Big problems using two-factor cellphone authentication.

Archived From: Finance
Keep checking your smartphone to make sure nobody ported away your number. Can you tell your cellphone carrier not to accept any port request to prevent this?

Link: http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-st...

Most Recent Posts
I prefer to use my own domain for email.  That way I can move it to whatever host I want.  I also like to encrypt any se... (more)

giqcass (Dec. 23, 2016 @ 12:45a) |

Just a kneejerk reaction. You're not liable for any fraud on a Paypal account. And good luck doing any business on eBay ... (more)

atikovi (Dec. 23, 2016 @ 8:39a) |

I stopped selling on eBay after bogus claims from buyers and don't buy much on eBay these days.
But if I need to can alwa... (more)

marcopolomle (Dec. 23, 2016 @ 10:27a) |


You sure can, just call them and put a "note" on your account not to port. You can also have a password added to your account to prevent this from happening!

Nothing is 100%. I had 2FA on one of my CC accounts and the thief who stole my personal info was still able to convince the operator to change my online ID/PW. Still, having 2FA is better than not having it.

Where possible for 2FA that uses SMS, I register my Google Voice number and not my cell number. Much more convenient since I can have the SMS sent to email as well as get the SMS on my phone, for the times my cell phone is all the way on the other side of the room on the charger and I am on my laptop.

I know GV works with Vanguard, Ally, Chase, etc just fine for SMS 2FA.

That's why it's also important to have a strong password too.

Most sites offer an authenticator app and Google Authenticator works with many of them or invest in a security key.

But maybe it's time for a 3FA.

AverageGuy09 said:   Where possible for 2FA that uses SMS, I register my Google Voice number and not my cell number. Much more convenient since I can have the SMS sent to email as well as get the SMS on my phone, for the times my cell phone is all the way on the other side of the room on the charger and I am on my laptop.

I know GV works with Vanguard, Ally, Chase, etc just fine for SMS 2FA.

  I think that's a recipe for disaster since it's much easier to hack an email account unless you are also protecting it with a 2FA.

pinballbob said:   You sure can, just call them and put a "note" on your account not to port. You can also have a password added to your account to prevent this from happening!
Exactly, T-Mobile will not port your number unless you have answered the security Qs and the PIN associated with that number.

marcopolomle said:   
pinballbob said:   You sure can, just call them and put a "note" on your account not to port. You can also have a password added to your account to prevent this from happening!
Exactly, T-Mobile will not port your number unless you have answered the security Qs and the PIN associated with that number.

  I thought the article said that the person from Columbia had their T-Mo number ported over to some other co.?

What are you guys talking about? Adblock-friendly link?

If you are going to use SMS 2FA you need to be smart about it:

1. Do not use the number that you hand out to people as the SMS authentication number. If someone *knows* that your phone number is used for 2FA then it is possible for them to mount an attack on you.
2. Put an account lock on your account at your phone carrier. AT&T has it. I would be highly surprised if VZ, TMO and Sprint did not have it.

3. Consider using 2FA authenticators instead of SMS; however, should you do that, you have to make sure to either use services that support multiple 2FA authenticators or that provide you the ability to download one-time recovery codes. Of course you would need to put a backup authenticator or the recovery codes into places that you have access to. Otherwise, should you lose your phone, you won't have the ability to regain access to your account.
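As an added illustration of point 3 (this is example code written for this page, not code from the thread or from any service named in it), the block below shows what an authenticator app actually computes (RFC 6238 TOTP over a shared secret, so two devices enrolled with the same secret agree without any SMS) and how a service can issue single-use recovery codes as the backup the post asks for: shown once, stored only as salted hashes, and consumed on use. The 20-byte secret is the RFC 6238 test vector, used here as constructed input.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def current_totp(secret: bytes) -> str:
    """What the app on the phone displays right now (wall clock, not a server round-trip)."""
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift; constant-time compare."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            return True
    return False


class RecoveryCodes:
    """Backup codes for when the phone is lost: each works exactly once.

    The plaintext list exists only so it can be shown to the user at enrolment;
    a real service would render it and drop it, keeping just the salted hashes.
    """

    def __init__(self, count: int = 8):
        self.salt = secrets.token_bytes(16)
        self._hashes = set()
        self.plaintext = []
        for _ in range(count):
            code = secrets.token_hex(5)  # 10 hex chars = 40 bits per code (constructed format)
            self.plaintext.append(code)
            self._hashes.add(self._hash(code))

    def _hash(self, code: str) -> bytes:
        # Slow, salted hash so a leaked database does not yield usable codes.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        """Accept a code once; a second use of the same code fails."""
        h = self._hash(code.strip().lower())
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed input
    print("code at t=59:", totp(secret, 59))  # 287082 per RFC 6238 (6-digit tail of 94287082)
    codes = RecoveryCodes(count=4)
    print("recovery codes (show once):", codes.plaintext)
    print("first use:", codes.redeem(codes.plaintext[0]), "second use:", codes.redeem(codes.plaintext[0]))
```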

marcopolomle said:   
AverageGuy09 said:   Where possible for 2FA that uses SMS, I register my Google Voice number and not my cell number. Much more convenient since I can have the SMS sent to email as well as get the SMS on my phone, for the times my cell phone is all the way on the other side of the room on the charger and I am on my laptop.

I know GV works with Vanguard, Ally, Chase, etc just fine for SMS 2FA.

  I think that's a recipe for disaster since it's much easier to hack an email account unless you are also protecting it with a 2FA.

  Agreed - the cell phone port is such a corner-case extreme vs. the email hack that you're being silly.  I've had issues with some company SMS NOT working with GV as well.

https://www.authy.com/blog/do-not-use-your-google-voice-number-f...

 

ZenNUTS said:   Nothing is 100%. I had 2FA on one of my CC accounts and the thief who stole my personal info was still able to convince the operator to change my online ID/PW. Still, having 2FA is better than not having it.
Most likely the thief had all your personal info.

that's the backup plan when 2FA has failed or the phone is broken or something else.
 

marcopolomle said:   
AverageGuy09 said:   Where possible for 2FA that uses SMS, I register my Google Voice number and not my cell number. Much more convenient since I can have the SMS sent to email as well as get the SMS on my phone, for the times my cell phone is all the way on the other side of the room on the charger and I am on my laptop.

I know GV works with Vanguard, Ally, Chase, etc just fine for SMS 2FA.

  I think that's a recipe for disaster since it's much easier to hack an email account unless you are also protecting it with a 2FA.
 

My email account is controlled with a 25+ character password and Google Authenticator.
 

juliox said:   
marcopolomle said:   
AverageGuy09 said:   Where possible for 2FA that uses SMS, I register my Google Voice number and not my cell number. Much more convenient since I can have the SMS sent to email as well as get the SMS on my phone, for the times my cell phone is all the way on the other side of the room on the charger and I am on my laptop.

I know GV works with Vanguard, Ally, Chase, etc just fine for SMS 2FA.

  I think that's a recipe for disaster since it's much easier to hack an email account unless you are also protecting it with a 2FA.

  Agreed - the cell phone port is such a corner-case extreme vs. the email hack that you're being silly.  I've had issues with some company SMS NOT working with GV as well.

https://www.authy.com/blog/do-not-use-your-google-voice-number-for-two-factor-authentication

 

  Uh, sure, if you're going to install non-trusted browser extensions you get what you deserve. It's like I tell my 70-year-old mother-in-law: if you keep clicking on every pop-up on Facebook, you're going to keep getting viruses and adware on your computer.

    I've been using GV since it was Grand Central, both my email and Google accounts have supported 2FA for quite a while, and I use passwords that are very complicated to guess but easy for me to remember. I am about as worried someone will hack my email and/or Google account as I am that they will try and port my number from my provider to get my SMS codes. Both are possible, but there are a lot easier suckers to fleece than me. Either way, using GV as my registered SMS point is a lot more convenient and just as (if not more) secure, if you set things up correctly.

If you're really worried about your email getting hacked and your cell phone number ported out from under you, then set up a dedicated GV number with Google Authenticator that doesn't in any way forward to either your cell phone or email. Then you can log into the Google web site in an incognito tab to view the SMS message.

I've always worried about that. Especially when you have cross-device messaging where you receive texts on iPad, phone, etc.

AverageGuy09 said:   
juliox said:   
marcopolomle said:   
AverageGuy09 said:   Where possible for 2FA that uses SMS, I register my Google Voice number and not my cell number. Much more convenient since I can have the SMS sent to email as well as get the SMS on my phone, for the times my cell phone is all the way on the other side of the room on the charger and I am on my laptop.

I know GV works with Vanguard, Ally, Chase, etc just fine for SMS 2FA.

  I think that's a recipe for disaster since it's much easier to hack an email account unless you are also protecting it with a 2FA.

  Agreed - the cell phone port is such a corner-case extreme vs. the email hack that you're being silly.  I've had issues with some company SMS NOT working with GV as well.

https://www.authy.com/blog/do-not-use-your-google-voice-number-for-two-factor-authentication 

 

  Uh, sure, if you're going to install non-trusted browser extensions you get what you deserve. It's like I tell my 70-year-old mother-in-law: if you keep clicking on every pop-up on Facebook, you're going to keep getting viruses and adware on your computer.

    I've been using GV since it was Grand Central, both my email and Google accounts have supported 2FA for quite a while, and I use passwords that are very complicated to guess but easy for me to remember. I am about as worried someone will hack my email and/or Google account as I am that they will try and port my number from my provider to get my SMS codes. Both are possible, but there are a lot easier suckers to fleece than me. Either way, using GV as my registered SMS point is a lot more convenient and just as (if not more) secure, if you set things up correctly.

If you're really worried about your email getting hacked and your cell phone number ported out from under you, then set up a dedicated GV number with Google Authenticator that doesn't in any way forward to either your cell phone or email. Then you can log into the Google web site in an incognito tab to view the SMS message.

  
While you consider yourself quite technically savvy and may have taken all precautions to make it as safe as possible for YOU to use your google voice account as a 2FA number safely, anyone recommending the general non-technical public to do so is being irresponsible without mentioning all of the additionally required authentication measures to at least bring it back to par with having it sent to their cell phone.

Ecuadorgr said:   What are you guys talking about? Adblock-friendly link?
  
Wait 3 seconds, hit continue, close forbes window, reopen forbes window from original link - boom a forbes article that's adblockplus friendly.

-

Question: If my wireless carrier protects changes to information/porting and whatnot with a pin, I should be good right? And from what I read in the article, looks like they compromised his email address first thing after they ported the number; so if I have authenticator protecting the email, even if my number was ported away, I should be ok.

For millions of dollars' worth of bitcoins, he probably should've gone to extraordinary measures.

juliox said:   
AverageGuy09 said:   
juliox said:   
marcopolomle said:   
AverageGuy09 said:   Where possible for 2FA that uses SMS, I register my Google Voice number and not my cell number. Much more convenient since I can have the SMS sent to email as well as get the SMS on my phone, for the times my cell phone is all the way on the other side of the room on the charger and I am on my laptop.

I know GV works with Vanguard, Ally, Chase, etc just fine for SMS 2FA.

  I think that's a recipe for disaster since it's much easier to hack an email account unless you are also protecting it with a 2FA.

  Agreed - the cell phone port is such a corner-case extreme vs. the email hack that you're being silly.  I've had issues with some company SMS NOT working with GV as well.

https://www.authy.com/blog/do-not-use-your-google-voice-number-for-two-factor-authentication 

 

  Uh, sure, if you're going to install non-trusted browser extensions you get what you deserve. It's like I tell my 70-year-old mother-in-law: if you keep clicking on every pop-up on Facebook, you're going to keep getting viruses and adware on your computer.

    I've been using GV since it was Grand Central, both my email and Google accounts have supported 2FA for quite a while, and I use passwords that are very complicated to guess but easy for me to remember. I am about as worried someone will hack my email and/or Google account as I am that they will try and port my number from my provider to get my SMS codes. Both are possible, but there are a lot easier suckers to fleece than me. Either way, using GV as my registered SMS point is a lot more convenient and just as (if not more) secure, if you set things up correctly.

If you're really worried about your email getting hacked and your cell phone number ported out from under you, then set up a dedicated GV number with Google Authenticator that doesn't in any way forward to either your cell phone or email. Then you can log into the Google web site in an incognito tab to view the SMS message.

  
While you consider yourself quite technically savvy and may have taken all precautions to make it as safe as possible for YOU to use your google voice account as a 2FA number safely, anyone recommending the general non-technical public to do so is being irresponsible without mentioning all of the additionally required authentication measures to at least bring it back to par with having it sent to their cell phone.

Considering that Google recently blocked all Gmail accounts that were related to accounts that violated the TOS on *buying* the Google Pixel, including if such an account was used as an alternative account for an account in the first sweep, and kept them in that state until public pressure on Google by the *press* forced them to unblock them, I find anyone who uses a Google X service as the key for recovery to be rather naive.

Don't ever use SMS as 2FA, use an app. If a hacker ported your number using social engineering, they won't get the key through SMS without some work.

AverageGuy09 said:   My email account is controlled with a 25+ character password
 

  I hate using an 11 character PW. A 25 character one would drive me insane every time I have to log on to my email. Why can't they develop an alternative to passwords already? Iris recognition, fingerprint detection, voice scan, DNA sample, would be better.

atikovi said:   AverageGuy09 said:   My email account is controlled with a 25+ character password

  I hate using an 11 character PW. A 25 character one would drive me insane every time I have to log on to my email. Why can't they develop an alternative to passwords already? Iris recognition, fingerprint detection, voice scan, DNA sample, would be better.

None of those prove you are who you say you are. Voice can be recorded and played back, you leave fingerprints and DNA everywhere you go, and in general there's no point going anywhere if your eyes are closed (and when open, photos can be taken of face/eyes). All of those are constantly available. That's why they only work as a secondary factor for authentication. A password (at least with current technology) cannot be externally read from outside your head. It CAN be observed or intercepted when you enter it -- but that's where 2 factor with a cryptographic device comes in.

With any real 2 factor, one must obtain both your password AND gain physical possession of the secondary device. "Security questions" (which are really just a secondary, much weaker password, so it's still the same first factor) and SMS messages are mainly not there for any security purposes; they're there to reduce customer service overhead when people forget their passwords and to provide the appearance of enhanced security. (SMS still provides some marginal fraud deterrent currently in some cases, even with the inherent drawbacks like ported numbers or cloned SIM cards. But there are so many holes even before going into the "stolen cellphone" scenario, where even a dumb criminal will immediately see all the stored text messages, likely revealing which banks/accounts are set up with the phone, and can have credentials reset by SMS without having to randomly try.)

Bend3r said:   and in general there's no point going anywhere if your eyes are closed (and when open, photos can be taken of face/eyes).
 


Don't some of the most secure government installations use eye scans to get you through the door? If it's good enough for them...

atikovi said:   AverageGuy09 said:   My email account is controlled with a 25+ character password

  I hate using an 11 character PW. A 25 character one would drive me insane every time I have to log on to my email. Why can't they develop an alternative to passwords already? Iris recognition, fingerprint detection, voice scan, DNA sample, would be better.


Iris recognition: The bad guys will gouge out your eyes and use them.

Finger print recognition: The bad guys will cut off your fingers and use them.

Voice scan: The bad guys will strangle you and then remove your vocal cords.

DNA recognition: You might survive the bad guys without crippling injury if all they want is a drop of blood.

100FA: People will go back to snail mail and using bank tellers.

I will though call my cell provider tomorrow and tell them not to accept port outs. With that factor being the keys to the kingdom with many providers, banks, etc., it needs to really be secure.

But what if they want a stool sample?

atikovi said:   Bend3r said:   and in general there's no point going anywhere if your eyes are closed (and when open, photos can be taken of face/eyes).
 


Don't some of the most secure government installations use eye scans to get you through the door? If it's good enough for them...

Yes, each personal PC and cell phone will now have a $100k iris scanner.... great solution. (Yes, I just arbitrarily picked the number here.) And distributing them to consumers won't make them easier to study/hack/defeat either.

Example is also not very reasonable. No secure government installation has a biometric scan as the ONLY method of security. If there's armed guards or cameras watching you so you don't break into the device or hold a photo/3d print of fingerprint/etc, that should be obviously recognized as not the same as a smartphone or PC in a nefarious party's location of their own choosing. The discussion here is not about presenting yourself to a security guard to enter a building, it's about securely accessing accounts over the public Internet.

If there's biometric PLUS a badge scan (the badge has a chip in it and likely a challenge/response so it should not be duplicable), that's using it as part of two factor (or multi factor) authentication. Biometrics do work as a supplement to passwords or possession of an additional security device.

You seem to know an awful lot about the subject. Did you work for KAOS?

burgerwars said:   
atikovi said:   
AverageGuy09 said:   My email account is controlled with a 25+ character password
  I hate using an 11 character PW. A 25 character one would drive me insane every time I have to log on to my email. Why can't they develop an alternative to passwords already? Iris recognition, fingerprint detection, voice scan, DNA sample, would be better.


Iris recognition: The bad guys will gouge out your eyes and use them.

Finger print recognition: The bad guys will cut off your fingers and use them.

Voice scan: The bad guys will strangle you and then remove your vocal cords.

DNA recognition: You might survive the bad guys without crippling injury if all they want is a drop of blood.

100FA: People will go back to snail mail and using bank tellers.

I will though call my cell provider tomorrow and tell them not to accept port outs. With that factor being the keys to the kingdom with many providers, banks, etc., it needs to really be secure.

  They're also not something you can change once compromised. Bruce Schneier has written a lot about it.

atikovi said:   But what if they want a stool sample?

If they pull that crap, I'm switching banks.

burgerwars said:   
Finger print recognition: The bad guys will cut off your fingers and use them.

Voice scan: The bad guys will strangle you and then remove your vocal cords.

DNA recognition: You might survive the bad guys without crippling injury if all they want is a drop of blood.

100FA: People will go back to snail mail and using bank tellers.

You don't need a finger for finger scanners. You just need a capture of the print from any surface, then print it on paper or 3D print it on rubber and wet it.

Voice is just audio... no need for vocal cords.

DNA is not just in blood.

WTF are you all talking about? Will this work on Ringplus?

I use a land line for 2FA, is that less susceptible to porting? Is there a way to lock down my number?

tenben said:   I use a land line for 2FA, is that less susceptible to porting? Is there a way to lock down my number?

Good question. Entering a number from an audio message I also use. Porting home numbers to cellphones can usually be done. Bro recently ported his to a T-Mobile prepaid cellphone, just for the purpose of saving it when he moved. Cellphone to cellphone company ports are usually quick. Less than an hour. Landline to cellphone can take several days.

Even on sites where I used Google Authenticator, when my phone died and I was setting up GA on a new phone, I think the sites (at least some of them) used SMS as a backup.  (Though, that might've required my password, vs. maybe if someone was only using SMS, the password could be reset using SMS.)

The part of the story about hackers taking bitcoin from his encrypted hard drive seems weird to me; how is that related to online service 2FA being hacked?  It sounds like someone hacked into his local computer.  Does Windows 10 let someone access your desktop remotely if they know your Windows Live password?  Or maybe his computer was hacked already, but the hacker was able to decrypt the hard drive somehow after accessing his Microsoft 2FA.
And I'm surprised that he would plug a hard drive containing millions of dollars of bitcoin on it to an internet-connected computer (vs. using an air-gapped computer to sign a transaction).  But maybe it's just his "lost it in a boating accident" story.

juliox said:    
While you consider yourself quite technically savvy and may have taken all precautions to make it as safe as possible for YOU to use your google voice account as a 2FA number safely, anyone recommending the general non-technical public to do so is being irresponsible without mentioning all of the additionally required authentication measures to at least bring it back to par with having it sent to their cell phone.


I'm not recommending the non-technical public do anything.  This is FWF right?  Not some random Yahoo groups board or reddit forum.

Let's face it.  If FWF members reading this thread have financial accounts and internet access to them and are not learning about and doing EVERYTHING they can to secure said accounts, then well...

I stand behind my statement.  If you're truly worried about someone social engineering your Cell Phone number out from under you by going into a local store or calling the support center and telling them a nice story about how your phone was crushed by an elephant on your recent trip to the zoo (or some other sob story) and you need to get it moved to a new SIM card, then use Google Voice or use a financial services firm that uses a full 2FA app or physical token (Like Fidelity does with Symantec VIP) and not one that uses SMS (like Vanguard, Ally, etc do).

Every decision we make as humans is a trade off between security and convenience, even if we don't think about or understand the ramifications of that decision when we make it.  I don't see why Internet security would be any different.  If you just follow the advice of an AverageGuy you saw posted online, without fully understanding what you're doing, well, you can't fix stupid.

atikovi said:   
Bend3r said:   and in general there's no point going anywhere if your eyes are closed (and when open, photos can be taken of face/eyes).

Don't some of the most secure government installations use eye scans to get you through the door? If it's good enough for them...

  Haha, right. No. It's not like you see in the movies. Most government installations, even "secret" ones, just use a PIV (Civilian) or CAC (Military) card, which is basically a smart card with an embedded SSL certificate, along with a copy of your fingerprint; each card is programmed with an 8-12 digit PIN that only the card user knows. If the PIN is entered incorrectly 5 times, the card bricks and can only be reset at specific federal site locations. The cards also have physical security fail-safes to prevent forcibly (cutting open the card and soldering on your own connections) removing the SSL certificate private key from the card. That is the NIST 800 guidelines used by most Federal Employees and Contractors for facility, system and VPN access.

atikovi said:   
AverageGuy09 said:   My email account is controlled with a 25+ character password
  I hate using an 11 character PW. A 25 character one would drive me insane every time I have to log on to my email.
 

Security or convenience, take your pick.

AverageGuy09 said:   atikovi said:   
AverageGuy09 said:   My email account is controlled with a 25+ character password
  I hate using an 11 character PW. A 25 character one would drive me insane every time I have to log on to my email.
 

Security or convenience, take your pick.

Actually the more characters can offer both. Some people prefer constructing passwords with a few English words rather than 11 gibberish letters/symbols/numbers. You can't really fit three or more words into 11 characters very easily.

EvilCapitalist said:   Considering that Google recently blocked all Gmail accounts that were related to accounts that violated the TOS on *buying* the Google Pixel, including if such an account was used as an alternative account for an account in the first sweep, and kept them in that state until public pressure on Google by the *press* forced them to unblock them, I find anyone who uses a Google X service as the key for recovery to be rather naive.
 

Then use some service other than Google. Most sites that support Google Authenticator also support YubiKey, Duo or some other 2FA token based solution that is commercially (i.e. not free to the end user) available. Google Authenticator is just the easiest because the app/program is free on all major devices and you can set it up on multiple systems (Phone, Tablet, Computer) with the same shared key. Security vs. Convenience.

Me, personally, I have no intentions of directly violating Google's T&Cs like the Pixel sellers you reference did, so I am not too worried about Google just shutting off my account for no reason. Even so, I don't 100% rely on Google. My Drive data is automatically replicated to Dropbox, my email is not at Gmail and I keep a set of one time passwords for all the major services I use on a hard copy printout in my fire safe, just in case that EMP device my neighbour keeps talking about building from the plans he saw on the Internet comes to fruition.

Skipping 12 Messages...
atikovi said:   
marcopolomle said:   
ZenNUTS said:   Krebs' PP account got compromised despite having a physical 2FA token:

https://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-the-norm/ 

Sometimes I feel like I'm living in the wild west of the digital age.

What an eyeopener.
I'm closing my PayPal account(s) after knowing this. 

  Just a kneejerk reaction. You're not liable for any fraud on a Paypal account. And good luck doing any business on eBay without it.

I stopped selling on eBay after bogus claims from buyers and don't buy much on eBay these days.
But if I need to can always use my credit card.
I don't want Feds knocking down my door at 3 AM because my PayPal account was hacked and used for money laundering to fund IS.


