Security leapfrogging

Let'sgoflying! (display name: Dave Taylor), west Texas, joined Feb 23, 2005
Now whenever I access my bank or even HomeDepot's site I am sent a text code to (help to) verify it's me.
I got to wondering where we are with this security tool; has it been defeated already? (ref: leapfrogging)
Are there steps consumers are advised to use, to prevent misuse of it (other than losing your phone, or leaving it unpassworded)?
 
Simply adding a PIN in addition to a password would be a vast improvement that would require no additional hardware, no assumption that the user owns a smartphone (few of which are actually secure or private because of all the ****ty spyware apps people love to install on them), no reliance on cellular technology (which comes with its own set of vulnerabilities), and no dependence on having a cell signal.

Using both a strong password and a PIN increases the difficulty of guessing or brute-forcing by a factor of as much as 10,000, depending on which PIN combinations are forbidden. If the password and PIN are salted, hashed, and stored in separate databases, I expect that the effective protection would be superior to any TFA method other than a hardware token.

Rich
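The storage scheme Rich describes (password and PIN each salted and hashed, kept in separate databases, with a deny-list shrinking the PIN space below 10,000) can be sketched in a few lines. This is an added example, not code from the thread or from any site it mentions; the PBKDF2 iteration count, the forbidden-PIN list and the two in-memory dictionaries standing in for two databases are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256. Kept modest so the demo runs quickly;
# a production deployment would use a much higher count (assumption, not from the thread).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Two separate in-memory stores standing in for the two separate databases the post describes.
# A breach of one store yields neither the other secret nor the salt that protects it.
password_store: dict[str, tuple[bytes, bytes]] = {}
pin_store: dict[str, tuple[bytes, bytes]] = {}

# Constructed deny-list of 4-digit PINs a site might forbid (examples only).
FORBIDDEN_PINS = frozenset({
    "0000", "1111", "2222", "3333", "4444", "5555", "6666", "7777", "8888", "9999",
    "1234", "4321", "0123", "2580", "1212",
})

# Dummy record used for unknown users so a lookup miss costs the same as a hit.
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)


def pin_search_space(forbidden=FORBIDDEN_PINS) -> int:
    """Number of 4-digit PINs a guesser must cover: 10,000 minus the forbidden ones."""
    return 10_000 - len(forbidden)


def is_acceptable_pin(pin: str, forbidden=FORBIDDEN_PINS) -> bool:
    return len(pin) == 4 and pin.isdigit() and pin not in forbidden


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(user: str, password: str, pin: str) -> None:
    """Salt and hash the password and the PIN independently; keep them in separate stores."""
    if not is_acceptable_pin(pin):
        raise ValueError("PIN rejected: must be 4 digits and not on the forbidden list")
    pw_salt, pin_salt = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    password_store[user] = (pw_salt, _derive(password, pw_salt))
    pin_store[user] = (pin_salt, _derive(pin, pin_salt))


def verify(user: str, password: str, pin: str) -> bool:
    """Check both factors. Both derivations and both comparisons always run, so a wrong
    password and a wrong PIN cost the same time and the caller learns only pass/fail."""
    pw_salt, pw_hash = password_store.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    pin_salt, pin_hash = pin_store.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    pw_ok = hmac.compare_digest(_derive(password, pw_salt), pw_hash)
    pin_ok = hmac.compare_digest(_derive(pin, pin_salt), pin_hash)
    known = user in password_store and user in pin_store
    return known and pw_ok and pin_ok
```

The point of the separate salts is that a dump of one store gives no shortcut into the other, and `verify` deliberately evaluates both factors before answering so that the response time does not reveal which one was wrong. A real deployment would add rate limiting on top, since a 4-digit PIN only buys its factor of up to 10,000 if online guessing is throttled.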
 
Hey, how are SIM cards being accessed?

The most common way is by social-engineering the carrier's agent with a contrived story about the SIM card or phone having been lost or damaged. It's not too difficult for a scammer to convince the agent that they're you because all of your PII is in the wild due to the various breaches that have occurred in the past few years (especially the Equifax breach and the IRS "Get Transcript" scam).

The most common verification method used by mobile providers is the last four digits of your SSN (another practice that should be outlawed), which almost certainly is freely available on the dark web if you've ever had credit, had a security clearance, worked for the federal government, or filed a tax return.

The fact that a lot of call center work is being farmed out to third-world countries where the agent probably doesn't like you very much anyway and just wants to get you off the phone makes it that much easier to scam the agent. Once the scammer convinces the carrier that they're you, they request a "SIM swap" to the new SIM card they already have in their possession.

This is another reason why I take a dim view of TFA methods that rely on anything having to do with cell phones. It just introduces another vulnerability.

Rich
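From the defender's side, the sequence Rich describes (SIM swapped at the carrier, then SMS codes used to reset a password or move money) is detectable as a pattern: sensitive actions proven only by an SMS code, shortly after the number on file moved to a new SIM. The following correlation is an added example, not code from the thread or from any carrier or bank; the log format, the event names, the 72-hour window and the assumption that the service receives a `sim_changed` notice for the phone number on file are all constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real events). Assumption: the service records a
# "sim_changed" event when it learns the phone number on file moved to a new SIM,
# alongside its own authentication and account-change events.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z user=alice event=login_success
2024-03-02T14:10:00Z user=bob event=sim_changed
2024-03-02T14:25:00Z user=bob event=sms_otp_sent
2024-03-02T14:27:00Z user=bob event=password_reset
2024-03-02T14:40:00Z user=bob event=payee_added
2024-03-05T08:00:00Z user=carol event=sim_changed
2024-03-09T10:00:00Z user=carol event=sms_otp_sent
"""

# Actions that are risky when the only proof is an SMS code a swapped SIM now receives.
SENSITIVE_EVENTS = frozenset({"sms_otp_sent", "password_reset", "payee_added"})
# How long after a SIM change such actions stay suspicious (assumed policy value, in hours).
SUSPECT_WINDOW_HOURS = 72.0


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Parse '<iso-timestamp> user=<name> event=<name>' into (timestamp, user, event)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"]


def flag_post_swap_actions(log_text: str, window_hours: float = SUSPECT_WINDOW_HOURS):
    """Return (user, event, timestamp) for every sensitive event that follows that user's
    most recent SIM change within the window. Events are processed in time order so a
    swap only taints actions that come after it."""
    window = timedelta(hours=window_hours)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    last_swap: dict[str, datetime] = {}
    flagged = []
    for ts, user, event in events:
        if event == "sim_changed":
            last_swap[user] = ts
        elif event in SENSITIVE_EVENTS and user in last_swap and ts - last_swap[user] <= window:
            flagged.append((user, event, ts))
    return flagged
```

On the constructed sample, every one of bob's actions in the half hour after his SIM change is flagged, while carol's SMS code a week after hers is not. A flagged password reset or new payee is the place to require a stronger second factor, or a manual review, instead of trusting the SMS code alone.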
 
The most common verification method used by mobile providers is the last four digits of your SSN (another practice that should be outlawed), which almost certainly is freely available on the dark web if you've ever had credit, had a security clearance, worked for the federal government, or filed a tax return.

Or all 4. Ouch!
 