Two-factor authentication via text messaging

catdude
Posts: 1499
Joined: Mon Jul 16, 2007 8:11 pm
Location: Central Oregon

Two-factor authentication via text messaging

Post by catdude » Wed Jul 27, 2016 12:03 am

Y'all,

Slate magazine has an article about the shortcomings of two-factor authentication via text messaging. Looks like the bad guys are catching up...

http://www.slate.com/blogs/future_tense ... ation.html
Security researchers have become increasingly concerned about this system, though, as hackers find more and more ways to remotely access SMS texts. Additionally, as VoIP communication services (Google Voice, Skype etc.) have proliferated, it has become harder to assess whether an SMS message is truly being sent over the cell network or whether it is being funneled through other transmission protocols with varying levels of security. The draft guidelines say, "Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators."
catdude | | "I yield to the gentleman for a few feeble remarks." (Congressman Thaddeus Stevens)

mhalley
Posts: 5814
Joined: Tue Nov 20, 2007 6:02 am

Re: Two-factor authentication via text messaging

Post by mhalley » Wed Jul 27, 2016 10:01 am

Seems pretty unlikely. But what is the alternative? The hackers will come up with a counter to anything that is created, just a matter of time. At the moment, 2 factor is a little better than one. At what point does the security feature inconvenience outweigh the convenience of doing things over the internet? Are we going to have to start actually going to the bank, get fingerprinted, photographed, pass a lie detector test, retina scan and voice id before we can pay our bills "online"?

greensky
Posts: 118
Joined: Tue Aug 05, 2008 9:55 pm

Re: Two-factor authentication via text messaging

Post by greensky » Wed Jul 27, 2016 10:45 am

Two factor authentication is supposed to be something you have. In the case of an SMS it's being sent over a network and is vulnerable to being intercepted. If you're on a smart phone that could be through an app that has SMS read permissions. It's also not that difficult for a hacker to use social engineering tricks to gain access to your mobile phone account which would give them access to your second factor authentication.

Something like Google's Authenticator app is preferable to SMS 2 factor authentication. Once you set it up, it no longer needs network access and the code changes every 30 seconds. It's not perfect, but it is a step up: it's something that can operate without network access.

At this point any form of 2 factor authentication is better than just having a password.

Epsilon Delta
Posts: 7423
Joined: Thu Apr 28, 2011 7:00 pm

Re: Two-factor authentication via text messaging

Post by Epsilon Delta » Wed Jul 27, 2016 10:49 am

mhalley wrote: Seems pretty unlikely. But what is the alternative? The hackers will come up with a counter to anything that is created, just a matter of time.
This is a counsel of despair and it's not true.

The problem is the way security people do their job. They just grab the first thing lying around, even though it's not secure. SMS was never secure and was never intended to be secure, so using SMS to add a layer of security is doomed; it's just a question of the hackers doing the work we know is possible.

If security systems were built using our best knowledge maybe the hackers could still break them, but we could force the hackers to do something we don't know how to do. Instead of learning that SMS is insecure, which we knew already, we'd learn how to factor large numbers, which we don't know how to do. Then we could move on to larger numbers or discrete logarithms.

Afty
Posts: 740
Joined: Sun Sep 07, 2014 5:31 pm

Re: Two-factor authentication via text messaging

Post by Afty » Wed Jul 27, 2016 11:53 am

You have to balance security with convenience. If your authentication system is too cumbersome, people will switch to a competing service. SMS 2-factor is less secure than a dedicated authenticator app, but more secure than just using a password. And it's more convenient than having to install yet another app on your phone.

Even within the authenticator app realm, there are degrees of security. Authy can sync your secret seeds to the cloud and your other devices, which is convenient but vulnerable to a data breach of the cloud provider (the seeds are encrypted, but still). Google Authenticator specifically does not do this, so it's more secure but also a pain to transfer to a new device.

Finally, all of these 2-factor systems are vulnerable to replay attacks. I.e., if someone wants to get into your Google account, they can spoof a Google login page, request both your password and the code from your authenticator, and then use those immediately to gain access to your account. If you're really paranoid, you can use a cryptographically secure second factor like a Yubikey. Those are not vulnerable to replay, but you have to actually carry this little device around all the time and your authentication systems have to support it.

Note that the guidance to avoid SMS-based 2-factor is directed at federal agencies. For those organizations, SMS is probably not sufficiently secure. But for your typical consumer service, maybe it's good enough.
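The 30-second code greensky describes and the real-time phishing replay Afty describes, as an added Python example (not code from any poster; the seed is the RFC 4226 test-vector secret, and `TotpVerifier` and `replay_demo` are my own illustration):

```python
import hmac, hashlib, struct

STEP = 30  # seconds per time step (RFC 6238 default; the "every 30 seconds" above)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock, so no network is needed."""
    return hotp(secret, at // step)

class TotpVerifier:
    """Server side. It holds the same seed the phone holds (a shared secret, so a
    server breach leaks it) and remembers the last step it accepted, which is the
    RFC 6238 section 5.2 defence against presenting one code twice."""
    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew        # tolerate +/- this many steps of clock drift
        self.last_step = -1     # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        cur = now // STEP
        for step in range(cur - self.skew, cur + self.skew + 1):
            if step > self.last_step and hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step   # burn this step so the same code is rejected later
                return True
        return False

# Constructed scenario using the RFC 4226 test-vector secret (not a real seed).
SECRET = b"12345678901234567890"

def replay_demo() -> dict:
    """A code typed into a fake login page at t=35 s is relayed by the attacker at t=50 s."""
    server = TotpVerifier(SECRET)
    phished = totp(SECRET, 35)          # valid for the whole 30..59 s window
    return {
        "attacker_first": server.verify(phished, 50),            # same window: accepted
        "victim_second":  server.verify(phished, 55),            # step already burned: rejected
        "next_code":      server.verify(totp(SECRET, 60), 60),   # fresh step: accepted
    }
```

The burned-step check only stops a second use of the same code; a code relayed inside its window before the victim's own login still works, which is the replay the post means and why an origin-bound factor such as a U2F key is the fix rather than a shorter step.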

mhalley
Posts: 5814
Joined: Tue Nov 20, 2007 6:02 am

Re: Two-factor authentication via text messaging

Post by mhalley » Wed Jul 27, 2016 12:15 pm

I didn't realize google authenticator was more secure than the text message, will need to check into it.

Doc
Posts: 8290
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: Two-factor authentication via text messaging

Post by Doc » Wed Jul 27, 2016 1:42 pm

We don't use phones or public WiFi for financial transactions. We are in a relatively remote area so our home WiFi is unlikely to be hacked. We have voice verification at two of our three brokers. Money can only be transferred out of our account to pre-established banks. The one broker without voice verification has no outside transfer mechanism set up except for RMD's. Have we done enough?
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

Phineas J. Whoopee
Posts: 7185
Joined: Sun Dec 18, 2011 6:18 pm

Re: Two-factor authentication via text messaging

Post by Phineas J. Whoopee » Wed Jul 27, 2016 2:09 pm

The article is about a public preview draft guideline from the National Institute of Standards and Technology (NIST). It does point out weaknesses in the use of SMS for two-factor authentication. The draft recommendation is that federal agencies not use SMS in any new systems, because later, as large scale interception of SMS messages becomes cheaper, it might prove to be insufficient. It also suggests new systems use a modular approach for 2FA, in such a way that one mechanism can easily be swapped out for another. It doesn't say presently deployed systems which already use SMS should change.

The body contradicts the far more lurid headline, "It's Official: Using Text Messages to Secure Your Passwords Is a Bad Idea."

The draft is here: Digital Authentication Guideline 800-63B.

PJW

mptfan
Posts: 4526
Joined: Mon Mar 05, 2007 9:58 am

Re: Two-factor authentication via text messaging

Post by mptfan » Wed Jul 27, 2016 2:18 pm

Afty wrote: Finally, all of these 2-factor systems are vulnerable to replay attacks. I.e., if someone wants to get into your Google account, they can spoof a Google login page, request both your password and the code from your authenticator, and then use those immediately to gain access to your account. If you're really paranoid, you can use a cryptographically secure second factor like a Yubikey. Those are not vulnerable to replay, but you have to actually carry this little device around all the time and your authentication systems have to support it.
Is it fair to conclude that if I use a Yubikey as my method of 2 factor authentication with Google, that no one could access my Google account if they did not have the device?

Phineas J. Whoopee
Posts: 7185
Joined: Sun Dec 18, 2011 6:18 pm

Re: Two-factor authentication via text messaging

Post by Phineas J. Whoopee » Wed Jul 27, 2016 3:52 pm

mptfan wrote: ...
Is it fair to conclude that if I use a Yubikey as my method of 2 factor authentication with Google, that no one could access my Google account if they did not have the device?
With respect to Google, which supports Yubikey, as Epsilon Delta wrote, not without computing things we don't mathematically know how to compute. It's the underlying basis of modern cryptography.
PJW

Epsilon Delta
Posts: 7423
Joined: Thu Apr 28, 2011 7:00 pm

Re: Two-factor authentication via text messaging

Post by Epsilon Delta » Wed Jul 27, 2016 9:08 pm

Phineas J. Whoopee wrote:
mptfan wrote: ...
Is it fair to conclude that if I use a Yubikey as my method of 2 factor authentication with Google, that no one could access my Google account if they did not have the device?
With respect to Google, which supports Yubikey, as Epsilon Delta wrote, not without computing things we don't mathematically know how to compute. It's the underlying basis of modern cryptography.
PJW
The devil is in the details.

Yubikey supports a number of different algorithms. Some of them are "shared secret" rather than "public key" based. A shared secret can be attacked at either end, so an account secured by Yubikey could be vulnerable if the server is hacked. For a public key based algorithm the server only knows the public key, so hacking the server only reveals what is already public. Google uses one of the public key modes, which is good. Other services may not, which is less good, careless even.

There are various possible attacks on the Yubikey hardware that could leak private keys without having to break the mathematics. Defending against these is a hardware and software quality of implementation issue. What we would learn from a break of this sort is that Yubikey was careless (in not protecting against a known attack), or imperfect (in trying and failing to protect against an attack), or the hacker had discovered a new attack (a net increase in human knowledge, which is good in a twisted sort of way). IMHO most of these breaks would probably require the hacker to gain control of your PC and social engineer you into pressing the button many times, so they would not be easy. However, if I were more distinguished and more elderly I would invoke Clarke's first law.
Last edited by Epsilon Delta on Wed Jul 27, 2016 11:00 pm, edited 1 time in total.

dmcmahon
Posts: 1870
Joined: Fri Mar 21, 2008 10:29 pm

Re: Two-factor authentication via text messaging

Post by dmcmahon » Wed Jul 27, 2016 10:27 pm

mhalley wrote: Seems pretty unlikely. But what is the alternative? The hackers will come up with a counter to anything that is created, just a matter of time. At the moment, 2 factor is a little better than one. At what point does the security feature inconvenience outweigh the convenience of doing things over the internet? Are we going to have to start actually going to the bank, get fingerprinted, photographed, pass a lie detector test, retina scan and voice id before we can pay our bills "online"?
I personally like the secure keys, a dedicated device that generates an additional code you must enter.

in_reality
Posts: 4529
Joined: Fri Jul 12, 2013 6:13 am

Re: Two-factor authentication via text messaging

Post by in_reality » Thu Jul 28, 2016 4:00 am

dmcmahon wrote:
mhalley wrote: Seems pretty unlikely. But what is the alternative? The hackers will come up with a counter to anything that is created, just a matter of time. At the moment, 2 factor is a little better than one. At what point does the security feature inconvenience outweigh the convenience of doing things over the internet? Are we going to have to start actually going to the bank, get fingerprinted, photographed, pass a lie detector test, retina scan and voice id before we can pay our bills "online"?
I personally like the secure keys, a dedicated device that generates an additional code you must enter.
Me too. My current bank requires a code from the device they sent me to start a transaction, then to finalize it, they display an eight digit code in the browser which I enter into the device to generate another code I need to enter into the browser. It's not for every transaction but rather for wiring funds overseas or a transfer to an account that hasn't previously received money from me.

gd
Posts: 1342
Joined: Sun Nov 15, 2009 8:35 am
Location: MA, USA

Re: Two-factor authentication via text messaging

Post by gd » Thu Jul 28, 2016 6:09 am

Doc wrote: ... We have voice verification at two of our three brokers. ... Have we done enough?
Can anyone provide any evidence as to the robustness of voice verification? Even casual: has anyone had it fail to recognize them when their voice changed due to a cold? Given the fairly impressive skills of voice recognition and synthesis systems nowadays, I don't see any reason to think someone's voice speaking a known phrase can't be synthesized from a sampling of speech, if not simply recorded and played back. If someone can get my SMS messages, I assume they can record a specific spoken phrase over a cell phone: use a Stingray device, and wait for the "at Vanguard, my voice is my password".

Doc
Posts: 8290
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: Two-factor authentication via text messaging

Post by Doc » Thu Jul 28, 2016 6:51 am

gd wrote: "... at Vanguard, my voice is my password".
Other phrases are sometimes asked for. I assume they are doing something to increase security.
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

jhfenton
Posts: 2994
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: Two-factor authentication via text messaging

Post by jhfenton » Thu Jul 28, 2016 7:48 am

Doc wrote:
gd wrote: "... at Vanguard, my voice is my password".
Other phrases are sometimes asked for. I assume they are doing something to increase security.
Does Vanguard really use other phrases? I've probably called in 10 times, and I've only ever been asked to repeat the one phrase.

Doc
Posts: 8290
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: Two-factor authentication via text messaging

Post by Doc » Thu Jul 28, 2016 8:52 am

jhfenton wrote: Does Vanguard really use other phrases? I've probably called in 10 times, and I've only ever been asked to repeat the one phrase.
Yes, sometimes after the "At Vanguard ..." they ask for two or three other phrases. I assumed that they are either trying to build a database or somehow I didn't say the "At Vanguard" phrase correctly.

FWIW Schwab uses "At Schwab ...". Also the voice recognition in my truck often can't understand me either. So perhaps it's just me. But in any case the "say other phrases" made me feel better not worse.
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

jebmke
Posts: 8026
Joined: Thu Apr 05, 2007 2:44 pm

Re: Two-factor authentication via text messaging

Post by jebmke » Thu Jul 28, 2016 9:04 am

I have wondered about biometric authentication. I know that the facial recognition on Lenovo computers is not secure. I can access my spouse's laptop by showing it my phone with the photo she used for access.
When you discover that you are riding a dead horse, the best strategy is to dismount.

elwing
Posts: 25
Joined: Wed Mar 12, 2014 4:07 pm

Re: Two-factor authentication via text messaging

Post by elwing » Thu Jul 28, 2016 12:01 pm

jebmke wrote: I have wondered about biometric authentication. I know that the facial recognition on Lenovo computers is not secure. I can access my spouse's laptop by showing it my phone with the photo she used for access.
Biometrics alone are not considered secure and should never be used alone. Most highly secure data centers use a combo of PIN and iris or PIN and handprint.
