Fidelity 2-Factor authentication fail...
Fidelity uses Symantec VIP Access on a cell phone for 2-factor authentication, and I've got it turned on.
I replaced my phone last month and logging in failed, apparently because a new cell phone gets a new copy of the cellphone security app. So I called Fidelity on the phone. I got access to my account using only my account userid and password, no other challenge. I explained that I had a new cell phone. The CSR changed Fidelity's 2-factor info to match my new phone, and I was able to log in.
So much for Fidelity 2-factor authentication. At Fidelity, if you have username and password, but NOT the 2nd identity device, a Fidelity rep will be happy to reset the system to let you in. Is this really how 2-factor authentication is supposed to work? It took less than 5 minutes on the phone to bypass the 2-factor login failure.
- Phineas J. Whoopee
- Posts: 9675
- Joined: Sun Dec 18, 2011 5:18 pm
Re: Fidelity 2-Factor authentication fail...
Not too good, but if I may say so, not too surprising, either. There's always a tradeoff between security and convenience. Many service providers compromise the first to facilitate the second.
Thanks for the report.
For the record, I have the Schwab VPN token, and their instructions say that if the token fails, or is lost, to phone them. I've not tried it, but no doubt they'll rely on what I know. One factor. I'm still happier to have the token than not. It makes me more time-consuming to attack, kind of like a door lock.
PJW
Re: Fidelity 2-Factor authentication fail...
Z9yajAg wrote:
Fidelity uses Symantec VIP Access on a cell phone for 2-factor authentication, and I've got it turned on.
I replaced my phone last month and logging in failed, apparently because a new cell phone gets a new copy of the cellphone security app. So I called Fidelity on the phone. I got access to my account using only my account userid and password, no other challenge. I explained that I had a new cell phone. The CSR changed Fidelity's 2-factor info to match my new phone, and I was able to log in.
So much for Fidelity 2-factor authentication. At Fidelity, if you have username and password, but NOT the 2nd identity device, a Fidelity rep will be happy to reset the system to let you in. Is this really how 2-factor authentication is supposed to work? It took less than 5 minutes on the phone to bypass the 2-factor login failure.

Interesting. I bet you actually provided the CSR authentication info other than your userid and password. When the rep answered the phone, did he/she really ask immediately for your web userid and password, but not your name, address, etc.? Also, the CSR can tell what phone number you're calling from. If it's the home phone in your records, that's a powerful piece of authentication info.
- Archie Sinclair
- Posts: 413
- Joined: Sun Mar 06, 2011 1:03 am
Re: Fidelity 2-Factor authentication fail...
I suspect that thieves who steal lots of electronic login information are not interested in calling Fidelity separately for each account and pretending to be that individual. If you're a Russian hacker, how many fake American voices can you mimic, and how soon would Fidelity catch on? Once you break into the account, what exactly can you do to steal money? Fidelity probably looks at its internal data on security breaches and knows that this is rare.
- Phineas J. Whoopee
- Posts: 9675
- Joined: Sun Dec 18, 2011 5:18 pm
Re: Fidelity 2-Factor authentication fail...
Archie Sinclair wrote:
... If you're a Russian hacker, how many fake American voices can you mimic, and how soon would Fidelity catch on? Once you break into the account, what exactly can you do to steal money? Fidelity probably looks at its internal data on security breaches and knows that this is rare.

Although I agree with your main point, I suspect "Russian hacker"s are perfectly capable of recruiting willing native US English speakers if their business models favor paying money to do so. Their own accents are irrelevant to security.
PJW
- bogleblitz
- Posts: 506
- Joined: Mon Oct 01, 2012 2:51 pm
Re: Fidelity 2-Factor authentication fail...
I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.
So a hacker will not call Fidelity, because the phone call will be traced back to the hacker's home address.
- Phineas J. Whoopee
- Posts: 9675
- Joined: Sun Dec 18, 2011 5:18 pm
Re: Fidelity 2-Factor authentication fail...
bogleblitz wrote:
I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.
So a hacker will not call Fidelity, because the phone call will be traced back to the hacker's home address.

Using VOIP it is trivially easy to spoof phone numbers.
PJW
Re: Fidelity 2-Factor authentication fail...
I'm curious what people *want* Fidelity to do in this case?
10 or 12 years ago I had lost my VG password and had to wait for them to snail me a new one. That is one approach.
Re: Fidelity 2-Factor authentication fail...
Phineas J. Whoopee wrote:
bogleblitz wrote:
I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.
So a hacker will not call Fidelity, because the phone call will be traced back to the hacker's home address.
Using VOIP it is trivially easy to spoof phone numbers.
PJW

Phone numbers should never be used as security. As PJW stated, it's now trivial, unfortunately.
I have not yet investigated how safe voice verification is, but Vanguard does use that.
- tuningfork
- Posts: 885
- Joined: Wed Oct 30, 2013 8:30 pm
Re: Fidelity 2-Factor authentication fail...
Phineas J. Whoopee wrote:
bogleblitz wrote:
I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.
So a hacker will not call Fidelity, because the phone call will be traced back to the hacker's home address.
Using VOIP it is trivially easy to spoof phone numbers.
PJW

Indeed. If police could reliably trace a phone number to an address, "Rachel" and her credit card services scam would have been shut down years ago.
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Fidelity 2-Factor authentication fail...
Phineas J. Whoopee wrote:
bogleblitz wrote:
I may be wrong, but a phone call is very safe in my opinion. All phone calls are recorded and logged. Phone numbers cannot be spoofed, and the police can trace a phone number back to a home address.
So a hacker will not call Fidelity, because the phone call will be traced back to the hacker's home address.
Using VOIP it is trivially easy to spoof phone numbers.
PJW

Are you talking ANI or Caller ID? I thought ANI was still secure, because the phone companies use it for billing and they don't want to lose money.
In any case, caller ID spoofing can be dealt with by hanging up and calling back, unless the whole phone system has been subverted. OTOH, a crook can just plug his phone into the network interface outside your house, but he can't do that from Russia.
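The thread's argument (a presented caller ID proves nothing, a call-back to the number on file does, except for someone physically on that line) as a small toy model; this is an added example, not code from any poster or from Fidelity, and all names, numbers and the re-enrollment policy in it are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """The phone number the provider has on file for the customer (constructed)."""
    phone_of_record: str


@dataclass
class IncomingCall:
    """What the provider can observe about a caller (constructed model).

    presented_number: the caller ID / ANI value delivered with the call. With
    VoIP the caller chooses this value, so it proves nothing by itself.
    lines_controlled: numbers the caller can actually answer. Only someone on
    the line of record (the customer, or a crook at the house's network
    interface) has the number of record in this set.
    """
    presented_number: str
    lines_controlled: frozenset = frozenset()


def verify_by_presented_number(account: Account, call: IncomingCall) -> bool:
    """Weak check: trust the presented number. A spoofed call passes this."""
    return call.presented_number == account.phone_of_record


def verify_by_callback(account: Account, call: IncomingCall) -> bool:
    """Stronger check: hang up and dial the number on file.

    Passing requires control of that line, not just the ability to present
    its number; spoofing no longer helps.
    """
    return account.phone_of_record in call.lines_controlled


def may_reenroll_2fa_device(account: Account, call: IncomingCall,
                            password_ok: bool) -> bool:
    """Hypothetical policy for re-binding a replaced 2FA device by phone:
    the caller must know the password AND answer a callback on the line of record."""
    return password_ok and verify_by_callback(account, call)
```

The callback check still passes for anyone who can answer the line of record, which is exactly the caveat about the network interface box outside the house.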
Re: Fidelity 2-Factor authentication fail...
Yeah, that's how it's supposed to work. If you lose/change the physical device, they have to be able to tie it to a new device somehow. The Fidelity rep should have verified your identity using information other than just your username/password, though. Did they not at least ask for the last 4 digits of your social, your birthday, and some other form of security question before letting you in?
Re: Fidelity 2-Factor authentication fail...
KyleAAA wrote:
Yeah, that's how it's supposed to work. If you lose/change the physical device, they have to be able to tie it to a new device somehow. The Fidelity rep should have verified your identity using information other than just your username/password, though. Did they not at least ask for the last 4 digits of your social, your birthday, and some other form of security question before letting you in?

OP here. Fidelity asked for only the account username and password. I was calling Fidelity's toll-free number from my home landline, so perhaps Fidelity matched my home phone using ANI? I guess that's enough to get validated, and once validated, to change the 2-factor device ID. It sure felt weird to get login access working again only a few minutes after realizing I had messed up the original 2-factor device.
Re: Fidelity 2-Factor authentication fail...
stlutz wrote:
I'm curious what people *want* Fidelity to do in this case?
10 or 12 years ago I had lost my VG password and had to wait for them to snail me a new one. That is one approach.

I want options on the security vs easy scale.
I'd like to choose the option so that it is impossible to ever phone anyone about my account without using my password. If the password is lost, it can only be reset by mail with a Medallion signature guarantee from me.
Others might be happy with simple snail mail. That's what I'd probably pick for a 2FA device failure.
Default could be like what usually happens: a phone call to verify address and SSN.