Investors: be aware of weakness in 2FA + strengthening

Nestegg_User
Posts: 1552
Joined: Wed Aug 05, 2009 1:26 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Nestegg_User »

absolute zero wrote: Sun May 24, 2020 10:26 am
FIREchief wrote: Sun May 24, 2020 12:38 am
oldfort wrote: Sun May 24, 2020 12:12 am You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
This is why I disable security questions whenever possible. When they are required, I use a complex random string of characters.

There have been a couple times where I’m asked to verify by phone, which makes things somewhat interesting.

Agent: Can you verify your identify by providing the name of your childhood best friend?
Me: Sure, my childhood best friend was Pk4x19gTf99Jmb.
In my old days, when needing to set up unique passwords, I'd use high ASCII characters :shock:
Try telling the CS rep those! :twisted:
(I don't think they are recognized by systems anymore, but it certainly helped prevent some brute force attacks since hackers never included those in their character sets.)
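Nestegg_User's habit of answering security questions with a random string is the right instinct; the check a practitioner wants is how much guessing resistance it actually buys over a "real" answer, and how to make the answer readable to a phone agent. The script below is an added example, not code from the thread or from any poster: it draws answers from an alphabet with look-alike characters removed, groups them for reading aloud, generates printed recovery codes, and compares the entropy of a random answer against a real one drawn from an assumed pool of about 25,000 U.S. high schools (an illustrative figure, not a sourced count).

```python
import math
import secrets
import string

# Letters and digits minus the characters that are confused when spoken or
# hand-copied (zero/O, one/l/I). Assumption: the institution accepts plain
# alphanumerics in security-question answers; many reject punctuation.
UNAMBIGUOUS = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1lI"
)

# Constructed, illustrative size of the candidate pool for a "real" answer
# such as a high school name; the exact number does not change the lesson.
ASSUMED_HIGH_SCHOOL_POOL = 25_000


def entropy_bits(pool_size: int, length: int = 1) -> float:
    """Bits of guessing resistance for `length` independent uniform draws."""
    return length * math.log2(pool_size)


def random_answer(length: int = 14, alphabet: str = UNAMBIGUOUS) -> str:
    """Uniformly random answer from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def spoken_groups(answer: str, size: int = 4) -> str:
    """Split an answer into short groups so it can be read to an agent."""
    return " ".join(answer[i:i + size] for i in range(0, len(answer), size))


def recovery_codes(count: int = 10, length: int = 10) -> list:
    """Distinct printed one-time codes; digits only so any input form takes them."""
    codes = set()
    while len(codes) < count:
        codes.add("".join(secrets.choice(string.digits) for _ in range(length)))
    return sorted(codes)


def compare(length: int = 14) -> dict:
    """Entropy of a real answer versus a random one of the given length."""
    return {
        "real_answer_bits": entropy_bits(ASSUMED_HIGH_SCHOOL_POOL),
        "random_answer_bits": entropy_bits(len(UNAMBIGUOUS), length),
    }


if __name__ == "__main__":
    answer = random_answer()
    print("childhood best friend:", spoken_groups(answer))
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f} bits")
    print("recovery codes:", *recovery_codes(), sep="\n  ")
```

A 14-character answer from this 57-symbol alphabet carries about 82 bits; a real high-school name carries under 15 even before the attacker looks it up on social media. The grouping and the reduced alphabet exist only so the answer survives being read over the phone; they cost roughly half a bit per character.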
HawkeyePierce
Posts: 1488
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

H-Town wrote: Sun May 24, 2020 2:39 pm
oldfort wrote: Sun May 24, 2020 2:12 pm
H-Town wrote: Sun May 24, 2020 2:08 pm
YoungSisyphus wrote: Sat May 23, 2020 10:25 pm If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers ability to keep their phone number). Not sure that there’s an easy solution there.
Does SIM hack require “social hacking”? You get a call from a “Verizon customer rep” telling you that your account has been compromised and that you have to provide your password and secret question and answer to reactivate your account. Many gullible people have lost their accounts that way.

What happened to never give out any personal information on the phone? I don’t even pick up the phone if I don’t recognize the number.
SIM hacks require social hacking in the reverse direction. They call the Verizon customer rep, pretend to be you, and get your phone number ported to their phone.
Wouldn’t the hacker need some sort of your information? Secret passcode, name, address, last 4 digits of your SSN? If it could be done easily, many people would already have lost their numbers.
None of that is terribly hard to find and attackers are adept at socially-engineering agents to bypass verification steps.

You're right that these are targeted attacks but that doesn't make them necessarily difficult, just labor intensive.
Nestegg_User
Posts: 1552
Joined: Wed Aug 05, 2009 1:26 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Nestegg_User »

H-Town wrote: Sun May 24, 2020 2:39 pm
oldfort wrote: Sun May 24, 2020 2:12 pm
H-Town wrote: Sun May 24, 2020 2:08 pm
YoungSisyphus wrote: Sat May 23, 2020 10:25 pm If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers ability to keep their phone number). Not sure that there’s an easy solution there.
Does SIM hack require “social hacking”? You get a call from a “Verizon customer rep” telling you that your account has been compromised and that you have to provide your password and secret question and answer to reactivate your account. Many gullible people have lost their accounts that way.

What happened to never give out any personal information on the phone? I don’t even pick up the phone if I don’t recognize the number.
SIM hacks require social hacking in the reverse direction. They call the Verizon customer rep, pretend to be you, and get your phone number ported to their phone.
Wouldn’t the hacker need some sort of your information? Secret passcode, name, address, last 4 digits of your SSN? If it could be done easily, many people would already have lost their numbers.
Are you kidding? I know of- - at least - - six high profile leaks involving my or spouse's info, and who knows how many others that weren't reported! As noted by others above, the reps doing the resets or helping port numbers are the weak links.... social engineering.
Afty
Posts: 1412
Joined: Sun Sep 07, 2014 5:31 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Afty »

H-Town wrote: Sun May 24, 2020 2:39 pm
oldfort wrote: Sun May 24, 2020 2:12 pm
H-Town wrote: Sun May 24, 2020 2:08 pm
YoungSisyphus wrote: Sat May 23, 2020 10:25 pm If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers ability to keep their phone number). Not sure that there’s an easy solution there.
Does SIM hack require “social hacking”? You get a call from a “Verizon customer rep” telling you that your account has been compromised and that you have to provide your password and secret question and answer to reactivate your account. Many gullible people have lost their accounts that way.

What happened to never give out any personal information on the phone? I don’t even pick up the phone if I don’t recognize the number.
SIM hacks require social hacking in the reverse direction. They call the Verizon customer rep, pretend to be you, and get your phone number ported to their phone.
Wouldn’t the hacker need some sort of your information? Secret passcode, name, address, last 4 digits of your SSN? If it could be done easily, many people would already have lost their numbers.
Here is an example from right here on Bogleheads: viewtopic.php?t=300252
FrankTheViking
Posts: 105
Joined: Wed Jan 08, 2020 3:44 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FrankTheViking »

Recently started 1Password free trial. Extremely happy and will continue service after free trial ends. Any accounts that use 2FA can be linked with 1Password as opposed to your phone.
No EF. 80% Total U.S. / 20% Total International. 100% equity. Is there a gun to your head? Is there a tiger in the room? No? What's the problem?
H-Town
Posts: 2868
Joined: Sun Feb 26, 2017 2:08 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by H-Town »

Afty wrote: Sun May 24, 2020 3:53 pm
H-Town wrote: Sun May 24, 2020 2:39 pm
oldfort wrote: Sun May 24, 2020 2:12 pm
H-Town wrote: Sun May 24, 2020 2:08 pm
YoungSisyphus wrote: Sat May 23, 2020 10:25 pm If you do use 2FA that is reliant on your cell carrier, would advise that you look into any type of extra security available (pin codes / account strengthening that they offer). This would make it more difficult for the SIM attack. Could also look at 2FA like google Authenticator if your financial institution allows for it.

The port out rules worry me because carriers are required by law to make porting service pretty easy (due to regulations on consumers ability to keep their phone number). Not sure that there’s an easy solution there.
Does SIM hack require “social hacking”? You get a call from a “Verizon customer rep” telling you that your account has been compromised and that you have to provide your password and secret question and answer to reactivate your account. Many gullible people have lost their accounts that way.

What happened to never give out any personal information on the phone? I don’t even pick up the phone if I don’t recognize the number.
SIM hacks require social hacking in the reverse direction. They call the Verizon customer rep, pretend to be you, and get your phone number ported to their phone.
Wouldn’t the hacker need some sort of your information? Secret passcode, name, address, last 4 digits of your SSN? If it could be done easily, many people would already have lost their numbers.
Here is an example from right here on Bogleheads: viewtopic.php?t=300252
An example of people carelessly giving away information on the phone. Don’t do that.
Vulcan
Posts: 1327
Joined: Sat Apr 05, 2014 11:43 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Vulcan »

FIREchief wrote: Sun May 24, 2020 12:38 amIsn't this just reinforcement for why you should never use "real" answers for security questions?
Institutions taking security seriously use secret questions as a mere gatekeeper to sending a password reset link to your registered email or code to your phone.

You can't reset, say, your Vanguard's password by simply answering your security questions.
Try it, you'll see.
FIREchief wrote: Sun May 24, 2020 12:38 am Once you get to the point of sending a password reset to email, you're on very thin ice.
Why?

Your email is the key to your kingdom and should be secured by 2FA.
Everything else can then just use your email address as the 2nd factor.
That includes using Google Voice for 2FA with texts forwarded to email.

And good luck porting my GV number from under me.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
stumpy
Posts: 39
Joined: Wed May 24, 2017 7:48 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by stumpy »

Would it be better for those of us who have landlines to have our authentication code sent by voice on the landline?
eigenperson
Posts: 44
Joined: Mon Nov 09, 2015 7:16 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by eigenperson »

stumpy wrote: Sun May 24, 2020 7:50 pm Would it be better for those of us who have landlines to have our authentication code sent by voice on the landline?
Maybe slightly better because some attackers would not be familiar with it. But my understanding is that landline numbers can be transformed into cell numbers in many cases, and this process is likely just as easy to socially engineer as the cell-to-cell number porting process. Furthermore, landline services have features like call forwarding, and if they can convince a representative to set that up for them (with a story like "halp, I'm on vacation and I really need to receive important phone calls") you are owned.

I think it would be easy enough to attack and I would not count on this as a secure solution. Whether it's better or worse than SMS, if you have the choice, I don't know.
FoolMeOnce
Posts: 983
Joined: Mon Apr 24, 2017 11:16 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FoolMeOnce »

oldfort wrote: Sun May 24, 2020 12:58 pm
FIREchief wrote: Sun May 24, 2020 12:35 pm I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA altogether.
I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
bayview
Posts: 2266
Joined: Thu Aug 02, 2012 7:05 pm
Location: WNC

Re: Investors: be aware of weakness in 2FA + strengthening

Post by bayview »

FoolMeOnce wrote: Sun May 24, 2020 10:08 pm
oldfort wrote: Sun May 24, 2020 12:58 pm
FIREchief wrote: Sun May 24, 2020 12:35 pm I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA altogether.
I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?
oldfort wrote: Sun May 24, 2020 12:58 pmI don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
Is there a way to set a reset to snail mail, if one fails the security question (or other) test?

I’d be fine with waiting a week for physical mail as a penalty for goobering up my regular log-in. This is why I have an additional B&M source for cash.
The continuous execution of a sound strategy gives you the benefit of the strategy. That's what it's all about. --Rick Ferri
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

bayview wrote: Sun May 24, 2020 10:42 pm
oldfort wrote: Sun May 24, 2020 12:58 pmI don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
Is there a way to set a reset to snail mail, if one fails the security question (or other) test?

I’d be fine with waiting a week for physical mail as a penalty for goobering up my regular log-in. This is why I have an additional B&M source for cash.
No, I don't believe there's any way you can force Vanguard to use snail mail for an account reset. From Vanguard's standpoint, you're not being compliant with their security policies when you submit fictitious answers to security questions.
bayview
Posts: 2266
Joined: Thu Aug 02, 2012 7:05 pm
Location: WNC

Re: Investors: be aware of weakness in 2FA + strengthening

Post by bayview »

oldfort wrote: Sun May 24, 2020 10:49 pm
bayview wrote: Sun May 24, 2020 10:42 pm
oldfort wrote: Sun May 24, 2020 12:58 pmI don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
Is there a way to set a reset to snail mail, if one fails the security question (or other) test?

I’d be fine with waiting a week for physical mail as a penalty for goobering up my regular log-in. This is why I have an additional B&M source for cash.
No, I don't believe there's any way you can force Vanguard to use snail mail for an account reset. From Vanguard's standpoint, you're not being compliant with their security policies when you submit fictitious answers to security questions.
Good Lord.
The continuous execution of a sound strategy gives you the benefit of the strategy. That's what it's all about. --Rick Ferri
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

bayview wrote: Sun May 24, 2020 10:50 pm
oldfort wrote: Sun May 24, 2020 10:49 pm
bayview wrote: Sun May 24, 2020 10:42 pm
oldfort wrote: Sun May 24, 2020 12:58 pmI don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
Is there a way to set a reset to snail mail, if one fails the security question (or other) test?

I’d be fine with waiting a week for physical mail as a penalty for goobering up my regular log-in. This is why I have an additional B&M source for cash.
No, I don't believe there's any way you can force Vanguard to use snail mail for an account reset. From Vanguard's standpoint, you're not being compliant with their security policies when you submit fictitious answers to security questions.
Good Lord.
From 2017, I think we have our answer:
livesoft wrote: Fri Oct 06, 2017 8:57 pm I've forgotten my security questions, so I call them up and they reset everything for me. It is really that easy.
FIREchief
Posts: 5331
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

bayview wrote: Sun May 24, 2020 10:50 pm
oldfort wrote: Sun May 24, 2020 10:49 pm
bayview wrote: Sun May 24, 2020 10:42 pm
oldfort wrote: Sun May 24, 2020 12:58 pmI don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
Is there a way to set a reset to snail mail, if one fails the security question (or other) test?

I’d be fine with waiting a week for physical mail as a penalty for goobering up my regular log-in. This is why I have an additional B&M source for cash.
No, I don't believe there's any way you can force Vanguard to use snail mail for an account reset. From Vanguard's standpoint, you're not being compliant with their security policies when you submit fictitious answers to security questions.
Good Lord.
Yeah, really. This borders on the absurd.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
FIREchief
Posts: 5331
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

bayview wrote: Sun May 24, 2020 10:42 pm
FoolMeOnce wrote: Sun May 24, 2020 10:08 pm
oldfort wrote: Sun May 24, 2020 12:58 pm
FIREchief wrote: Sun May 24, 2020 12:35 pm I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA altogether.
I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?

You miss the point. The point is that the hacker would have no way of knowing that you used "gibberish" for your security answers.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
bayview
Posts: 2266
Joined: Thu Aug 02, 2012 7:05 pm
Location: WNC

Re: Investors: be aware of weakness in 2FA + strengthening

Post by bayview »

FIREchief wrote: Sun May 24, 2020 10:55 pm
bayview wrote: Sun May 24, 2020 10:50 pm
oldfort wrote: Sun May 24, 2020 10:49 pm
bayview wrote: Sun May 24, 2020 10:42 pm
oldfort wrote: Sun May 24, 2020 12:58 pmI don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
Is there a way to set a reset to snail mail, if one fails the security question (or other) test?

I’d be fine with waiting a week for physical mail as a penalty for goobering up my regular log-in. This is why I have an additional B&M source for cash.
No, I don't believe there's any way you can force Vanguard to use snail mail for an account reset. From Vanguard's standpoint, you're not being compliant with their security policies when you submit fictitious answers to security questions.
Good Lord.
Yeah, really. This borders on the absurd.
My mother’s USAA accounts are migrating to Charles Schwab. I’m thinking that I will use her remaining years to get familiar with the CS platform in the context of looking for my eventual site for the inherited assets that I will manage for my children.

I love cheap, except when it harms performance, including security.
The continuous execution of a sound strategy gives you the benefit of the strategy. That's what it's all about. --Rick Ferri
bayview
Posts: 2266
Joined: Thu Aug 02, 2012 7:05 pm
Location: WNC

Re: Investors: be aware of weakness in 2FA + strengthening

Post by bayview »

FIREchief wrote: Sun May 24, 2020 10:57 pm
bayview wrote: Sun May 24, 2020 10:42 pm
FoolMeOnce wrote: Sun May 24, 2020 10:08 pm
oldfort wrote: Sun May 24, 2020 12:58 pm
FIREchief wrote: Sun May 24, 2020 12:35 pm I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA altogether.
I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?

You miss the point. The point is that the hacker would have no way of knowing that you used "gibberish" for your security answers.
No, you missed MY point in replying to FoolMeOnce, who posited a scenario where CS would see the name of a high school, and as a result, challenged the caller. I was asking FoolMeOnce how CS would even have seen the name of a school.
The continuous execution of a sound strategy gives you the benefit of the strategy. That's what it's all about. --Rick Ferri
Ged
Posts: 3923
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Ged »

Vulcan wrote: Sun May 24, 2020 2:16 pm
mhalley wrote: Sun May 24, 2020 12:29 pm I switched my 2fa to google voice secured by a google key. I feel this gives the best security aside from completely going to a key system.
+1

Or Google Fi if you use them as your carrier.
I use Google Fi as my carrier with my Google Account secured with Yubi keys. A backup key is stored in a safe deposit box along with a few one-time codes.

Login to my brokerage account from a new computer requires an SMS code sent to my phone.

I've read that there are some potential hacks that can intercept the SMS message. Is the Authenticator better in this case? Or is it vulnerable to the same problems.
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

FIREchief wrote: Sun May 24, 2020 10:57 pm
bayview wrote: Sun May 24, 2020 10:42 pm
FoolMeOnce wrote: Sun May 24, 2020 10:08 pm
oldfort wrote: Sun May 24, 2020 12:58 pm
FIREchief wrote: Sun May 24, 2020 12:35 pm I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA altogether.
I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?

You miss the point. The point is that the hacker would have no way of knowing that you used "gibberish" for your security answers.
Then, modify the script slightly: I used fake answers and don't remember them. According to livesoft, it was very easy for him to get his account reset on the phone without knowing any security questions.
spammagnet
Posts: 1156
Joined: Wed Apr 27, 2016 9:42 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by spammagnet »

sd323232 wrote: Sun May 24, 2020 12:32 pm the only solid 2FA is when you use google authenticator. 2FA using a phone is very weak and can be hacked. So be very careful
Google Authenticator doesn't offer backup. Authy does.
FIREchief
Posts: 5331
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

oldfort wrote: Sun May 24, 2020 11:23 pm
FIREchief wrote: Sun May 24, 2020 10:57 pm
bayview wrote: Sun May 24, 2020 10:42 pm
FoolMeOnce wrote: Sun May 24, 2020 10:08 pm
oldfort wrote: Sun May 24, 2020 12:58 pm

I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?

You miss the point. The point is that the hacker would have no way of knowing that you used "gibberish" for your security answers.
Then, modify the script slightly: I used fake answers and don't remember them. According to livesoft, it was very easy for him to get his account reset on the phone without knowing any security questions.
Fair enough. But having a brokerage "reset the account to allow him to enter new security responses" is a whole lot different than them just blindly sending a password reset link, which is what some are suggesting would happen.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
User avatar
FIREchief
Posts: 5331
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

bayview wrote: Sun May 24, 2020 11:03 pm
FIREchief wrote: Sun May 24, 2020 10:57 pm
bayview wrote: Sun May 24, 2020 10:42 pm
FoolMeOnce wrote: Sun May 24, 2020 10:08 pm
oldfort wrote: Sun May 24, 2020 12:58 pm

I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?

You miss the point. The point is that the hacker would have no way of knowing that you used "gibberish" for your security answers.
No, you missed MY point in replying to FoolMeOnce, who posited a scenario where CS would see the name of a high school, and as a result, challenged the caller. I was asking FoolMeOnce how CS would even have seen the name of a school.
I don't know anything about this stuff. If you're suggesting that the CS would not have access to the security answers that were entered, that would make a whole lot of sense and further derail this silly discussion (thankfully! :sharebeer )
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

FIREchief wrote: Sun May 24, 2020 11:45 pm
oldfort wrote: Sun May 24, 2020 11:23 pm
FIREchief wrote: Sun May 24, 2020 10:57 pm
bayview wrote: Sun May 24, 2020 10:42 pm
FoolMeOnce wrote: Sun May 24, 2020 10:08 pm

I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?

You miss the point. The point is that the hacker would have no way of knowing that you used "gibberish" for your security answers.
Then, modify the script slightly: I used fake answers and don't remember them. According to livesoft, it was very easy for him to get his account reset on the phone without knowing any security questions.
Fair enough. But having a brokerage "reset the account to allow him to enter new security responses" is a whole lot different than them just blindly sending a password reset link, which is what some are suggesting would happen.
I fail to see a distinction, other than Vanguard sending SMS codes.
User avatar
Stef
Posts: 1145
Joined: Thu Oct 10, 2019 10:13 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Stef »

I use Google Authenticator for Gmail and my social media accounts and the Authenticator app for IBKR.

I don't know what to do more.
User avatar
Vulcan
Posts: 1327
Joined: Sat Apr 05, 2014 11:43 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Vulcan »

spammagnet wrote: Sun May 24, 2020 11:24 pm
sd323232 wrote: Sun May 24, 2020 12:32 pm The only solid 2FA is when you use Google Authenticator. 2FA using a phone is very weak and can be hacked. So be very careful.
Google Authenticator doesn't offer backup. Authy does.
"Authy"? I think not.

You don't need to back up your 2FA on 3rd party servers.

Just save screenshots of the barcodes as you add them to the Authenticator app and save them in a Google Doc and/or offline.

And recently, Authenticator app added the export feature.
It gives you a big barcode of all your saved accounts. It won't let you take a screenshot, but you can photograph it with another phone.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
User avatar
Vulcan
Posts: 1327
Joined: Sat Apr 05, 2014 11:43 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Vulcan »

Ged wrote: Sun May 24, 2020 11:21 pm
Vulcan wrote: Sun May 24, 2020 2:16 pm
mhalley wrote: Sun May 24, 2020 12:29 pm I switched my 2FA to Google Voice secured by a Google key. I feel this gives the best security aside from completely going to a key system.
+1

Or Google Fi if you use them as your carrier.
I use Google Fi as my carrier with my Google Account secured with Yubi keys. A backup key is stored in a safe deposit box along with a few one-time codes.

Login to my brokerage account from a new computer requires a SMS code sent to my phone.

I've read that there are some potential hacks that can intercept the SMS message. Is the Authenticator better in this case? Or is it vulnerable to the same problems?
It's perfectly fine either way.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
investing engineer
Posts: 115
Joined: Thu Aug 27, 2015 5:14 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by investing engineer »

jajlrajrf wrote: Sun May 24, 2020 12:02 pm
Where's a weakness ?
Since the code is being sent from a central location to your phone, it's subject to a number of attacks along the way.
Are you sure? Schwab uses Symantec VIP. Cut off your phone's internet and it still generates a code.
sd323232
Posts: 653
Joined: Thu Jun 21, 2018 4:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by sd323232 »

spammagnet wrote: Sun May 24, 2020 11:24 pm
sd323232 wrote: Sun May 24, 2020 12:32 pm The only solid 2FA is when you use Google Authenticator. 2FA using a phone is very weak and can be hacked. So be very careful.
Google Authenticator doesn't offer backup. Authy does.
Dang, I never heard of Authy, but I went to their website and I'm switching to them; they look like a superior Google Authenticator. Thank you!
User avatar
oldcomputerguy
Moderator
Posts: 9227
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods in East Tennessee

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldcomputerguy »

mhalley wrote: Sun May 24, 2020 12:29 pm I switched my 2FA to Google Voice secured by a Google key. I feel this gives the best security aside from completely going to a key system.
I have my Google account (including gmail) set up for two methods of 2FA: Google Authenticator is primary, Yubikey is secondary. I do not have an SMS method enabled on my Gmail account.
"I’ve come around to this: If you’re dumb, surround yourself with smart people; and if you’re smart, surround yourself with smart people who disagree with you." (Aaron Sorkin)
L82GAME
Posts: 329
Joined: Sat Dec 07, 2019 9:29 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by L82GAME »

oldcomputerguy wrote: Mon May 25, 2020 5:47 am
mhalley wrote: Sun May 24, 2020 12:29 pm I switched my 2FA to Google Voice secured by a Google key. I feel this gives the best security aside from completely going to a key system.
I have my Google account (including gmail) set up for two methods of 2FA: Google Authenticator is primary, Yubikey is secondary. I do not have an SMS method enabled on my Gmail account.
+1, but Yubikey is my primary.
MikeG62
Posts: 3119
Joined: Tue Nov 15, 2016 3:20 pm
Location: New Jersey

Re: Investors: be aware of weakness in 2FA + strengthening

Post by MikeG62 »

bayview wrote: Sat May 23, 2020 10:52 pm
decapod10 wrote: Sat May 23, 2020 10:27 pm From what I have read, it is more difficult to SIM swap Verizon phones vs other phones. I'm not sure how true it is, but they say that the network verifies the IMEI of your phone with their records, which makes SIM swapping harder.

Source:
https://www.vice.com/en_us/article/kz43 ... d-t-mobile

Also, Verizon has a setting called "Number Lock" which locks your phone number to your line and can't be moved to another line or carrier. I learned about this recently and activated it.

Source (scroll down to #5)
https://www.verizonwireless.com/support ... safe-faqs/
Just activated Number Lock. Thanks!!
+1.

I do have a PIN set up and Verizon always asks for it anytime I call in for anything. However, this seems like an easy add-on security measure and took all of 30 seconds to do it on the four lines on my account. Thanks decapod10.
Real Knowledge Comes Only From Experience
sd323232
Posts: 653
Joined: Thu Jun 21, 2018 4:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by sd323232 »

MikeG62 wrote: Mon May 25, 2020 6:56 am
bayview wrote: Sat May 23, 2020 10:52 pm
decapod10 wrote: Sat May 23, 2020 10:27 pm From what I have read, it is more difficult to SIM swap Verizon phones vs other phones. I'm not sure how true it is, but they say that the network verifies the IMEI of your phone with their records, which makes SIM swapping harder.

Source:
https://www.vice.com/en_us/article/kz43 ... d-t-mobile

Also, Verizon has a setting called "Number Lock" which locks your phone number to your line and can't be moved to another line or carrier. I learned about this recently and activated it.

Source (scroll down to #5)
https://www.verizonwireless.com/support ... safe-faqs/
Just activated Number Lock. Thanks!!
+1.

I do have a PIN set up and Verizon always asks for it anytime I call in for anything. However, this seems like an easy add-on security measure and took all of 30 seconds to do it on the four lines on my account. Thanks decapod10.
Dang, this thread is great, I'm learning all kinds of new stuff!
spammagnet
Posts: 1156
Joined: Wed Apr 27, 2016 9:42 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by spammagnet »

Vulcan wrote: Mon May 25, 2020 2:20 am And recently, Authenticator app added the export feature.
It gives you a big barcode of all your saved accounts. It won't let you take a screenshot, but you can photograph it with another phone.
Hmm... I may switch back to Google Authenticator.
FoolMeOnce
Posts: 983
Joined: Mon Apr 24, 2017 11:16 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FoolMeOnce »

bayview wrote: Sun May 24, 2020 10:42 pm
FoolMeOnce wrote: Sun May 24, 2020 10:08 pm
oldfort wrote: Sun May 24, 2020 12:58 pm
FIREchief wrote: Sun May 24, 2020 12:35 pm I have no idea, because I haven't used Vanguard in years. That said, it's good to keep our accounts as secure as possible, but we don't really hear any reports of these worst case scenarios happening. Anything "could" happen, but I'm guessing most of the theft going on is caused by people not protecting their logon credentials and likely skipping 2FA all together.
I don't know either, but my guess is the conversation would go something like this at most investment companies.

Customer: I need to reset my password but don't remember the answers to my security questions.
Customer Support: How can you not remember what high school you went to?
Customer: I put gibberish in the answers for greater security.
Customer Support: Looks at screen and sees high school was c5%aD7uI90. It looks like gibberish to me too, let me talk to a supervisor.
Supervisor: Send a reset code via SMS or link via email, which bypasses the security questions.
I think almost every time it would go:

Customer Support: Looks at screen and sees high school was Lincoln High. Nice try, hacker.
How would CS know that you had gone to Lincoln High if you had never entered that? Is CS accessing LexisNexis now?
My point is that most people answer the questions legitimately. A hacker doesn't know you entered gibberish. If a hacker tries to access and reset your account and says "I just entered gibberish," the hacker would fail almost every time. The customer service rep would almost always see a real school, e.g. Lincoln High. They would have to try account after account until they luck upon one with gibberish.

This makes me think that you are better off using a random word than gibberish. At least with gibberish, they can try over and over until they get to an account that has a random string of text. Perhaps school: mango; best friend: corsair; pet: ice cream sandwich... is safer.
jajlrajrf
Posts: 141
Joined: Sun Feb 09, 2020 6:15 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by jajlrajrf »

xuphys wrote: Mon May 25, 2020 4:32 am
jajlrajrf wrote: Sun May 24, 2020 12:02 pm
Where's a weakness ?
Since the code is being sent from a central location to your phone, it's subject to a number of attacks along the way.
Are you sure? Schwab uses Symantec VIP. Cut off your phone's internet and it still generates a code.
I'm specifically talking about using 2FA via SMS
User avatar
AAA
Posts: 1388
Joined: Sat Jan 12, 2008 8:56 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by AAA »

YoungSisyphus wrote: Sat May 23, 2020 10:18 pm Thought I’d share based on news I’ve been seeing. Please be aware that hackers are attacking 2FA through telecommunication carriers.
Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone, except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a PIN. Other than preventing me from accessing my account, what can happen?
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

HawkeyePierce wrote: Sun May 24, 2020 2:16 pm
SMS 2FA is principally vulnerable to two attacks:
  • SIM swaps, in which an attacker convinces the mobile provider to transfer the number
  • Phishing, where you unknowingly enter the SMS 2FA code into an attacker's website, the attacker then uses it to log in to the real website
App-based 2FA like Google Authenticator is equally as vulnerable to phishing attacks as SMS 2FA. This attack is far more common than SIM swapping anyways.

Phishing can be automated by attackers so they can go after many victims at once.
Is app-based two-factor authentication really just as vulnerable to phishing attacks as SMS-based two-factor authentication?

Google Authenticator generates a new code every 30 seconds. Even automated, that allows a lot less time to successfully execute, whereas codes sent via SMS are usually good for at least 10 minutes (I know of at least one financial institution where the code is good for 30 minutes).
HawkeyePierce wrote: Sun May 24, 2020 2:16 pm Both app-based and SMS 2FA are inferior to physical tokens like Yubikeys, as Yubikeys are *not* vulnerable to phishing. The current consensus among security professionals is that Yubikeys are the only surefire way to prevent phishing attacks.
Hardware-based two-factor authentication is clearly more secure - the issue is widespread adoption. Most people already own a device that is capable of running an authentication app (either a smartphone or tablet).
investing engineer
Posts: 115
Joined: Thu Aug 27, 2015 5:14 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by investing engineer »

AAA wrote: Mon May 25, 2020 1:12 pm
YoungSisyphus wrote: Sat May 23, 2020 10:18 pm Thought I’d share based on news I’ve been seeing. Please be aware that hackers are attacking 2FA through telecommunication carriers.
Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone, except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a PIN. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. Then they can receive the verification code that was supposed to be sent to you.
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

Silence Dogood wrote: Mon May 25, 2020 1:16 pm
HawkeyePierce wrote: Sun May 24, 2020 2:16 pm
SMS 2FA is principally vulnerable to two attacks:
  • SIM swaps, in which an attacker convinces the mobile provider to transfer the number
  • Phishing, where you unknowingly enter the SMS 2FA code into an attacker's website, the attacker then uses it to log in to the real website
App-based 2FA like Google Authenticator is equally as vulnerable to phishing attacks as SMS 2FA. This attack is far more common than SIM swapping anyways.

Phishing can be automated by attackers so they can go after many victims at once.
Is app-based two-factor authentication really just as vulnerable to phishing attacks as SMS-based two-factor authentication?

Google Authenticator generates a new code every 30 seconds. Even automated, that allows a lot less time to successfully execute, whereas codes sent via SMS are usually good for at least 10 minutes (I know of at least one financial institution where the code is good for 30 minutes).
HawkeyePierce wrote: Sun May 24, 2020 2:16 pm Both app-based and SMS 2FA are inferior to physical tokens like Yubikeys, as Yubikeys are *not* vulnerable to phishing. The current consensus among security professionals is that Yubikeys are the only surefire way to prevent phishing attacks.
Hardware-based two-factor authentication is clearly more secure - the issue is widespread adoption. Most people already own a device that is capable of running an authentication app (either a smartphone or tablet).
If the user types in the new code, what difference does it make whether it's good for 30 seconds or 10 minutes?
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

oldfort wrote: Mon May 25, 2020 1:25 pm If the user types in the new code, what difference does it make whether it's good for 30 seconds or 10 minutes?
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
  • The hacker has a program that automatically fills in the actual Vanguard website with the information you just provided.
  • As soon as this happens, you receive a code via SMS (a text-message).
  • You enter the code into the fake "vamguard.com" website.
  • The hacker's program automatically enters the code you just provided into the real "vanguard.com".
In practice, since the program will be working extremely fast, it probably won't make much of a difference. Having said that, technically-speaking, allowing the hacker only 30 seconds at most (15 seconds on average) to pull this off, rather than 10 minutes, makes it more difficult to successfully execute.
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

Silence Dogood wrote: Mon May 25, 2020 1:43 pm
oldfort wrote: Mon May 25, 2020 1:25 pm If the user types in the new code, what difference does it make whether it's good for 30 seconds or 10 minutes?
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
  • The hacker has a program that automatically fills in the actual Vanguard website with the information you just provided.
  • As soon as this happens, you receive a code via SMS (a text-message).
  • You enter the code into the fake "vamguard.com" website.
  • The hacker's program automatically enters the code you just provided into the real "vanguard.com".
In practice, since the program will be working extremely fast, it probably won't make much of a difference. Having said that, technically-speaking, allowing the hacker only 30 seconds at most (15 seconds on average) to pull this off, rather than 10 minutes, makes it more difficult to successfully execute.
I'm willing to bet the time it takes the fake web site to retransmit the code is noise compared to the length of time it takes a user to go to the VIP app and then type in the code.
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

oldfort wrote: Mon May 25, 2020 1:52 pm
Silence Dogood wrote: Mon May 25, 2020 1:43 pm
oldfort wrote: Mon May 25, 2020 1:25 pm If the user types in the new code, what difference does it make whether it's good for 30 seconds or 10 minutes?
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
  • The hacker has a program that automatically fills in the actual Vanguard website with the information you just provided.
  • As soon as this happens, you receive a code via SMS (a text-message).
  • You enter the code into the fake "vamguard.com" website.
  • The hacker's program automatically enters the code you just provided into the real "vanguard.com".
In practice, since the program will be working extremely fast, it probably won't make much of a difference. Having said that, technically-speaking, allowing the hacker only 30 seconds at most (15 seconds on average) to pull this off, rather than 10 minutes, makes it more difficult to successfully execute.
I'm willing to bet the time it takes the fake web site to retransmit the code is noise compared to the length of time it takes a user to go to the VIP app and then type in the code.
Well, to be clear, the app-based code is only good for 30 seconds (at most - on average 15 seconds), regardless of how long it takes the user to open the app. So the time that it takes the user to open the app is not relevant.

I do agree though, as I stated in my post, that it likely won't make much of a difference, given the speed with which the hacker's program will likely execute the attack. I am not stating that it is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS.

Having said that, I suppose one could make it a habit to wait until the last moment (< 5 seconds) to enter the code, if one is particularly concerned.
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

Silence Dogood wrote: Mon May 25, 2020 2:12 pm
oldfort wrote: Mon May 25, 2020 1:52 pm
Silence Dogood wrote: Mon May 25, 2020 1:43 pm
oldfort wrote: Mon May 25, 2020 1:25 pm If the user types in the new code, what difference does it make whether it's good for 30 seconds or 10 minutes?
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
  • The hacker has a program that automatically fills in the actual Vanguard website with the information you just provided.
  • As soon as this happens, you receive a code via SMS (a text-message).
  • You enter the code into the fake "vamguard.com" website.
  • The hacker's program automatically enters the code you just provided into the real "vanguard.com".
In practice, since the program will be working extremely fast, it probably won't make much of a difference. Having said that, technically-speaking, allowing the hacker only 30 seconds at most (15 seconds on average) to pull this off, rather than 10 minutes, makes it more difficult to successfully execute.
I'm willing to bet the time it takes the fake web site to retransmit the code is noise compared to the length of time it takes a user to go to the VIP app and then type in the code.
Well, to be clear, the app-based code is only good for 30 seconds (at most - on average 15 seconds), regardless of how long it takes the user to open the app. So the time that it takes the user to open the app is not relevant.

I do agree though, as I stated in my post, that it likely won't make much of a difference, given the speed with which the hacker's program will likely execute the attack. I am not stating that it is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS.

Having said that, I suppose one could make it a habit to wait until the last moment (< 5 seconds) to enter the code, if one is particularly concerned.
If it didn't work the first time, wouldn't most phished users retry and type in the next code?
JBTX
Posts: 6984
Joined: Wed Jul 26, 2017 12:46 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by JBTX »

I called AT&T to verify the procedure:

1. If you set up a 4-8 digit passcode (not the same as your password) then you will have to give or enter that passcode any time you make changes to your account, including moving your cell number to a different SIM.
2. If moving the SIM, they will also send a one-time PIN to your phone and you will have to recite or enter it.

Thus hacker would have to overcome those 2 measures to complete cell phone number transfer. As long as humans are involved anything is possible but that is a pretty high bar.

In terms of Vanguard, if you have a voice password, change your security questions to something not easily hackable, have a dedicated or limited-use email for your most secure financial accounts, and have measures set up at AT&T as above or Verizon's lock, it seems to me there are multiple layers of security there.
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

oldfort wrote: Mon May 25, 2020 2:39 pm
Silence Dogood wrote: Mon May 25, 2020 2:12 pm
oldfort wrote: Mon May 25, 2020 1:52 pm
Silence Dogood wrote: Mon May 25, 2020 1:43 pm
oldfort wrote: Mon May 25, 2020 1:25 pm If the user types in the new code, what difference does it make whether it's good for 30 seconds or 10 minutes?
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
  • The hacker has a program that automatically fills in the actual Vanguard website with the information you just provided.
  • As soon as this happens, you receive a code via SMS (a text-message).
  • You enter the code into the fake "vamguard.com" website.
  • The hacker's program automatically enters the code you just provided into the real "vanguard.com".
In practice, since the program will be working extremely fast, it probably won't make much of a difference. Having said that, technically-speaking, allowing the hacker only 30 seconds at most (15 seconds on average) to pull this off, rather than 10 minutes, makes it more difficult to successfully execute.
I'm willing to bet the time it takes the fake web site to retransmit the code is noise compared to the length of time it takes a user to go to the VIP app and then type in the code.
Well, to be clear, the app-based code is only good for 30 seconds (at most - on average 15 seconds), regardless of how long it takes the user to open the app. So the time that it takes the user to open the app is not relevant.

I do agree though, as I stated in my post, that it likely won't make much of a difference, given the speed with which the hacker's program will likely execute the attack. I am not stating that it is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS.

Having said that, I suppose one could make it a habit to wait until the last moment (< 5 seconds) to enter the code, if one is particularly concerned.
If it didn't work the first time, wouldn't most phished users retry and type in the next code?
Well, it's a bit more complicated than that.

The fake website will likely generate a message stating some kind of iteration of: "This website is temporarily down for maintenance, please try back again later." This fake website would likely just be a "dummy" website. For example, you could enter "Mickey Mouse" as your username and "Minnie Mouse" as your password and it would still load the same pages as entering your actual username and password would.

Of course, a more advanced hacker could create a fake website/program that responds to incorrect (or expired) information. That hacker would then have an additional 30 seconds (at most - 15 seconds on average) to successfully execute the attack. Hopefully this would be a "red flag" for the user.

But again, as I've mentioned previously, I am not stating that app-based two-factor authentication is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS-based two-factor authentication.

Hardware-based two-factor authentication is clearly superior. The issue is getting people to actually buy the hardware! A large majority of internet-using Americans already own either a smartphone or tablet. (Remember, the most common password in 2019 was "123456" - are a majority of people going to buy a YubiKey?) App-based two-factor authentication also solves other problems, from SIM swaps (topic of this thread) to poor cell reception.
oldfort
Posts: 1758
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

Silence Dogood wrote: Mon May 25, 2020 4:02 pm Well, it's a bit more complicated than that.

The fake website will likely generate a message stating some kind of iteration of: "This website is temporarily down for maintenance, please try back again later." This fake website would likely just be a "dummy" website. For example, you could enter "Mickey Mouse" as your username and "Minnie Mouse" as your password and it would still load the same pages as entering your actual username and password would.

Of course, a more advanced hacker could create a fake website/program that responds to incorrect (or expired) information. That hacker would then have an additional 30 seconds (at most - 15 seconds on average) to successfully execute the attack. Hopefully this would be a "red flag" for the user.

But again, as I've mentioned previously, I am not stating that app-based two-factor authentication is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS-based two-factor authentication.
Real-time phishing is more sophisticated than this. They mimic the look and functionality of real Web sites.
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

oldfort wrote: Mon May 25, 2020 4:24 pm
Silence Dogood wrote: Mon May 25, 2020 4:02 pm Well, it's a bit more complicated than that.

The fake website will likely generate a message stating some kind of iteration of: "This website is temporarily down for maintenance, please try back again later." This fake website would likely just be a "dummy" website. For example, you could enter "Mickey Mouse" as your username and "Minnie Mouse" as your password and it would still load the same pages as entering your actual username and password would.

Of course, a more advanced hacker could create a fake website/program that responds to incorrect (or expired) information. That hacker would then have an additional 30 seconds (at most - 15 seconds on average) to successfully execute the attack. Hopefully this would be a "red flag" for the user.

But again, as I've mentioned previously, I am not stating that app-based two-factor authentication is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS-based two-factor authentication.
Real-time phishing is more sophisticated than this. They mimic the look and functionality of real Web sites.
Yes, I realize that an advanced hacker can set up a fake website that is advanced enough to pull this off.

As I mentioned above:
In practice, since the program will be working extremely fast, it probably won't make much of a difference. Having said that, technically-speaking, allowing the hacker only 30 seconds at most (15 seconds on average) to pull this off, rather than 10 minutes, makes it more difficult to successfully execute.
But again, as I've mentioned previously, I am not stating that app-based two-factor authentication is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS-based two-factor authentication.
Of course, a more advanced hacker could create a fake website/program that responds to incorrect (or expired) information. That hacker would then have an additional 30 seconds (at most - 15 seconds on average) to successfully execute the attack. Hopefully this would be a "red flag" for the user.
My point is simple: app-based two-factor authentication is more secure than SMS-based two-factor authentication.

I also believe that app-based two-factor authentication is technically less vulnerable to phishing attacks than SMS-based two-factor authentication. After all, if time is not a factor, why should the codes expire at all?

Hardware-based two-factor authentication is even more secure than app-based two-factor authentication, but there is the problem of widespread adoption.
Kookaburra
Posts: 353
Joined: Thu Apr 02, 2020 11:14 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Kookaburra »

At this point, homing pigeons seem like a good idea for delivery of a code.
AAA
Posts: 1388
Joined: Sat Jan 12, 2008 8:56 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by AAA »

xuphys wrote: Mon May 25, 2020 1:17 pm
AAA wrote: Mon May 25, 2020 1:12 pm
YoungSisyphus wrote: Sat May 23, 2020 10:18 pm Thought I’d share based on news I’ve been seeing. Please be aware that hackers are attacking 2FA through telecommunication carriers.
Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a pin number. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?