this post was submitted on 16 Sep 2023
-10 points (43.6% liked)

Memes

45629 readers
1163 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 
  • fucking annoying
  • can't believe they sold people that it's BETTER to have to get your phone out to login
  • incredibly annoying
  • if you're using this willfully you're clearly just as worried about security as before anyway
  • companies love having real phone numbers to pair with 'their' data
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 1 year ago (1 children)

Phone numbers can be spoofed and calls can be redirected. Or, even better, conditional call forwarding is supported by most carriers. It can be set up and you’ll never know. Then they get the phone call and not you

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

and smart phones can be hacked. the point of two factor is they have to control both parts.

[–] [email protected] 1 points 1 year ago (1 children)

Right but the point they're making is it's a lot easier for a third party to intercept a code that has to be sent to you than it is for them to get the code from an authenticator app since they're generated on your device. At that point you pretty much need physical access to the phone.

[–] [email protected] 1 points 1 year ago (1 children)

im osrry so a hacked device would not show the authenticator code? I really don't see the difference here. Again its not each bit being so un breachable as much as they would have to have to breach both parts. I really don't think its taht easy to redirect all the calls that are supposed to go to my phone.

[–] [email protected] 1 points 1 year ago (1 children)

One is much easier to accomplish than the other and doesn't give the target the same chance to realize something is going on.

[–] [email protected] 1 points 1 year ago (1 children)

I don't think thats necessarily true. If diverting phonecalls were so easy there are a bunch of reasons outside of two factor attacks that it would be used for.

[–] [email protected] 1 points 1 year ago (1 children)

There actually are lots of things it's been used for in addition to stealing 2FA codes. SMS based 2FA is better than no 2FA at all, but it's insecure and not recommended to be used when dedicated authenticators are available instead. The NIST has warned against their use since 2016.

[–] [email protected] 1 points 1 year ago (2 children)

you seem to be limiting it to sms. you do realize your talking to a person who mentioned microsofts option to call you and you hit pound. They actually have an app where you input a two digit number and if anything I would have liked them to expand the phone call function with that. Anyway I was not speaking about sms but I still feel the vulnerabilities are overblown when used with a good password.

[–] [email protected] 1 points 1 year ago (1 children)

That's semantics, the same insecurities apply to all telephone based methods. I personally wouldn't want my phone company's customer service to play any role in my online security. Even Microsoft wants people to stop using them.

[–] [email protected] 1 points 1 year ago (1 children)

yes microsoft was the one I was complaining about but you can't redirect phone calls in the same way as sms and sms itself is mostly vulnerable due to legacy things that they could stop using and finally that article was not just 2 factor but bringing in using sms for a password reset which is really insecure but unrelated to 2factor. 2factor will always be safer than non 2 factor because more has to be done than just the one side.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

You can, the concern here is with people, not the specifications of SMS. People can be social engineered to give control of your phone number to someone else. It's happened before, it's not a hypothetical, and it's why security experts advise against using phone based methods.

[–] [email protected] 1 points 1 year ago

Im pretty sure that you would realize something was wrong with your phone then and its useless to them 2factor wise unless they have your password.