near enough at the mercy of on a phone. the way I see it, smartphones are made for idiots
|
| Ideally I'd carry round a phone-sized PC running Linux with mobile capabilities, but as it is I settle for my laptop and a brick phone. I appreciate that android would be better - and is in fact a computer running linux the size of a phone, but it's not really the same.
| rockbruno wrote:
| It's even worse when you think of how phone companies often recycle dead phone numbers. I remember in Brazil you would often hear of people accidentally stealing someone else's account in apps where login == phone number due to this. It's an awful verification system all over.
| herbst wrote:
| My contract does state nowhere that I own or have any right to the number they gave me.
|
| Even though I never saw that happen nothing is stopping them from just giving my number to someone else.
|
| It's so stupid to depend on something like this
| kayodelycaon wrote:
| This is why I have a password on my Telegram account.
| theginger wrote:
| As far as I am aware there is no reasonable way for carriers to verify sender IDs or to communicate a verified status with an SMS message. So you would end up labelling all messages as not verified, which might provide some clarity for a short time until it just becomes noise that gets ignored.
| ranger_danger wrote:
| Voice calls have the same issue. Most leased lines and VoIP providers let you set your own P-Asserted-Identity header which can be used to spoof caller ID to anything you want.
| jakear wrote:
| Bottom line up front: When sending tokens via SMS, you _must_ include a "do not share this token with anyone besides X.com" text. Otherwise account takeovers become trivial.
|
| The article's attack is relatively benign - the user simply goes to a website. Sure they _may_ end up putting info in that website, but probably not. Plus existing systems for malicious website filtering can kick in to prevent this.
|
| The more concerning attack is the social engineering one where a third party says something like "let me 'verify' your identity, I'll send you a number tell me what it is" then triggers an identity verification request on the domain (this can be done either manually or part of a sign up flow for some honeypot service). Now the target needs only relay 6 digits to someone they already "trust" and are in a conversation with, versus in the article's example they needed to put their full account info into an unknown website.
| advisedwang wrote:
| Securing SMS sender ID may prevent you trusting a URL from a text, but that's not enough. We can't prevent people from _ever_ clicking on a phony URL, so we need to ensure even if you hit a phishing page that you can't have credentials stolen. SMS and TOTP can't do this, even if they are secured, because phishing pages can forward the credential.
|
| The only solid way to prevent phishing is non-forwardable credentials, ie FIDO/U2F. We need to make this easier and more ubiquitous.
| projektfu wrote:
| Clickable links also enabled people to lose control of their WhatsApp accounts. The message was legit but the request was not. If they had sent a code, the attacker would have to convince people to give it to them. With the link, a lot of users assumed they needed to click to keep using Whatsapp. Not sure what Facebook was thinking but it was a pretty bad move.
| lxgr wrote:
| I wish we would just stop using phone numbers as the primary user identifier and SMS as the primary communication channel, period.
|
| The amount of cruft involved in SMS delivery is unbelievable, and phone numbers are neither particularly stable, nor particularly well protected against takeovers.
| GekkePrutser wrote:
| We don't really, here in Europe. WhatsApp is the main communication method. I think SMS is still so popular in the US because it's a fallback for iMessage. But here the levels of iPhone users are much lower.
|
| So for me 2FA is pretty much the only thing I still use SMS for. Which makes a suspicious SMS stand out a lot more.
|
| I wish we'd stop using it for 2FA though, because it was never meant to be hardened for this.
| herbst wrote:
| > We don't really, here in Europe. WhatsApp is the main communication method.
|
| This is only partially true. There are also countries like France where WhatsApp only has a market share of about 22%. Switzerland is very split too; I personally know more people using Signal or Telegram than 'still using' WhatsApp.
| GekkePrutser wrote:
| Oh really? I have many colleagues in France and they're all on WA. What else do they use? Is there a local app? I know France loves their local things :)
| jkepler wrote:
| The French government adopted Matrix for all their internal and inter-ministerial communications, to avoid dependence on foreign corporate products. https://archive.fosdem.org/2019/schedule/event/matrix_french...
|
| Most people I know use WhatsApp (I refuse, and since I run LineageOS without Google services I simply tell people my phone doesn't support it), Signal, or Telegram.
| avgcorrection wrote:
| Bunch of humbug. I was once away in Europe (many years ago) and everyone used WhatsApp. But now, here in Europe (the same place that I came from), no one uses it (or at least no one tells me about it).
|
| I was of course in a different country in Europe. Since it's a mini-continent and all that.
| MomoXenosaga wrote:
| I'm seeing more services using email for 2FA nowadays.
|
| SMS is actually easier; with email I have to go into the Outlook app.
| lxgr wrote:
| > We don't really, here in Europe.
|
| At least Germany and Austria heavily rely on SMS-OTP for all kinds of services, banking and otherwise. I've never received an OTP via WhatsApp.
|
| Austria even has an eIDAS-compatible e-signature scheme based on SMS-OTP that allows people to create a legally binding PDF signature using SMS-OTP and a static password...
| GekkePrutser wrote:
| Yes, like I said, for such services, yes. Here in Spain it's used sometimes too. Though once a month would be the maximum I'd receive one.
| rr888 wrote:
| Don't you need a phone number for WhatsApp though?
| digitallyfree wrote:
| The main issue with WhatsApp is that you're locked to a single provider and their service (unlike SMS, which works across different carriers), as well as their privacy practices. In a way this is similar to people moving away from email to proprietary messaging systems instead - while you gain security and functionality benefits, you lose in terms of choice and compatibility. Sadly alternatives haven't really gained traction.
| GekkePrutser wrote:
| I agree, I don't _like_ WhatsApp. Though I do like it more than SMS.
|
| One of the things I like about it is group messaging. The seamless images/files, the encryption...
|
| And I don't think most mainstream users feel this as a lock-in. After all, whatever phone they can buy, they can install WhatsApp on it (and soon even import their history!).
|
| Personally I prefer Matrix. Not a fan of Signal either due to the ban on 3rd party apps.
| digitallyfree wrote:
| Yeah, I personally use Matrix myself; I run a self-hosted instance for internal family use.
| They're the only people actually willing to use it - everyone else is on WhatsApp and similar services.
| ghaff wrote:
| Heavy SMS usage predates iMessage in the US. But iMessage was presumably a big contributor to making unlimited SMS messages the norm on most phone plans. In any case, there was just never a big incentive in the US to use anything other than iMessage when available and fall back to SMS otherwise. And without that incentive "no one" (who isn't texting people overseas) bothers to use different apps.
| GekkePrutser wrote:
| Oh, this is true here too. SMS usage was huge pre-WhatsApp.
|
| What happened was that the networks were capitalising on that. SMS was historically quite expensive, so it became a big cash cow. SMS bits must have been made of gold because they were hundreds of times more expensive than other bits.
|
| WhatsApp completely killed SMS usage here, however, leading to some carriers wanting to charge extra for WhatsApp usage to recuperate some of the 'lost' revenue. This sparked a big discussion about net neutrality, which was then enshrined in EU law, so the discussion was finished. By this time, SMS had become practically free, but it was too late.
| ghaff wrote:
| Interesting. It looks like WhatsApp predated iMessage in the US but it never really took off. Maybe US text bundles were more consumer-friendly in the US? Though I don't really remember it that way. (I didn't do a lot of texting though and mostly expensed the handful of work-related texting I did do; friends didn't really text at that time.)
| BiteCode_dev wrote:
| Sure, if you find something as interoperable, free, simple and mobile, go for it.
| kevincox wrote:
| Email?
| BiteCode_dev wrote:
| Not as mobile: you need internet and a smartphone. I still have a friend with a dumb phone. I'm sometimes in zones without internet, but my mum calls me and asks me to give her some confirmation code I receive.
|
| Not as simple: stuff arrives in the spam folder. Some providers just reject your valid mail (my main email TLD is exotic; it causes lots of trouble). People receive so much junk they lose your message in 1000s of unread mails or are afraid of checking them.
|
| Not as interoperable: there are new kids that just don't have email set up on their phone. They check it once a month at home on the computer. Email is for old people (although text is getting there too).
|
| Plus email is almost as easy to spoof and intercept, so the gain would be minimal.
| kevincox wrote:
| Sometimes I'm traveling and don't want to pay exorbitant roaming fees. Or sometimes I'm in a building or basement without phone service.
|
| I'm sure there are a few people without email on their phones, but I don't think the number is dramatically different than those without SMS right now. If I have cell signal I have email, but I can have email without SMS access.
| BiteCode_dev wrote:
| > If I have cell signal I have email, but I can have email without SMS access.
|
| In US populated areas, maybe.
|
| In the French countryside, definitely not.
| lxgr wrote:
| If you don't have internet, you arguably don't need to receive OTPs either (since these are usually used to log in to some online service or confirm a transaction in one), no?
| BiteCode_dev wrote:
| Of course I do.
|
| E.g.: last week, my brother wanted to try one of my service accounts on his iPad (we set it up only on his computer). He tried to connect with my password, but any new device requires 2FA. So he called me, and I gave it to him.
|
| Now, in this particular example, I was at home, so I had access to internet.
|
| But I'm often traveling to places where I don't.
|
| In fact, I lived in Mali for 2 years, where this has been a big trouble for all administrative stuff. Nowadays, I would assume a lot of Malian people have phone numbers, but no email, anyway.
|
| But without going that far, the French countryside has plenty of places where you get text but not internet. And being in a car or train is often enough for that.
|
| I don't think SMS is a good 2FA. I have 3 YubiKeys at home.
|
| But I believe any geek should first spend a month working in a call center before making a comment about 2FA.
|
| There is a looooong tail of things going wrong, and there is a reason corporations chose SMS: they tried all the rest, and it was worse.
|
| Now things are getting better with in-app 2FA notifications, but of course it assumes you have a smartphone.
| lxgr wrote:
| > Not as mobile: you need internet and a smartphone.
|
| > I'm sometimes in zones without internet but my mum calls me and asks me to give her some confirmation code I receive.
|
| We're talking about multifactor authentication here. Where/how are you authenticating without internet access?
|
| > Email is for old people
|
| I guess that makes me old. Does that disqualify me from using multifactor authentication?
|
| > Not as simple: stuff arrives in the spam folder. Some providers just reject your valid mail (my main email TLD is exotic; it causes lots of trouble).
|
| All of this happens to me with SMS much more often than it does with email.
|
| > Plus email is almost as easy to spoof and intercept,
|
| Agreed on spoofing, but that's not a problem for OTP authentication. Completely disagree on interception - I believe SMS is much easier to intercept, on average.
| byteflip wrote:
| As someone who's moving overseas shortly, changing/removing your number is a nightmare. It really is the primary UID. So many things use it for 2FA. In a lot of cases you HAVE to list a phone number. I ported my number to Google Voice as a decent alternative, but you kinda have to know what you're doing ahead of time. My gf who moved first did not and deeply regrets it.
| j_calvert wrote:
| I ported my number from Google Voice to Google Fi and lost all the SMS messages sent/received while using the number with Voice.
|
| Mentioned this to a friend who works at Google on their messaging products. His take: "Yup. It's a mess"
| el_nahual wrote:
| I did the same switch and can still access all my old SMSes and voicemails at voice.google.com
| javajosh wrote:
| The hardware solution is either to have two phones, or one phone with two SIM cards (which are common in Europe, for example).
| curun1r wrote:
| I tried something similar when I went overseas. In my case, I tried to use Twilio and even got everything set up to forward correctly to the number I got in whatever country I was in at the time.
|
| But that doesn't work for 2FA. I ended up locked out of my online banking accounts for my whole trip and it was a huge headache. My recommendation would be to port your number over to Google Fi and then just use that in whatever country you're going to. It's a bit more expensive than local cell service in many countries, but there's nothing like having your phone just work wherever you go.
| ankaAr wrote:
| I will face the same soon.
|
| Is there a guide or something to help you with that?
|
| I know that it is just a simple task, but it is a really long chain of stuff to do to prevent yourself from being on the other side of your services.
| byteflip wrote:
| It's probably trivial for the average HN reader; the key is to do it before you move. Otherwise it can be difficult since Google Voice is not available in most countries. (Will need a VPN.) FYI iMessage is real wonky now that I've removed my phone number.
|
| Should be obvious, but you will lose your phone service, so you want to time it close to when you are leaving.
| herbst wrote:
| I lost my SIM shortly after I moved and never got a replacement.
| I have advocated against phone numbers since then :)
|
| My best advice is to find alternatives and don't depend on anything that depends on a phone number. Things can ALWAYS go wrong.
| Mikeb85 wrote:
| This. A bunch of Canadian government interactions also use SMS as 2FA and I live abroad for months every year. At least most tech companies let you switch to an authenticator app...
| ihateolives wrote:
| But you still get SMS when roaming?
| lxgr wrote:
| Not very reliably, usually.
| Mikeb85 wrote:
| Canadian roaming rates are so utterly shit the SIM card comes out the second I'm on the plane. It's like $15 per day to roam in the EU. Not per month, per day, let that sink in... I can get a plan in Europe for 30 EUR/month that puts my Canadian plan ($90/month) to shame...
|
| I'm not paying $450/month to roam...
| gst wrote:
| > Canadian roaming rates are so utterly shit the SIM card comes out the second I'm on the plane. It's like $15 per day to roam in the EU. Not per month, per day, let that sink in... I can get a plan in Europe for 30 EUR/month that puts my Canadian plan ($90/month) to shame...
|
| That's cheap. My Austrian provider charges 1 Euro per 100 KB when roaming in Canada (no - that's not a typo). So for 10 GB that's a cheap 100k Euros.
| pkulak wrote:
| And most things block Google Voice.
| iLoveOncall wrote:
| Wait until you move to your new country and discover that you need a local bank account to get a local phone number, but you need a local phone number to open a bank account.
| GekkePrutser wrote:
| Yes, Ireland has this too. It's frustrating. They don't have a population registry, so proof of address is a 'utility bill'. But to sign up for utilities you need a bank account, which requires proof of address. Well, you get it.
|
| Also, relying on something from a commercial entity that's so easy to fake is weird.
| ghaff wrote:
| It's sometimes the case in the US as well.
| When I got my RealID driver's license I had to show some sort of utility bill as a proof of address--which, as you say, could be pretty easily faked.
| kevin_thibedeau wrote:
| I recently did this and had two utility bills. But _two_ isn't accepted, so I was given an affidavit form where I wrote down that I was who I claimed to be.
| GekkePrutser wrote:
| Lol, if you're going to take the user's word for it, why even bother asking for proof :)
| gorbypark wrote:
| I ended up porting my (Canadian) number to a cheap pre-paid MVNO service that was $100/yr for unlimited talk/text and no data (within Canada), but seemingly allows me to roam forever and receive SMS for free. Cheapest option I could find in Canada, besides maybe some VoIP providers.
| judge2020 wrote:
| To add, I've experienced a few too many services that seem to block Google Voice numbers for 2FA purposes (although maybe they're blocking based on area code and there wouldn't be a problem if I ported my existing number to GV).
| lxgr wrote:
| This is pretty common, unfortunately (and a major factor in choosing a service provider for me when there are multiple options).
| CamelRocketFish wrote:
| I kept my old number and switched it to a provider that offered a yearly prepaid plan with an eSIM. $20 a year and I can keep my old number and switch to it as an active SIM to receive 2FA whenever necessary. I agree with always using 2FA via TOTP, however.
| TheCraiggers wrote:
| It's also not a long-term solution. At some point, your ported number will be updated and flagged as a "VoIP number" since it's now associated with Google Voice. At that point, you'll start having issues, as many services don't like it when people use a number they can acquire for free in a couple of minutes as the UID.
| refurb wrote:
| What I've seen is services will verify the number at sign-up, then never again.
| bityard wrote:
| For whatever it's worth, that's not permanent.
| My current number was originally a GV number and used to get flagged as a VoIP number. But I ported it out to a mobile carrier a year ago (which Google makes you pay for) and haven't had an issue since.
| Scoundreller wrote:
| Doesn't work that way for Canadian numbers. Only the original issuer is public info. Porting info is on a need-to-know basis (i.e. telecoms need to terminate calls, but that's it).
|
| This can work against you of course, so a good strategy is to get a burner phone and port that number to your VoIP provider.
| byteflip wrote:
| Great to know; so far I've been able to still receive SMS 2FA messages, but it's only been a couple of days since porting.
| dvngnt_ wrote:
| Discord is a big offender.
| delecti wrote:
| I've used a Google Voice number as my primary number for quite a while, and it's actually pretty rare to have issues with it. I'd say that much less than 1/10 of services require me to use my cell's actual number.
| amichal wrote:
| Google Voice needs to be linked to a valid +1 land or mobile number to function long term. My Google Voice number lasted for almost exactly 6 months after the US cell number it was linked to was disconnected (moved overseas for a while). Its classification as a valid mobile lasted a bit less long, and now I cannot use it to send/receive SMS at all (voicemail works, but it will not ring through and I can no longer use it to call). Before that, many banks etc. stopped sending SMS 2FA messages through (as they are supposed to, according to the latest NIST guidelines). Thankfully (?) the same banks seem OK to do voice 2FA to my overseas number. Sadly they still do not support better MFA authenticators.
|
| Would love to know how to maintain a US SMS presence without sketchy, obviously-for-spammers products.
| kernelbugs wrote:
| I've been using jmp.chat and have been pretty happy with them.
| But I haven't tried using them as a 2FA provider; they may be blocked by places that block common VoIP providers.
| ant6n wrote:
| I went abroad from Canada for two years, tried to park two numbers with Virgin on cheap prepaid (still paying $5-10 just to hold a number). Well, they fucked up credit card payments on both accounts, closed them after a couple of months and stole our numbers. So aggravating to go through the trouble of parking the numbers, paying perhaps $300, and then the aggravation of trying unsuccessfully to get those numbers back, and the aggravation of trying to figure out which services use those numbers for 2FA.
|
| Canadian telcos are basically a scam (and Virgin is now my top hated one, assholes).
|
| 2FA using phone numbers is idiotic.
| remram wrote:
| For sure, the second factor is supposed to be "something you own" and phone numbers are not that.
| Scoundreller wrote:
| Should have ported to VoIP.ms or similar.
| julianlam wrote:
| That's interesting, although my ISP seemed to know I was calling from a VoIP number (my "landline", as it were). She even knew my secondary number was a VoIP number.
|
| I think in the end she put one of the numbers down in the application after a little persuasion.
| giaour wrote:
| Shouldn't it be the same for the US and Canada? Both are administered by NANPA. Last time I looked into this (early 2020), you generally couldn't get porting info for US numbers, though the original issuer was public and easily accessible.
| Scoundreller wrote:
| Since the US and Canada have number portability, it's managed by a Number Portability Administrator. That's Neustar in Canada:
|
| https://www.npac.com/canadian-number-portability/the-npac-ne...
| namecheapTA wrote:
| Burner phone numbers in the US seem to be of a particular range of numbers and can also be flagged.
| I used to use pay-as-you-go burners for random tasks in the past and noticed they gave me trouble when trying to use them to get verification codes sometimes.
| remram wrote:
| I'm not sure what you mean when you say "burner phone". I know for a fact that you can get a regular prepaid plan from T-Mobile and pay for it in cash, no IDs; that fits the "burner phone" requirements for me. Do you mean that every prepaid plan uses that range of numbers?
| Scoundreller wrote:
| Prepaid plan vs post-paid, probably not, but some discount prepaid providers are probably considered "less trustworthy", or less profitable, when evaluating VoIP numbers.
| lxgr wrote:
| SMS gateways know the destination provider too, and I believe this is how blocking VoIP numbers is implemented in practice.
| toast0 wrote:
| Before I retired (2019), I was getting emails from our telecom providers that Canadian regulators were mandating that they not share porting information with customers (us), although it was generally available before, and was still available in other countries of interest (mostly US), for a fee.
| orblivion wrote:
| I think this goes to the fact that we need a new sort of UID. Something thought through very carefully rather than something that comes to be. There's a sort of hidden infrastructure, hidden legacy, hidden stability that's been built around phone numbers and email. For instance, "valid Google email address" is a proxy for "a real person with X likelihood". Same goes for SSN + demonstrated knowledge of your last few residences, etc. etc. It's a mess.
|
| Start from first principles: what do we really need to know about a person? What could we build? On the other hand, maybe if it's _too_ good it'll be bad for privacy, and escaping into the shadows, should that become necessary for someone.
| aarreedd wrote:
| This is a problem some people are trying to solve with blockchain technology.
|
| I'm not necessarily saying this is a good idea. It's just an interesting potential solution.
| orblivion wrote:
| The question I think I'm getting at is about who you are and why that matters in a given case. Blockchains are good for keeping identities intact once established, which is different, though maybe it'll help overall.
| trinsic2 wrote:
| I removed all mobile-based 2FA from all my sites that rely on it and strictly use TOTP and U2F. Now I only subscribe to services that provide this kind of authentication. There are a few sites that I still use that rely on SMS 2-factor, but it's a short list now. Most of my sites that have TOTP and U2F support have the option of using SMS auth but do not require it.
| ihateolives wrote:
| What exactly is the problem? Is this something US-specific? I've been living in different countries for years and always kept my original number in addition to getting a local number as well. Never had any trouble with 2FA.
| lxgr wrote:
| There are many problems with this approach (I'm using it currently as well, out of necessity, not choice):
|
| - SMS delivery is not always very reliable when roaming.
|
| - Prepaid SIMs usually expire after a while of not topping them up.
|
| - Good luck losing one of these SIMs and getting a replacement abroad. (eSIMs make this both better and worse.)
| jdeibele wrote:
| https://support.google.com/voice/answer/1065667?hl=en#zippy=...
|
| I've paid the $20 Google charges to make a number "permanent" once for myself and a couple of times for organizations.
|
| For myself, it's a highly secure phone number. I still only use a phone number when I absolutely have to, like with Twitter, preferring to use a hardware key or Authy.
|
| For organizations, it's like an answering machine. My kids' soccer club had a cell phone that was supposed to be answered by the VP when parents or coaches had messages.
| It was much easier to port the number into Google Voice, put it into Do Not Disturb mode permanently, and have the transcriptions forwarded to the VP on the extremely rare occasions that there were any.
| lelandfe wrote:
| Note that many services do not permit Google Voice numbers!
|
| Instagram and Facebook will quickly disable your account and demand a real phone number. I recently had a delivery app inform me at signup that it's not _even a real phone number_ (it happily slurped up the submitted Voice number and later sent me ads about pizza anyway).
| ghaff wrote:
| The dark side of the mobile number portability that we all wanted. I wonder what would have happened in the alternate universe where a lot of people would presumably have been changing mobile numbers with at least some frequency.
|
| I also have to wonder how Google Voice has survived Google's ax all these years.
| lxgr wrote:
| For Google Workspace accounts, it's a paid service (I believe $10 or $20 per number per month). The personal version is presumably a loss leader.
| dasil003 wrote:
| Probably because execs use it.
| TedDoesntTalk wrote:
| I've lost access to a phone number on Google Voice. After my parents died, I ported their landline to Google Voice. This number was in my family for more than 50 years.
|
| After porting a second number into Google Voice (and involving Google Fi) I lost access to the first. A 50+ year old phone number that everyone important to me already had memorized.
|
| If you call the number now, it's answered by a Google Voice subscriber message. So I know the number is still with Google. I just can't access it anymore.
| hirundo wrote:
| After ~15 years with it, starting back in the GrandCentral days, I recently moved from Google Voice to voip.ms, on my path to degoogling. The new service is paid, in a competitive domain, and so needs and has excellent customer service, and a much improved set of features.
| I'm happy to be the customer instead of the product.
| asdfqwertzxcv wrote:
| Are you me? Exact same story. How are you making/receiving calls and texts now?
| JacobThreeThree wrote:
| Why don't you just contact Google customer service?
|
| I'll be here all week.
| krallja wrote:
| > I also have to wonder how Google Voice has survived Google's ax all these years.
|
| The infinite surveillance capacity of a monitored voice line?
|
| Millennia of training data for AI speech synthesis and recognition?
| honkdaddy wrote:
| Companies use it as a cheap and easy way to combat spam without any engineering on their end. It's purely out of financial interest, nothing more. The mobile apps which require a phone number to use are doing this because if they only required email to sign up they'd have people sniffing their API and very quickly overwhelming it with fake accounts, and the cat-and-mouse game begins.
|
| By forcing the users to validate with a phone number, they're essentially pushing their spam problems upstream and out of their hands. More sophisticated actors know it's possible to automate SMS verification, but it does stop a lot of spam at the door.
| lxgr wrote:
| There's no reason that a service's "proof of personhood"/anti-bot mechanism has to be the same as that used for OTP delivery, though.
|
| Google does this very well: They require a phone number for spam account creation prevention - once. After that, I can delete the phone number from my account and use a FIDO key, TOTP or any other 2FA method.
| sdflhasjd wrote:
| Let's also not forget how unreliable SMS is too. I got locked out of an Apple account because I wasn't receiving codes.
| hinkley wrote:
| The problem here, I think, is that these sorts of failures are bursty, and account protection algorithms are typically not capable of tracking behaviors over time, because that would be expensive.
| reaperducer wrote:
| I haven't been able to use Uber for the last four years because I never receive its verification texts.
|
| Uber's screw-up has given Lyft a few thousand dollars.
| reaperducer wrote:
| _I wish we would just stop using phone numbers as the primary user identifier and SMS as the primary communication channel_
|
| Come up with a good alternative and make yourself a billionaire.
|
| Difficulty: _Good_ alternative.
| dheera wrote:
| Exactly. I deprecated SMS 12 years ago in favor of e-mail. E-mail supports encryption, >140 characters, attachments, alphanumeric IDs, and works across country borders and SIM cards. There is literally zero reason to use SMS.
| 0xbadcafebee wrote:
| E-mail seems to be the solution. It's out-of-band; authentication/authorization are required; there are standards to flag an invalid origin; it filters spam. It's not encrypted, but neither is SMS. Most of today's dumb phones can check e-mail, so it's almost ubiquitous. The only way it doesn't work is for rural users who have no data but do have GSM/SMS.
| lxgr wrote:
| I agree, but unfortunately some regulatory bodies like the EBA have specifically labeled it "not a factor for 2FA purposes"...
|
| Ironically, my email inbox is much better protected than my SIM/phone number.
| 0xbadcafebee wrote:
| We should lobby them to change the rules, as a second e-mail account would literally be a second factor. Then it's up to the user to hook it up to their phone.
| devoutsalsa wrote:
| Email-based authentication is lame. If a hacker gets access to your email, then they automatically have access to your 2FA. Lame.
| lxgr wrote:
| And if they get access to my phone number they get access to my texts and phone calls. That's why neither should ever be the only authentication factor (nor a single-factor recovery method, for that matter).
|
| That said, my phone number is significantly easier to take over than my email address and mailbox.
| pkulak wrote:
| So if a hacker gets access to your second factor, they have access to your second factor?
| ridgered4 wrote:
| Most (but not all) free email providers now seem to require SMS verification to sign up for them these days.
| lxgr wrote:
| True, but at least you need an SMS-capable number only once (to sign up), and not every time you are trying to authenticate to some "secure" website.
| ta988 wrote:
| Most companies use that because, together with credit card numbers, it's an excellent way to track people's opinions and whereabouts.
| ranger_danger wrote:
| Where does it say how the actual phishing message itself is easy to send? I see no explanation there. How does one send a message with a different SenderID?
| permo-w wrote:
| In the same vein, email providers need to stop unverified email senders setting their own identifiers. If it's not from an email I've interacted with before, show me the email address itself and nothing else.
|
| There's really no good reason for the automatic contactification of email addresses. If I want someone's emails to be marked as being from John Smith, I will do that myself. If Amazon or some known company is sending me an email, I do not care; identify the sender as the email address it was sent from.
| blobbers wrote:
| Super interesting. I've been getting increasingly intense phishing stuff related to Citi bank credentials (my account was hacked, verify my credentials on a shady Citi site) as well as an AT&T bill being paid (collect my prize for paying my bill).
|
| They haven't managed to hijack an actual sender though, and their domain names still look slightly shady because they're things like citi01.
|
| The AT&T one is HTML-wrapped so I can't even click the link without seeing what it is (and don't want to, because maybe there is some exploit that launches an app that does something? Am I too paranoid?)
| chrismarlow9 wrote:
| Not too paranoid. Don't click anything.
___________________________________________________________________ (page generated 2022-06-24 23:00 UTC)