Security leapfrogging

Discussion in 'Technical Corner' started by Let'sgoflying!, Mar 30, 2019.

  1. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,132
    Location:
    west Texas
    Display name:
    Dave Taylor
    Now whenever I access my bank or even HomeDepot's site I am sent a text code to (help to) verify it's me.
    I got to wondering where we are with this security tool; has it been defeated already? (ref: leapfrogging)
    Are there steps consumers are advised to use, to prevent misuse of it (other than losing your phone, or leaving it unpassworded)?
     
  2. Challenged

    Challenged Pattern Altitude

    Joined:
    Apr 4, 2011
    Messages:
    1,728
    Location:
    Louisiana
    Display name:
    Challenged
    Last edited: Mar 31, 2019
  3. Let'sgoflying!
    As I feared; thanks.
     
  4. Let'sgoflying!
    Hey, how are SIM cards being accessed?
     
  5. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,799
    Display name:
    Geek On The Hill
    Simply adding a PIN in addition to a password would be a vast improvement that would require no additional hardware, no assumption that the user owns a smartphone (few of which are actually secure or private because of all the ****ty spyware apps people love to install on them), no reliance on cellular technology (which comes with its own set of vulnerabilities), and no dependence on having a cell signal.

    Using both a strong password and a PIN increases the difficulty of guessing or brute-forcing by a factor of as much as 10,000, depending on which PIN combinations are forbidden. If the password and PIN are salted, hashed, and stored in separate databases, I expect that the effective protection would be superior to any TFA method other than a hardware token.

    Rich
     
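    As an added illustration of the password-plus-PIN design described in the post above (example code, not from the thread or its authors): each factor is salted and hashed separately into its own store, and both are checked on every attempt. It assumes PBKDF2 with an arbitrary work factor and a constructed block list of forbidden PINs; the 10,000x multiplier only holds for online, rate-limited guessing, since a 4-digit PIN hash on its own is exhausted in at most 10,000 offline guesses.

```python
# Added example: password + PIN verifier with each secret salted, hashed and kept
# in its own store (in-memory stand-ins for two separate databases).
# Assumptions: PBKDF2-HMAC-SHA256, an arbitrary work factor, a constructed block list.
import hashlib
import hmac
import os

ITERATIONS = 200_000                                 # assumed work factor
FORBIDDEN_PINS = {"0000", "1111", "1234", "2580"}    # constructed sample block list

password_store: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
pin_store: dict[str, tuple[bytes, bytes]] = {}       # user -> (salt, hash)


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def enroll(user: str, password: str, pin: str) -> None:
    """Salt and hash password and PIN independently; reject weak PINs."""
    if len(pin) != 4 or not pin.isdigit() or pin in FORBIDDEN_PINS:
        raise ValueError("PIN must be 4 digits and not on the block list")
    pw_salt, pin_salt = os.urandom(16), os.urandom(16)
    password_store[user] = (pw_salt, _derive(password, pw_salt))
    pin_store[user] = (pin_salt, _derive(pin, pin_salt))


def verify(user: str, password: str, pin: str) -> bool:
    """Check both factors; evaluate both so timing does not reveal which failed."""
    pw_rec = password_store.get(user)
    pin_rec = pin_store.get(user)
    if pw_rec is None or pin_rec is None:
        return False
    pw_ok = hmac.compare_digest(_derive(password, pw_rec[0]), pw_rec[1])
    pin_ok = hmac.compare_digest(_derive(pin, pin_rec[0]), pin_rec[1])
    return pw_ok and pin_ok


def pin_multiplier() -> int:
    """Extra guesses a 4-digit PIN adds per password guess, net of forbidden PINs."""
    return 10_000 - len(FORBIDDEN_PINS)
```

The multiplier is a bound on online guessing only; the server must still rate-limit or lock out after a handful of failed attempts for it to matter.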
  6. RJM62
    The most common way is by social-engineering the carrier's agent with a contrived story about the SIM card or phone having been lost or damaged. It's not too difficult for a scammer to convince the agent that they're you because all of your PII is in the wild due to the various breaches that have occurred in the past few years (especially the Equifax breach and the IRS "Get Transcript" scam).

    The most common verification method used by mobile providers is the last four digits of your SSN (another practice that should be outlawed), which almost certainly is freely available on the dark web if you've ever had credit, had a security clearance, worked for the federal government, or filed a tax return.

    The fact that a lot of call center work is being farmed out to third-world countries where the agent probably doesn't like you very much anyway and just wants to get you off the phone makes it that much easier to scam the agent. Once the scammer convinces the carrier that they're you, they request a "SIM swap" to the new SIM card they already have in their possession.

    This is another reason why I take a dim view of TFA methods that rely on anything having to do with cell phones. It just introduces another vulnerability.

    Rich
     
    Last edited: Apr 1, 2019
  7. Ghery

    Ghery Final Approach

    Joined:
    Feb 25, 2005
    Messages:
    9,814
    Location:
    Olympia, Washington
    Display name:
    Ghery Pettit
    Or all 4. Ouch!
     