Investors: be aware of weakness in 2FA + strengthening

Topic Author
YoungSisyphus
Posts: 54
Joined: Mon Sep 24, 2018 7:35 am

Investors: be aware of weakness in 2FA + strengthening

Post by YoungSisyphus »

Thought I’d share based on news I’ve been seeing. Please be aware that hackers are attacking 2FA through telecommunication carriers.

They are using weak port out rules and SIM swaps to circumvent traditional 2FA security. Basically, if you are with Verizon, they could port your phone number to a third party / prepaid service and hijack your number without you being aware. This could also happen by someone swapping a "SIM" so that the SIM active in the fraudster's device is assigned your phone number.

You can find an increase in news articles on this particularly related to cryptocurrency accounts, where they get access to an email / reset password / hijack your number to get access to your 2FA before you even realize what’s happened.

Would advise investors to strengthen their 2FA / telecommunication account security if you rely on it.

This forum has always been so helpful and wanted to share. Thanks!
Scatterbrain
Posts: 35
Joined: Tue Jun 04, 2019 1:58 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Scatterbrain »

What would be an ideal way to achieve this? Google Voice type # for all 2FA?
crinkles2
Posts: 69
Joined: Fri Nov 28, 2014 8:18 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by crinkles2 »

This is very true and does concern me.

We had the opposite problem - I bought a new sim card for our daughter, and needed to port out the old (prepaid) number. The old provider wouldn't let us! Extremely frustrating.

Some services use Secret Code generators. A credit union we used used Symantec 2FA to generate codes local to your phone, independent of mobile number. Similar to Microsoft or Google authenticator apps.
Topic Author
YoungSisyphus
Posts: 54
Joined: Mon Sep 24, 2018 7:35 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by YoungSisyphus »

If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like Google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers ability to keep their phone number). Not sure that there’s an easy solution there.
decapod10
Posts: 663
Joined: Thu Dec 28, 2017 6:46 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by decapod10 »

From what I have read, it is more difficult to SIM swap Verizon phones vs other phones. I'm not sure how true it is, but they say that the network verifies the IMEI of your phone with their records, which makes SIM swapping harder.

Source:
https://www.vice.com/en_us/article/kz43 ... d-t-mobile

Also, Verizon has a setting called "Number Lock" which locks your phone number to your line and can't be moved to another line or carrier. I learned about this recently and activated it.

Source (scroll down to #5)
https://www.verizonwireless.com/support ... safe-faqs/
oldfort
Posts: 1735
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

Is there any data on how common this is? Most of the examples I've seen in the news are high profile crypto-currency holders.
Topic Author
YoungSisyphus
Posts: 54
Joined: Mon Sep 24, 2018 7:35 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by YoungSisyphus »

Yes there may be differences across the carriers. No doubt that prepaid services most likely offer the least security. Verizon may be better due to the underlying technology actually needing IMEIs. GSM services like T-Mobile or AT&T are not so lucky.

The problem with the port out issue is you are reliant on the receiving telecommunications provider to follow the “rules” that the sending provider has for extra security.

On data: only that it is ‘on the rise’. And probably not a huge issue for folks that don’t have crypto - my assumption is that if they did access a fidelity or vanguard account that any type of transfer would be stopped. But then again, if they send fraud alerts to your phone... doesn’t do you much good.
rascott
Posts: 2347
Joined: Wed Apr 15, 2015 10:53 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by rascott »

You're supposed to have a PIN # with your wireless provider.... which must be used when changing SIMs for your number when porting. Obviously your phone would immediately stop working as well, so that would be a big red flag.
FIREchief
Posts: 5315
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

Does this apply in any way to 2FA that uses Symantec VIP, such as at Fidelity?
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
HEDGEFUNDIE
Posts: 4801
Joined: Sun Oct 22, 2017 2:06 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HEDGEFUNDIE »

Use Twilio Authy wherever possible.
bayview
Posts: 2266
Joined: Thu Aug 02, 2012 7:05 pm
Location: WNC

Re: Investors: be aware of weakness in 2FA + strengthening

Post by bayview »

decapod10 wrote: Sat May 23, 2020 10:27 pm From what I have read, it is more difficult to SIM swap Verizon phones vs other phones. I'm not sure how true it is, but they say that the network verifies the IMEI of your phone with their records, which makes SIM swapping harder.

Source:
https://www.vice.com/en_us/article/kz43 ... d-t-mobile

Also, Verizon has a setting called "Number Lock" which locks your phone number to your line and can't be moved to another line or carrier. I learned about this recently and activated it.

Source (scroll down to #5)
https://www.verizonwireless.com/support ... safe-faqs/
Just activated Number Lock. Thanks!!
The continuous execution of a sound strategy gives you the benefit of the strategy. That's what it's all about. --Rick Ferri
HawkeyePierce
Posts: 1482
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

FIREchief wrote: Sat May 23, 2020 10:45 pm Does this apply in any way to 2FA that uses Symantec VIP, such as at Fidelity?
No.
absolute zero
Posts: 498
Joined: Thu Dec 29, 2016 4:59 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by absolute zero »

Saying that something is “on the rise” is somewhat meaningless to me. Unless it’s backed by data or is a statement made by a reliable source (e.g. a person/organization of authority in the cyber-security world) then it doesn’t mean much, in my opinion.

Also, SMS's status as a highly vulnerable 2FA method has been well known for years. Even if it's the only option offered by your financial institution, that doesn't stop you from using a bulletproof password (16-20 character random string of numbers/letters, unique to that site). And the reset-password option is not a vulnerability if you secure your email account. This can be done by using a legitimate form of 2FA for your email account. Gmail, as an example, allows the use of authenticator apps, which are of course a very secure 2FA method.
oldfort
Posts: 1735
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

The weakness is usually in the recovery procedure. Vanguard needs some recovery procedure for people who lose their Yubikeys and forget their passwords. From Vanguard's perspective, there aren't a lot of great ways to handle it. You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
lawman3966
Posts: 1211
Joined: Sun Aug 10, 2008 12:09 pm
Location: Tacoma WA

Re: Investors: be aware of weakness in 2FA + strengthening

Post by lawman3966 »

I have ordered a Yubikey and hope to add this security feature to accounts at Schwab, Vanguard, and Fidelity.

Can anyone provide any feedback regarding the method for adding Yubikey to accounts at these companies and how it has worked for you.
FIREchief
Posts: 5315
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

oldfort wrote: Sun May 24, 2020 12:12 am You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
FIREchief
Posts: 5315
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

HawkeyePierce wrote: Sat May 23, 2020 11:11 pm
FIREchief wrote: Sat May 23, 2020 10:45 pm Does this apply in any way to 2FA that uses Symantec VIP, such as at Fidelity?
No.
Thanks. I thought so. One more reason to prefer Fidelity.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
HawkeyePierce
Posts: 1482
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

lawman3966 wrote: Sun May 24, 2020 12:23 am I have ordered a Yubikey and hope to add this security feature to accounts at Schwab, Vanguard, and Fidelity.

Can anyone provide any feedback regarding the method for adding Yubikey to accounts at these companies and how it has worked for you.
Schwab doesn't support Yubikeys.
increment
Posts: 362
Joined: Tue May 15, 2018 2:20 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by increment »

lawman3966 wrote: Sun May 24, 2020 12:23 am Can anyone provide any feedback regarding the method for adding Yubikey to accounts at these companies and how it has worked for you.
As far as I know, neither Schwab nor Fidelity allows use of the U2F functionality of the Yubikey.

At Vanguard, use of the Yubikey is a convenience, if you don't like getting the phone call/text message, but one cannot require authentication with it as it is trivial to make them contact you over the phone.
HawkeyePierce
Posts: 1482
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

FIREchief wrote: Sun May 24, 2020 12:38 am
oldfort wrote: Sun May 24, 2020 12:12 am You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
Scammer: "Hi I forgot my password"
Customer Service Agent: "Okay, can you answer this security question?"
Scammer: "Oh I just put nonsense in for those, I don't know what I wrote"

Security questions are only as strong as the company's most incompetent agent.
Topic Author
YoungSisyphus
Posts: 54
Joined: Mon Sep 24, 2018 7:35 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by YoungSisyphus »

Two themes here to take away:

1. that security is reliant on the weakest link in your chain. Many services have hitched on to the assumption that your cellular number is the most secure option. So then you are actually reliant on your carrier protecting your account. And the people that support servicing that account.

2. Realize that when "on the rise" comments are made that there is friction with providers because there could be litigation challenging their culpability in this. So the data you want to see will not be provided.

Will just leave it at that. If you have bulletproof credentials at every access point and your provider is well secured and any type of other carrier honors your port out requirements, you are good. I find that many people take the carrier part for granted and just wanted to share. Hope it’s helpful for some. Thanks!
jajlrajrf
Posts: 139
Joined: Sun Feb 09, 2020 6:15 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by jajlrajrf »

There are basically two types of 2FA:

-Code generators (token apps like Authy or Symantec VIP) that are good.
-"We will send you a code by SMS".

The latter is garbage and insecure, and we should all be very concerned that most of our banks only use that one.

(Vanguard offers use of the Yubikey, which is IMO better than SMS but inferior to a code generator app because I don't need another device to lose. I'm not going to lose my phone, and if I do I can remotely wipe it; let me use an app to do this! Does anyone know if the Yubico Authenticator app will work with Vanguard?)
Hockey10
Posts: 838
Joined: Wed Aug 24, 2016 12:20 pm
Location: Philadelphia suburbs

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Hockey10 »

decapod10 wrote: Sat May 23, 2020 10:27 pm Also, Verizon has a setting called "Number Lock" which locks your phone number to your line and can't be moved to another line or carrier. I learned about this recently and activated it.

Source (scroll down to #5)
https://www.verizonwireless.com/support ... safe-faqs/
Thanks for this tip Decapod!

As a Verizon Wireless customer, I was not aware of this. When I first set up my account, I went through all of the security options and don't remember seeing this one. I suspect it is something fairly new.
eigenperson
Posts: 44
Joined: Mon Nov 09, 2015 7:16 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by eigenperson »

Please, please, please use a U2F security key if that option is available. It has the huge advantage (compared to code generation apps like Authy/Google Authenticator) of not being phishable. You can register multiple U2F keys with a single account, so you can have backups if you are worried about losing the key.

If SMS is the only option, use a Google Voice account and enable advanced protection on the Google account. Good luck to anyone attempting to port that! You can still be phished so it is still not as good as U2F. Worse, you can lose Google Voice numbers due to inactivity, locking you out. And now there are two potential points of failure in the security chain -- your Google account, and your bank account -- rather than just one. Google + Advanced Protection is a tough nut to crack for an attacker, but it's still better to have just one point of failure rather than two.

In my opinion voice recognition should be considered completely insecure, as an attacker could easily obtain a sample of your voice knowing only your phone number, and generative speech models are extremely good these days.
absolute zero
Posts: 498
Joined: Thu Dec 29, 2016 4:59 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by absolute zero »

FIREchief wrote: Sun May 24, 2020 12:38 am
oldfort wrote: Sun May 24, 2020 12:12 am You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
This is why I disable security questions whenever possible. When they are required, I use a complex random string of characters.

There have been a couple times where I’m asked to verify by phone, which makes things somewhat interesting.

Agent: Can you verify your identity by providing the name of your childhood best friend?
Me: Sure, my childhood best friend was Pk4x19gTf99Jmb.
oldfort
Posts: 1735
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

FIREchief wrote: Sun May 24, 2020 12:38 am
oldfort wrote: Sun May 24, 2020 12:12 am You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
This is marginally more secure, but what does Vanguard customer service do if you tell them the answers to your security questions are gibberish and you have no idea what they are?
HawkeyePierce
Posts: 1482
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

jajlrajrf wrote: Sun May 24, 2020 8:09 am There are basically two types of 2FA:

-Code generators (token apps like Authy or Symantec VIP) that are good.
-"We will send you a code by SMS".

The latter is garbage and insecure, and we should all be very concerned that most of our banks only use that one.

(Vanguard offers use of the Yubikey, which is IMO better than SMS but inferior to a code generator app because I don't need another device to lose. I'm not going to lose my phone, and if I do I can remotely wipe it; let me use an app to do this! Does anyone know if the Yubico Authenticator app will work with Vanguard?)
Code generators are vulnerable to phishing. Physical security keys are not.
absolute zero
Posts: 498
Joined: Thu Dec 29, 2016 4:59 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by absolute zero »

eigenperson wrote: Sun May 24, 2020 9:46 am Please, please, please use a U2F security key if that option is available. It has the huge advantage (compared to code generation apps like Authy/Google Authenticator) of not being phishable. You can register multiple U2F keys with a single account, so you can have backups if you are worried about losing the key.

If SMS is the only option, use a Google Voice account and enable advanced protection on the Google account. Good luck to anyone attempting to port that! You can still be phished so it is still not as good as U2F. Worse, you can lose Google Voice numbers due to inactivity, locking you out. And now there are two potential points of failure in the security chain -- your Google account, and your bank account -- rather than just one. Google + Advanced Protection is a tough nut to crack for an attacker, but it's still better to have just one point of failure rather than two.

In my opinion voice recognition should be considered completely insecure, as an attacker could easily obtain a sample of your voice knowing only your phone number, and generative speech models are extremely good these days.
Hmm that is interesting - the part about authenticator apps being phishable. I immediately thought “the codes are only good for 30 seconds” but then did a google search and found an article describing how it can be done. The hacker just has to access the account immediately once the code is successfully phished.
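Added example, not posted by anyone in this thread: the code below shows both things the thread has been circling. First, what crinkles2 and absolute zero mean by a code generator "local to your phone": a TOTP code (RFC 6238) is derived from a secret shared at enrollment plus the clock, so nothing is ever sent over the carrier and a SIM swap gets the attacker nothing. Second, what eigenperson and HawkeyePierce mean by "phishable": a TOTP code is a bearer value, so a fake page can forward it to the real site inside the 30-second window, whereas a U2F/FIDO key signs over the origin the browser is actually on, so the same relay fails. The FIDO part is simplified to SHA-256(origin || challenge) signed with a per-site P-256 key (a real key also signs the application id hash, a counter and the full client data); the origins `https://bank.example` and `https://bank-login.example` are made up for the demo, and the TOTP secret is the RFC 6238 reference secret so the output can be checked against the RFC's test vectors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ---------- Code generator (TOTP, RFC 6238) ----------

// totp derives a code from a secret shared at enrollment and the current time.
// Nothing travels over SMS, so a SIM swap or port-out does not expose it.
func totp(secret []byte, unixTime, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret) // HMAC-SHA1 is the RFC 6238 default
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totpServerAccepts mimics a typical server that tolerates one step of clock skew.
func totpServerAccepts(secret []byte, code string, now int64) bool {
	for _, t := range []int64{now, now - 30} {
		if hmac.Equal([]byte(code), []byte(totp(secret, t, 30, 6))) {
			return true
		}
	}
	return false
}

// totpRelay models the phishing attack: the victim types the live code into a
// look-alike page and the attacker submits it to the real site seconds later.
// The code is a bearer value, so the real server cannot tell the difference.
func totpRelay(secret []byte, victimTime int64) bool {
	phished := totp(secret, victimTime, 30, 6) // read off the victim's phone
	return totpServerAccepts(secret, phished, victimTime+5)
}

// ---------- Security key (U2F/FIDO-style origin binding, simplified) ----------

// authenticator holds the per-site key pair created at registration.
type authenticator struct{ priv *ecdsa.PrivateKey }

func newAuthenticator() (*authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &authenticator{priv: priv}, &priv.PublicKey
}

// signedData is what the browser hands the key: the origin the page is really
// loaded from plus the server challenge. The user never types anything.
func signedData(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return d[:]
}

// assert is the key's response; origin is supplied by the browser, not the page.
func (a *authenticator) assert(origin string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// rpVerify is the real site's check: it rebuilds the signed data with its OWN
// origin, so a signature produced on a look-alike domain does not verify.
func rpVerify(pub *ecdsa.PublicKey, rpOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpOrigin, challenge), sig)
}

// fidoRelay runs the same relay against a security key. With phishOrigin equal
// to realOrigin this is an ordinary login; with a look-alike origin it fails.
func fidoRelay(a *authenticator, pub *ecdsa.PublicKey, realOrigin, phishOrigin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)                              // attacker fetched this from the real site
	sig := a.assert(phishOrigin, challenge)           // victim taps the key on the fake page
	return rpVerify(pub, realOrigin, challenge, sig) // attacker replays it to the real site
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 reference secret
	fmt.Println("TOTP at t=59 (RFC vector 94287082):", totp(secret, 59, 30, 8))
	fmt.Println("TOTP relay accepted by server:", totpRelay(secret, 1111111109))
	auth, pub := newAuthenticator()
	fmt.Println("Key login on real origin:", fidoRelay(auth, pub, "https://bank.example", "https://bank.example"))
	fmt.Println("Key login relayed from phish:", fidoRelay(auth, pub, "https://bank.example", "https://bank-login.example"))
}
```

The two relay functions are the whole point: they differ only in what the second factor is bound to. A TOTP code is bound to time, which the attacker has as well; a key assertion is bound to the origin, which the attacker cannot fake without also controlling the real site's domain in the victim's browser. That is why registering a second key as a backup (as eigenperson suggests) costs nothing in security, while any factor a user can be talked into retyping can be relayed.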
L82GAME
Posts: 326
Joined: Sat Dec 07, 2019 9:29 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by L82GAME »

decapod10 wrote: Sat May 23, 2020 10:27 pm From what I have read, it is more difficult to SIM swap Verizon phones vs other phones. I'm not sure how true it is, but they say that the network verifies the IMEI of your phone with their records, which makes SIM swapping harder.

Source:
https://www.vice.com/en_us/article/kz43 ... d-t-mobile

Also, Verizon has a setting called "Number Lock" which locks your phone number to your line and can't be moved to another line or carrier. I learned about this recently and activated it.

Source (scroll down to #5)
https://www.verizonwireless.com/support ... safe-faqs/
Thank you! I just updated the PIN and locked all of our numbers. Also, I don’t use TXT for 2FA for reasons cited herein.
patrick013
Posts: 3015
Joined: Mon Jul 13, 2015 7:49 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by patrick013 »

Have been using a token at Schwab for years. Surprised the battery hasn't worn out. If phished I think it would have to be phished by Schwab. The token and the Schwab database are the only 2 sources of the 6 digit code to use.

All these other fancy devices don't seem quite as good or better. SMS codes look good as long as the phone number can't be duplicated. Passwords are still there and marking the account to "remember me" adds a strong cookie for machine ID. Even mark the account to use that machine only, the one with the cookie on it. Then get the SMS code.

Where's a weakness?
age in bonds, buy-and-hold, 10 year business cycle
jajlrajrf
Posts: 139
Joined: Sun Feb 09, 2020 6:15 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by jajlrajrf »

Where's a weakness ?
Since the code is being sent from a central location to your phone, it's subject to a number of attacks along the way.

The points others raise about authenticator apps being phishable are true, but it still eliminates the man-in-the-middle attack from someone listening for the SMS message on its way to you.
patrick013
Posts: 3015
Joined: Mon Jul 13, 2015 7:49 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by patrick013 »

jajlrajrf wrote: Sun May 24, 2020 12:02 pm
Where's a weakness ?
Since the code is being sent from a central location to your phone, it's subject to a number of attacks along the way.

The points others raise about authenticator apps being phishable are true, but it still eliminates the man-in-the-middle attack from someone listening for the SMS message on its way to you.
They may be able to get part of what is req'd but the cookie for machine ID, the password, and the one time SMS code would all have to be acquired to get into the account. All 3 things. Apart from phishing. It looks pretty safe to me.
age in bonds, buy-and-hold, 10 year business cycle
mhalley
Posts: 8417
Joined: Tue Nov 20, 2007 6:02 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by mhalley »

I switched my 2fa to google voice secured by a google key. I feel this gives the best security aside from completely going to a key system.
jajlrajrf
Posts: 139
Joined: Sun Feb 09, 2020 6:15 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by jajlrajrf »

patrick013 wrote: Sun May 24, 2020 12:15 pm They may be able to get part of what is req'd but the cookie for machine ID, the password, and the one time SMS code would all have to be acquired to get into the account. All 3 things. Apart from phishing. It looks pretty safe to me.
Sure, we all should pick our own level of comfort.

Here's an article running down some of the risks of SMS 2FA specifically:

https://blog.sucuri.net/2020/01/why-2fa ... -idea.html
FIREchief
Posts: 5315
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

How would somebody "phish" my Symantec VIP? Are they going to call me and ask me for the current code? :confused
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
sd323232
Posts: 630
Joined: Thu Jun 21, 2018 4:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by sd323232 »

The only solid 2FA is when you use Google Authenticator. 2FA using a phone is very weak and can be hacked. So be very careful.
FIREchief
Posts: 5315
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

oldfort wrote: Sun May 24, 2020 10:35 am
FIREchief wrote: Sun May 24, 2020 12:38 am
oldfort wrote: Sun May 24, 2020 12:12 am You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
This is marginally more secure, but what does Vanguard customer service do if you tell them the answers to your security questions are gibberish and you have no idea what they are?
I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA all together.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
stan1
Posts: 8891
Joined: Mon Oct 08, 2007 4:35 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by stan1 »

oldfort wrote: Sat May 23, 2020 10:34 pm Is there any data on how common this is? Most of the examples I've seen in the news are high profile crypto-currency holders.
Right, that's an important question, and if you are a high profile, targeted individual you're in trouble no matter what. If SIM swaps get locked down the bad guys will move to whatever's the next easiest exploit for these people.

Best not to be a high profile, targeted individual.
Broken Man 1999
Posts: 5017
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, inland on high ground!

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Broken Man 1999 »

How secure is a VoIP?

My VoIP phone never gets out of the house, unlike my cell phone.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go. " -Mark Twain
oldfort
Posts: 1735
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

FIREchief wrote: Sun May 24, 2020 12:35 pm I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA all together.
I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
Last edited by oldfort on Sun May 24, 2020 1:04 pm, edited 1 time in total.
patrick013
Posts: 3015
Joined: Mon Jul 13, 2015 7:49 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by patrick013 »

Several companies have started using 2 passwords. One for login and the other for trading. When you make a trade or transaction you assign it a password. Probably active for just a few days. Then when finished assign the account a new "trading password". That would be used for future transactions or trading.

No phone company to worry about just a secure 2nd password. So any change there would alert to phishing, hacking, and the start of an unauthorized trade or transaction as any password change would indicate if not done by the account holder.
age in bonds, buy-and-hold, 10 year business cycle
MarkBarb
Posts: 492
Joined: Mon Aug 03, 2009 11:59 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by MarkBarb »

absolute zero wrote: Sun May 24, 2020 10:26 am
FIREchief wrote: Sun May 24, 2020 12:38 am
oldfort wrote: Sun May 24, 2020 12:12 am You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
This is why I disable security questions whenever possible. When they are required, I use a complex random string of characters.

There have been a couple times where I’m asked to verify by phone, which makes things somewhat interesting.

Agent: Can you verify your identity by providing the name of your childhood best friend?
Me: Sure, my childhood best friend was Pk4x19gTf99Jmb.
This is an actual conversation between me and a Vanguard agent:
Agent: Can you tell me the name of your favorite athlete?
Me: adj32haf7o hq324au.
Agent: Oh yeah, didn't he used to play for the Phillies?
stan1
Posts: 8891
Joined: Mon Oct 08, 2007 4:35 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by stan1 »

I use fake data but use a unique set of three random English words that do not relate to the question:

First girlfriend:
crunchy apple shower

Easier to read off when needed and I'm not seeing how random characters would improve security in this case.
H-Town
Posts: 2868
Joined: Sun Feb 26, 2017 2:08 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by H-Town »

YoungSisyphus wrote: Sat May 23, 2020 10:25 pm If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers' ability to keep their phone number). Not sure that there’s an easy solution there.
Does sim hack require “social hacking”? You get a call from “Verizon customer rep” telling you that your account has been compromised and that you have to provide password and secret question and answer to reactivate your account. Many gullible people lost their account that way.

What happened to never give out any personal information on the phone? I don’t even pick up the phone if I don’t recognize the number.
oldfort
Posts: 1735
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

H-Town wrote: Sun May 24, 2020 2:08 pm
YoungSisyphus wrote: Sat May 23, 2020 10:25 pm If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers' ability to keep their phone number). Not sure that there’s an easy solution there.
Does sim hack require “social hacking”? You get a call from “Verizon customer rep” telling you that your account has been compromised and that you have to provide password and secret question and answer to reactivate your account. Many gullible people lost their account that way.

What happened to never give out any personal information on the phone? I don’t even pick up the phone if I don’t recognize the number.
SIM hacks require social hacking in the reverse direction. They call the Verizon customer rep, pretend to be you, and get your phone number ported to their phone.
Vulcan
Posts: 1315
Joined: Sat Apr 05, 2014 11:43 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Vulcan »

mhalley wrote: Sun May 24, 2020 12:29 pm I switched my 2fa to google voice secured by a google key. I feel this gives the best security aside from completely going to a key system.
+1

Or Google Fi if you use them as your carrier.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
HawkeyePierce
Posts: 1482
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

patrick013 wrote: Sun May 24, 2020 1:03 pm Several companies have started using 2 passwords. One for login and the other for trading. When you make a trade or transaction you assign it a password. Probably active for just a few days. Then when finished assign the account a new "trading password". That would be used for future transactions or trading.

No phone company to worry about, just a secure 2nd password. So any change there would alert to phishing, hacking, and the start of an unauthorized trade or transaction, as any password change would indicate if not done by the account holder.
A second password doesn't add any security. It's still only one of three possible factors.
  • Something you know (passwords)
  • Something you have (physical tokens, phones)
  • Something you are (biometrics)
Having a second password for trading is still one-factor authentication. It's not an improvement.
Broken Man 1999 wrote: Sun May 24, 2020 12:53 pm How secure is a VoIP?

My VoIP phone never gets out of the house, unlike my cell phone.

Broken Man 1999
SIM swap hacks have nothing to do with taking your phone out with you. If your VoIP provider accepts SMS and also allows attackers to port your number, it's just as susceptible to this attack as a cell phone.
sd323232 wrote: Sun May 24, 2020 12:32 pm the only solid 2FA is when you use google authenticator. 2FA using a phone is very weak and can be hacked. So be very careful
2FA using a phone isn't "very weak", that's an overstatement. It's orders of magnitude more secure than just using a password as it prevents credential-stuffing attacks in which an attacker tries to brute-force their way into thousands or millions of accounts using credentials leaked/stolen from other websites, on the assumption that some non-negligible portion of users reused a password.

SMS 2FA is principally vulnerable to two attacks:
  • SIM swaps, in which an attacker convinces the mobile provider to transfer the number
  • Phishing, where you unknowingly enter the SMS 2FA code into an attacker's website, the attacker then uses it to log in to the real website
App-based 2FA like Google Authenticator is equally vulnerable to phishing attacks as SMS 2FA. This attack is far more common than SIM swapping anyways.

Phishing can be automated by attackers so they can go after many victims at once. SIM swapping is much more labor intensive. It's rare enough that you still hear about instances of that attack in mainstream news.

Both app-based and SMS 2FA are inferior to physical tokens like Yubikeys, as Yubikeys are *not* vulnerable to phishing. The current consensus among security professionals is that Yubikeys are the only surefire way to prevent phishing attacks.
FIREchief wrote: Sun May 24, 2020 12:31 pm How would somebody "phish" my Symantec VIP? Are they going to call me and ask me for the current code? :confused
Yes. Or you'll click on an email to log into a fake Fidelity website, entering your valid credentials and code from Symantec VIP which the attacker then uses to log into the real Fidelity website.

Never assume you'll be smart enough to always spot a phishing attack.
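The post above explains why a one-time code, whether delivered by SMS or generated by an authenticator app, can be relayed through a phishing page while a hardware key cannot. The following is an added example, not code from the thread or from any vendor named in it: it implements TOTP per RFC 6238 with the standard library, then models the origin binding that FIDO keys provide. The origin-bound part is a simplified stand-in that uses HMAC with a shared device key where a real authenticator would use a public-key signature; the secrets, origins and timestamp are constructed for the demo.

```python
"""
Added example: why a relayed one-time code verifies but a relayed
origin-bound assertion does not.

Part 1 is TOTP (RFC 6238) over HOTP (RFC 4226), implemented with the
standard library. Part 2 is a simplified model of a FIDO-style
challenge/response: HMAC with a shared device key stands in for the
public-key signature a real authenticator produces (an assumption made
for brevity), but the property that matters, that the browser binds the
origin it is really talking to into the signed data, is modelled faithfully.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


# ---- Part 1: TOTP, the code an SMS or authenticator app would show ------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check accepting the current step plus/minus `window` steps.
    Nothing here can tell whether the user typed the code into the real
    site or into a look-alike page that forwarded it."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * STEP_SECONDS), code):
            return True
    return False


# ---- Part 2: origin-bound challenge/response (FIDO-style, simplified) ----

def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> dict:
    """Stand-in for browser + hardware key: the browser supplies the origin
    of the page actually requesting the assertion, and the key signs the
    challenge and that origin together. The user never sees or types a code."""
    client_data = f"{origin}|{challenge.hex()}".encode()
    signature = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def relying_party_verify(device_key: bytes, expected_origin: str,
                         issued_challenge: bytes, assertion: dict) -> bool:
    """The real site checks that the signed data names its own origin and the
    challenge it issued, and that the signature is valid for the registered key."""
    origin, _, challenge_hex = assertion["client_data"].decode().partition("|")
    if origin != expected_origin:
        return False  # signed for some other site: a relayed assertion is rejected here
    if challenge_hex != issued_challenge.hex():
        return False  # stale or foreign challenge
    expected = hmac.new(device_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


# ---- Scenario: one phishing session against each mechanism ----------------

TOTP_SEED = b"constructed-totp-seed-32-bytes!!"      # constructed, not a real seed
DEVICE_KEY = b"constructed-device-key"                # constructed stand-in key
REAL_ORIGIN = "https://www.example-brokerage.test"    # hypothetical real site
FAKE_ORIGIN = "https://www.example-br0kerage.test"    # hypothetical look-alike
CHALLENGE = bytes(range(16))                          # constructed server challenge
NOW = 1_590_350_000                                   # constructed timestamp


def phishing_relay_demo() -> tuple:
    """Returns (totp_relay_accepted, fido_relay_accepted)."""
    # Victim reads the current code from their app and types it into the fake
    # page; the attacker submits it to the real site a few seconds later.
    code_typed_into_fake_site = totp(TOTP_SEED, NOW)
    totp_relayed = verify_totp(TOTP_SEED, code_typed_into_fake_site, NOW + 5)

    # The fake page forwards the real site's challenge, but the victim's browser
    # binds the origin it actually sees (the fake one) into the signed data.
    assertion = authenticator_sign(DEVICE_KEY, CHALLENGE, FAKE_ORIGIN)
    fido_relayed = relying_party_verify(DEVICE_KEY, REAL_ORIGIN, CHALLENGE, assertion)
    return totp_relayed, fido_relayed


def legitimate_login_demo() -> bool:
    """Same key, same challenge, but the browser is really on the real site."""
    assertion = authenticator_sign(DEVICE_KEY, CHALLENGE, REAL_ORIGIN)
    return relying_party_verify(DEVICE_KEY, REAL_ORIGIN, CHALLENGE, assertion)


if __name__ == "__main__":
    relayed_totp, relayed_fido = phishing_relay_demo()
    print("relayed TOTP accepted by real site:", relayed_totp)      # True
    print("relayed FIDO assertion accepted:", relayed_fido)         # False
    print("legitimate FIDO login accepted:", legitimate_login_demo())  # True
```

The TOTP functions reproduce the RFC 4226 and RFC 6238 test vectors, so the "relayed code is accepted" result is not an artifact of a toy implementation: the server genuinely has no signal distinguishing a code typed on the real page from one typed on a look-alike and forwarded within the 30-second window. The origin check in `relying_party_verify` is the single line that separates the two outcomes.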
tuningfork
Posts: 532
Joined: Wed Oct 30, 2013 8:30 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by tuningfork »

FIREchief wrote: Sun May 24, 2020 12:31 pm How would somebody "phish" my Symantec VIP? Are they going to call me and ask me for the current code? :confused
Actually, that's one way. You get a call from your bank (not really your bank, it's a fraudster pretending to be your bank). The person you talk to asks you some questions to confirm your identity before they will reverse the (fake) fraudulent withdrawal. One of those questions is to read back the number on your authenticator app (or an SMS code they (allegedly) text you). Meanwhile, they are attempting to log in to your account. Your real bank needs the code, which you read to the fraudster over the phone, they type it in, get access to your account, and then you have a really bad day. Of course, for this to work they must already have your password (which they might get if you reuse passwords) and their initial pitch must be convincing enough to catch you off guard.

Or a phishing email convinces you to click through to a fake version of your bank's website's login page. You enter your login and password and Symantec VIP or authenticator app code, which the phishing website uses to log in to the actual bank's website, and then you have a really bad day.
FIREchief
Posts: 5315
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

HawkeyePierce wrote: Sun May 24, 2020 2:16 pm
FIREchief wrote: Sun May 24, 2020 12:31 pm How would somebody "phish" my Symantec VIP? Are they going to call me and ask me for the current code? :confused
Yes. Or you'll click on an email to log into a fake Fidelity website, entering your valid credentials and code from Symantec VIP which the attacker then uses to log into the real Fidelity website.

Never assume you'll be smart enough to always spot a phishing attack.
Thank you. That makes sense. I always access financial accounts by typing in the URL (or using a bookmark on my own computer). I would never use an email link, but I can certainly see how that could fool people.

This is probably a good point to remind folks to turn on transfer alerts so that they receive a text at any time that a transfer is initiated out of their financial accounts. Also, I would be more nervous if I had assets at "that major brokerage" that still doesn't have 24/7 phone support.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
H-Town
Posts: 2868
Joined: Sun Feb 26, 2017 2:08 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by H-Town »

oldfort wrote: Sun May 24, 2020 2:12 pm
H-Town wrote: Sun May 24, 2020 2:08 pm
YoungSisyphus wrote: Sat May 23, 2020 10:25 pm If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers' ability to keep their phone number). Not sure that there’s an easy solution there.
Does sim hack require “social hacking”? You get a call from “Verizon customer rep” telling you that your account has been compromised and that you have to provide password and secret question and answer to reactivate your account. Many gullible people lost their account that way.

What happened to never give out any personal information on the phone? I don’t even pick up the phone if I don’t recognize the number.
SIM hacks require social hacking in the reverse direction. They call the Verizon customer rep, pretend to be you, and get your phone number ported to their phone.
Wouldn’t the hacker need some sort of your information? Secret passcode, name, address, last 4 digits of your SSN? If it could be done easily, many people would already have lost their number.