Investors: be aware of weakness in 2FA + strengthening

investing engineer
Posts: 115
Joined: Thu Aug 27, 2015 5:14 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by investing engineer »

AAA wrote: Mon May 25, 2020 9:46 pm
xuphys wrote: Mon May 25, 2020 1:17 pm
AAA wrote: Mon May 25, 2020 1:12 pm
YoungSisyphus wrote: Sat May 23, 2020 10:18 pm Thought I’d share based on news I’ve been seeing. Please be aware that hackers are attacking 2FA through telecommunication carriers.
Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a pin number. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
Ferdinand2014
Posts: 1689
Joined: Mon Dec 17, 2018 6:49 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Ferdinand2014 »

FIREchief wrote: Sun May 24, 2020 12:39 am
HawkeyePierce wrote: Sat May 23, 2020 11:11 pm
FIREchief wrote: Sat May 23, 2020 10:45 pm Does this apply in any way to 2FA that uses Symantec VIP, such as at Fidelity?
No.
Thanks. I thought so. One more reason to prefer Fidelity.
Fidelity also does voice recognition and allows transfer lockdowns.
“You only find out who is swimming naked when the tide goes out.” — Warren Buffett
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

Kookaburra wrote: Mon May 25, 2020 9:44 pm At this point, homing pigeons seem like a good idea for delivery of a code.
Don't get me started on pigeon-based two-factor authentication... :P
FIREchief
Posts: 5316
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

Ferdinand2014 wrote: Mon May 25, 2020 10:00 pm
FIREchief wrote: Sun May 24, 2020 12:39 am
HawkeyePierce wrote: Sat May 23, 2020 11:11 pm
FIREchief wrote: Sat May 23, 2020 10:45 pm Does this apply in any way to 2FA that uses Symantec VIP, such as at Fidelity?
No.
Thanks. I thought so. One more reason to prefer Fidelity.
Fidelity also does voice recognition and allows transfer lockdowns.
Yep. They also provide immediate text notifications of transfers and tend to subject mine to "review" prior to execution. I'm not sure if this is true for every account, but it does introduce a (much welcomed) delay while an actual human reviews it. Have you used the transfer lockdown feature?
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
Ferdinand2014
Posts: 1689
Joined: Mon Dec 17, 2018 6:49 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Ferdinand2014 »

FIREchief wrote: Mon May 25, 2020 11:17 pm
Ferdinand2014 wrote: Mon May 25, 2020 10:00 pm
FIREchief wrote: Sun May 24, 2020 12:39 am
HawkeyePierce wrote: Sat May 23, 2020 11:11 pm
FIREchief wrote: Sat May 23, 2020 10:45 pm Does this apply in any way to 2FA that uses Symantec VIP, such as at Fidelity?
No.
Thanks. I thought so. One more reason to prefer Fidelity.
Fidelity also does voice recognition and allows transfer lockdowns.
Yep. They also provide immediate text notifications of transfers and tend to subject mine to "review" prior to execution. I'm not sure if this is true for every account, but it does introduce a (much welcomed) delay while an actual human reviews it. Have you used the transfer lockdown feature?
I use transfer lockdown, VIP and voice recognition.
“You only find out who is swimming naked when the tide goes out.” — Warren Buffett
abuss368
Posts: 21593
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Investors: be aware of weakness in 2FA + strengthening

Post by abuss368 »

Vanguard has voice verification and you can setup an enhanced password to identify yourself.

I want to check with Vanguard if they have transfer lockdown available. Not entirely sure what that means however as I am not with Fidelity. Can someone explain in more detail?
John C. Bogle: “Simplicity is the master key to financial success."
bayview
Posts: 2266
Joined: Thu Aug 02, 2012 7:05 pm
Location: WNC

Re: Investors: be aware of weakness in 2FA + strengthening

Post by bayview »

Silence Dogood wrote: Mon May 25, 2020 10:45 pm
Kookaburra wrote: Mon May 25, 2020 9:44 pm At this point, homing pigeons seem like a good idea for delivery of a code.
Don't get me started on pigeon-based two-factor authentication... :P
I immediately flashed on the flock of message-carrying ravens on Game of Thrones being brought down by a rain of arrows. :D
The continuous execution of a sound strategy gives you the benefit of the strategy. That's what it's all about. --Rick Ferri
FIREchief
Posts: 5316
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

Ferdinand2014 wrote: Tue May 26, 2020 6:25 am
FIREchief wrote: Mon May 25, 2020 11:17 pm
Ferdinand2014 wrote: Mon May 25, 2020 10:00 pm
FIREchief wrote: Sun May 24, 2020 12:39 am
HawkeyePierce wrote: Sat May 23, 2020 11:11 pm

No.
Thanks. I thought so. One more reason to prefer Fidelity.
Fidelity also does voice recognition and allows transfer lockdowns.
Yep. They also provide immediate text notifications of transfers and tend to subject mine to "review" prior to execution. I'm not sure if this is true for every account, but it does introduce a (much welcomed) delay while an actual human reviews it. Have you used the transfer lockdown feature?
I use transfer lockdown, VIP and voice recognition.
Thanks. Can you give us a brief primer on how transfer lockdown works from a user perspective?
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
Ferdinand2014
Posts: 1689
Joined: Mon Dec 17, 2018 6:49 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Ferdinand2014 »

FIREchief wrote: Tue May 26, 2020 11:39 am
Ferdinand2014 wrote: Tue May 26, 2020 6:25 am
FIREchief wrote: Mon May 25, 2020 11:17 pm
Ferdinand2014 wrote: Mon May 25, 2020 10:00 pm
FIREchief wrote: Sun May 24, 2020 12:39 am

Thanks. I thought so. One more reason to prefer Fidelity.
Fidelity also does voice recognition and allows transfer lockdowns.
Yep. They also provide immediate text notifications of transfers and tend to subject mine to "review" prior to execution. I'm not sure if this is true for every account, but it does introduce a (much welcomed) delay while an actual human reviews it. Have you used the transfer lockdown feature?
I use transfer lockdown, VIP and voice recognition.
Thanks. Can you give us a brief primer on how transfer lockdown works from a user perspective?
Go under security settings, click lockdown, and choose which accounts to block any outgoing transfers from. Does not affect bill pay, but any EFT. You will need VIP, username, and password to unlock.
“You only find out who is swimming naked when the tide goes out.” — Warren Buffett
AAA
Posts: 1387
Joined: Sat Jan 12, 2008 8:56 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by AAA »

xuphys wrote: Mon May 25, 2020 9:55 pm
AAA wrote: Mon May 25, 2020 9:46 pm
xuphys wrote: Mon May 25, 2020 1:17 pm
AAA wrote: Mon May 25, 2020 1:12 pm
YoungSisyphus wrote: Sat May 23, 2020 10:18 pm Thought I’d share based on news I’ve been seeing. Please be aware that hackers are attacking 2FA through telecommunication carriers.
Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a pin number. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy to reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN e.g. 123456?
FIREchief
Posts: 5316
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

Ferdinand2014 wrote: Tue May 26, 2020 12:41 pm
FIREchief wrote: Tue May 26, 2020 11:39 am
Ferdinand2014 wrote: Tue May 26, 2020 6:25 am
FIREchief wrote: Mon May 25, 2020 11:17 pm
Ferdinand2014 wrote: Mon May 25, 2020 10:00 pm

Fidelity also does voice recognition and allows transfer lockdowns.
Yep. They also provide immediate text notifications of transfers and tend to subject mine to "review" prior to execution. I'm not sure if this is true for every account, but it does introduce a (much welcomed) delay while an actual human reviews it. Have you used the transfer lockdown feature?
I use transfer lockdown, VIP and voice recognition.
Thanks. Can you give us a brief primer on how transfer lockdown works from a user perspective?
Go under security settings, click lockdown, and choose which accounts to block any outgoing transfers from. Does not affect bill pay, but any EFT. You will need VIP, username, and password to unlock.
Thanks. I just looked into this. It appears that the only real protection it provides is from external pulls. If anybody is able to login to my account, then it looks like they could just toggle the lockdown off and proceed with their theft. I'm not saying this transfer lockdown is a bad thing, but it's not the ultimate answer either. I believe my Fidelity rep once told me that a customer can request a more permanent locking of accounts so that any transfer out would require a phone call (I assume with voice recognition and some other forms of identification). I haven't read any reports here on the forum of anybody pursuing that.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
oldfort
Posts: 1739
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

AAA wrote: Tue May 26, 2020 12:56 pm
xuphys wrote: Mon May 25, 2020 9:55 pm
AAA wrote: Mon May 25, 2020 9:46 pm
xuphys wrote: Mon May 25, 2020 1:17 pm
AAA wrote: Mon May 25, 2020 1:12 pm

Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a pin number. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy to reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN e.g. 123456?
Assume your SSN is available for sale on the dark web.
SpaethCo
Posts: 235
Joined: Thu Jan 14, 2016 12:58 am
Location: Minneapolis

Re: Investors: be aware of weakness in 2FA + strengthening

Post by SpaethCo »

Silence Dogood wrote: Mon May 25, 2020 5:14 pm I also believe that app-based two-factor authentication is technically less vulnerable to phishing attacks than SMS-based two-factor authentication. After all, if time is not a factor, why should the codes expire at all?
TOTP doesn't provide security because of the rolling codes. It provides security because it forces people to have at least one aspect of identity be unique to that site. That people use the same user/pass combo across multiple sites is the primary reason that 2FA provides any kind of protection - people set themselves up to be vulnerable to credential stuffing.

In terms of phishing, everything except U2F is fully phishable. Solutions like Google Prompt, where you get a pop-up in Gmail on a trusted device, or commercial solutions like Duo non-intuitively make people more susceptible to clever phishing strategies. I work on "red team" exercises where we exploit other employees in the company to test our security posture. You could have a user on a Windows machine in Arizona get sent a phishing link, they'd start to log in, get a Duo notification to accept a login from "an iPhone in London, UK" and they'd authorize it. Conversion rates on these attacks were pushing 80% if we did it first thing in the morning or towards the end of the working day when people are paying even less attention. In surveys after we successfully exploit them, the common response is "If the link I clicked didn't send me to a valid site, then why did I get a notification in Duo?"

The best security for the average person is a password manager that will autofill your credentials only into a matching domain. The password manager allows you to have unique passwords for each site, preventing credential stuffing, and it allows for validation of the domain for which credentials are being entered. If the password manager isn't filling in your credentials, that's your cue to start looking very closely at the site you ended up on.
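The post above makes three claims that are easy to check in code: a relayed TOTP code is indistinguishable from a genuine one at the server, a U2F assertion is bound to the origin the browser saw and so fails when relayed from a look-alike site, and a password manager that fills only on an exactly matching host stays silent on the look-alike. The simulation below is an added example and not SpaethCo's code or any vendor's; the vault entry, secrets, challenge and the `vamguard.com` look-alike from earlier in the thread are constructed, and the U2F signature uses HMAC as a stand-in for the ECDSA signature a real key produces. The HOTP/TOTP functions follow RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

REAL_ORIGIN = "https://vanguard.com"    # genuine site from the thread's example
PHISH_ORIGIN = "https://vamguard.com"   # look-alike site from the thread's example

# Constructed vault entry: the password manager keys credentials by the host they were saved on.
VAULT = {"vanguard.com": ("alice", "correct-horse-battery-staple")}


def autofill(url: str) -> Optional[Tuple[str, str]]:
    """Password manager rule: fill only when the page host exactly matches the saved host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return VAULT.get(host)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step)


def totp_verify(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check accepting the current step plus or minus `window` steps."""
    base = unix_time // step
    return any(hmac.compare_digest(hotp(secret, base + k), code) for k in range(-window, window + 1))


def u2f_sign(key_secret: bytes, origin: str, challenge: str) -> Tuple[str, str]:
    """Simplified U2F assertion. The browser, not the page, supplies `origin`, and the
    authenticator signs over it. HMAC stands in for the real key's ECDSA signature."""
    client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True)
    sig = hmac.new(key_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig


def u2f_verify(key_secret: bytes, rp_origin: str, challenge: str, client_data: str, sig: str) -> bool:
    """Relying party rejects any assertion whose signed origin is not its own."""
    data = json.loads(client_data)
    if data.get("origin") != rp_origin or data.get("challenge") != challenge:
        return False
    expected = hmac.new(key_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def totp_relay_succeeds(now: int = 1_700_000_000) -> bool:
    """Victim types the code into the look-alike page; the attacker forwards it to the real site."""
    secret = b"constructed-shared-totp-secret"
    victim_code = totp(secret, now)               # what the victim's phone shows
    return totp_verify(secret, victim_code, now)  # real site cannot tell it was relayed


def u2f_relay_succeeds(challenge: str = "constructed-challenge") -> bool:
    """Look-alike page forwards the real site's challenge, but the victim's browser reports the
    look-alike origin, so the forwarded assertion fails at the real relying party."""
    key_secret = b"constructed-key-secret"
    client_data, sig = u2f_sign(key_secret, PHISH_ORIGIN, challenge)
    return u2f_verify(key_secret, REAL_ORIGIN, challenge, client_data, sig)


if __name__ == "__main__":
    print("manager fills on look-alike:", autofill(PHISH_ORIGIN + "/login"))
    print("manager fills on real site:", autofill(REAL_ORIGIN + "/login"))
    print("TOTP relay accepted:", totp_relay_succeeds())
    print("U2F relay accepted:", u2f_relay_succeeds())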
lstone19
Posts: 875
Joined: Fri Nov 03, 2017 3:33 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by lstone19 »

FIREchief wrote: Tue May 26, 2020 1:13 pm Thanks. I just looked into this. It appears that the only real protection it provides is from external pulls. If anybody is able to login to my account, then it looks like they could just toggle the lockdown off and proceed with their theft.
Yes they could but I'm going to get both a text message and an email if they do turn it off. Could they first turn off those alerts? Unfortunately, it appears that yes, at least text alerts can be turned off without any notice.
investing engineer
Posts: 115
Joined: Thu Aug 27, 2015 5:14 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by investing engineer »

AAA wrote: Tue May 26, 2020 12:56 pm
xuphys wrote: Mon May 25, 2020 9:55 pm
AAA wrote: Mon May 25, 2020 9:46 pm
xuphys wrote: Mon May 25, 2020 1:17 pm
AAA wrote: Mon May 25, 2020 1:12 pm

Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a pin number. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy to reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN e.g. 123456?
Of course, it's not that so long as one can do a SIM swap they can access your account. Fraudsters do not access your account by solving the puzzle "if I only have access to your phone number, how can I access your brokerage account?" They probably have got some other information (otherwise how could they swap the SIM?). Information such as username and security questions is surely less guarded than an SMS verification code. The bottleneck here is to swap the SIM; if one can successfully swap SIM cards, there is a reasonable possibility that they already have access to some less guarded information. We the good people don't know what might be circulating in the black market, how insecure some websites are, and how imprudent some customer service representatives can be.

To your specific questions: You can also reset/recover your username (Google "[Brokerage name] recover username"). Answers to secret questions can also be part of the theft (which a SIM swap usually requires), maybe even usernames (which aren't guarded as tightly as passwords). They can get these by hacking some less secure website (e.g., insurance companies), purchasing from the black market, etc. Of course, you can use completely different answers to secret questions for your brokerage, but I doubt how practical this can be (e.g., can you remember the answers without using them frequently and without writing them down?).
Vulcan
Posts: 1315
Joined: Sat Apr 05, 2014 11:43 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Vulcan »

Silence Dogood wrote: Mon May 25, 2020 1:43 pm
oldfort wrote: Mon May 25, 2020 1:25 pm If the user types in the new code, what difference does it make whether it's good for 30 seconds or 10 minutes?
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
Never enter any passwords manually. Never even know your passwords. Use a password manager. Chrome's built-in one is fine.

When you arrive at vamguard.com, the password manager will not enter your password, and that will be your red flag.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
FIREchief
Posts: 5316
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

lstone19 wrote: Tue May 26, 2020 1:28 pm
FIREchief wrote: Tue May 26, 2020 1:13 pm Thanks. I just looked into this. It appears that the only real protection it provides is from external pulls. If anybody is able to login to my account, then it looks like they could just toggle the lockdown off and proceed with their theft.
Yes they could but I'm going to get both a text message and an email if they do turn it off. Could they first turn off those alerts? Unfortunately, it appears that yes, at least text alerts can be turned off without any notice.
Yep, I just confirmed that I can turn off text alerts and not receive a notice. That's a really crappy approach. :annoyed
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
lstone19
Posts: 875
Joined: Fri Nov 03, 2017 3:33 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by lstone19 »

FIREchief wrote: Tue May 26, 2020 1:57 pm
lstone19 wrote: Tue May 26, 2020 1:28 pm Yes they could but I'm going to get both a text message and an email if they do turn it off. Could they first turn off those alerts? Unfortunately, it appears that yes, at least text alerts can be turned off without any notice.
Yep, I just confirmed that I can turn off text alerts and not receive a notice. That's a really crappy approach. :annoyed
I've already sent them a note about it expressing my view that any change to security settings, including the phone number and email they go to, should trigger a security alert delivered in accordance with the pre-change settings. So if you want to turn off text security alerts, you still have to get one more letting you know.
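The design lstone19 proposes is a small but important ordering rule: snapshot the notification channels before applying a security-settings change, then deliver the alert through that snapshot. The example below is added here and is not lstone19's code or any brokerage's; the `AlertPrefs` fields, the phone number and e-mail address are constructed. It contrasts the observed behaviour (alert evaluated against the post-change settings, so disabling SMS alerts produces no SMS) with the proposed one, and also covers the related case of changing the phone number itself, where the old number should still be told.

```python
import copy
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class AlertPrefs:
    """Where security alerts go. Constructed fields; real brokerages differ."""
    sms: Optional[str]
    email: Optional[str]
    sms_alerts: bool = True
    email_alerts: bool = True


Delivery = Tuple[str, str, str]   # (channel, address, message)
Changer = Callable[[AlertPrefs, str, object], Tuple[AlertPrefs, List[Delivery]]]


def deliver(prefs: AlertPrefs, message: str) -> List[Delivery]:
    """Send `message` over every channel enabled in `prefs`."""
    out: List[Delivery] = []
    if prefs.sms_alerts and prefs.sms:
        out.append(("sms", prefs.sms, message))
    if prefs.email_alerts and prefs.email:
        out.append(("email", prefs.email, message))
    return out


def change_setting_naive(prefs: AlertPrefs, name: str, value) -> Tuple[AlertPrefs, List[Delivery]]:
    """The behaviour the thread complains about: apply the change first, then alert using the
    post-change preferences. Turning SMS alerts off therefore sends no SMS about it."""
    new = copy.copy(prefs)
    setattr(new, name, value)
    return new, deliver(new, f"Security setting changed: {name}")


def change_setting_safe(prefs: AlertPrefs, name: str, value) -> Tuple[AlertPrefs, List[Delivery]]:
    """lstone19's proposal: snapshot the channels before the change and alert through them,
    so every security change is announced wherever the owner was listening beforehand."""
    before = copy.copy(prefs)
    new = copy.copy(prefs)
    setattr(new, name, value)
    return new, deliver(before, f"Security setting changed: {name}")


def constructed_prefs() -> AlertPrefs:
    return AlertPrefs(sms="+1-555-0100", email="owner@example.com")   # constructed values


def sms_alert_sent_when_sms_disabled(change: Changer) -> bool:
    """Does disabling SMS alerts still produce one last SMS?"""
    _, sent = change(constructed_prefs(), "sms_alerts", False)
    return any(channel == "sms" for channel, _, _ in sent)


def old_number_alerted_on_number_change(change: Changer) -> bool:
    """Does changing the phone number alert the old number, not just the new one?"""
    _, sent = change(constructed_prefs(), "sms", "+1-555-0199")
    return any(channel == "sms" and addr == "+1-555-0100" for channel, addr, _ in sent)


if __name__ == "__main__":
    for label, fn in (("naive", change_setting_naive), ("safe", change_setting_safe)):
        print(label, "SMS sent on disable:", sms_alert_sent_when_sms_disabled(fn),
              "| old number told:", old_number_alerted_on_number_change(fn))
```

The same snapshot rule generalises to any guarded setting (transfer lockdown, e-mail address, 2FA method): decide the recipients of the alert from the state that existed before the request, and only then commit the change.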
FIREchief
Posts: 5316
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

lstone19 wrote: Tue May 26, 2020 3:47 pm
FIREchief wrote: Tue May 26, 2020 1:57 pm
lstone19 wrote: Tue May 26, 2020 1:28 pm Yes they could but I'm going to get both a text message and an email if they do turn it off. Could they first turn off those alerts? Unfortunately, it appears that yes, at least text alerts can be turned off without any notice.
Yep, I just confirmed that I can turn off text alerts and not receive a notice. That's a really crappy approach. :annoyed
I've already sent them a note about it expressing my view that any change to security settings, including the phone number and email they go to, should trigger a security alert delivered in accordance with the pre-change settings. So if you want to turn off text security alerts, you still have to get one more letting you know.
Thanks. That's a great idea. I just sent them a message as well. Hopefully they will act on this quickly.
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

SpaethCo wrote: Tue May 26, 2020 1:22 pm The best security for the average person is a password manager that will autofill your credentials only into a matching domain. The password manager allows you to have unique passwords for each site, preventing credential stuffing, and it allows for validation of the domain for which credentials are being entered. If the password manager isn't filling in your credentials, that's your cue to start looking very closely at the site you ended up on.
Vulcan wrote: Tue May 26, 2020 1:42 pm
Silence Dogood wrote: Mon May 25, 2020 1:43 pm
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
Never enter any passwords manually. Never even know your passwords. Use a password manager.

When you arrive at vamguard.com, the password manager will not enter your password, and that will be your red flag.
Yes, to be clear, I completely agree regarding the importance of using a password manager.

I use a password manager; I recommend that everyone use a password manager.

Please note that my example was "for demonstration purposes only" (to demonstrate a successful phishing attack), focusing specifically on two-factor authentication. I agree that proper use of a password manager would have prevented a successful attack.
L82GAME
Posts: 326
Joined: Sat Dec 07, 2019 9:29 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by L82GAME »

Silence Dogood wrote: Tue May 26, 2020 5:05 pm
SpaethCo wrote: Tue May 26, 2020 1:22 pm The best security for the average person is a password manager that will autofill your credentials only into a matching domain. The password manager allows you to have unique passwords for each site, preventing credential stuffing, and it allows for validation of the domain for which credentials are being entered. If the password manager isn't filling in your credentials, that's your cue to start looking very closely at the site you ended up on.
Vulcan wrote: Tue May 26, 2020 1:42 pm
Silence Dogood wrote: Mon May 25, 2020 1:43 pm
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
Never enter any passwords manually. Never even know your passwords. Use a password manager.

When you arrive at vamguard.com, the password manager will not enter your password, and that will be your red flag.
Yes, to be clear, I completely agree regarding the importance of using a password manager.

I use a password manager; I recommend that everyone use a password manager.

Please note that my example was "for demonstration purposes only" (to demonstrate a successful phishing attack), focusing specifically on two-factor authentication. I agree that proper use of a password manager would have prevented a successful attack.
Doesn’t a physical token eliminate the risk associated with phishing attacks?
SpaethCo
Posts: 235
Joined: Thu Jan 14, 2016 12:58 am
Location: Minneapolis

Re: Investors: be aware of weakness in 2FA + strengthening

Post by SpaethCo »

L82GAME wrote: Tue May 26, 2020 7:20 pm Doesn’t a physical token eliminate the risk associated with phishing attacks?
Only U2F security keys, because those provide 2-way validation.

If it's just a physical token that spits out codes like an RSA token, then no.
L82GAME
Posts: 326
Joined: Sat Dec 07, 2019 9:29 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by L82GAME »

SpaethCo wrote: Tue May 26, 2020 7:33 pm
L82GAME wrote: Tue May 26, 2020 7:20 pm Doesn’t a physical token eliminate the risk associated with phishing attacks?
Only U2F security keys, because those provide 2-way validation.

If it's just a physical token that spits out codes like an RSA token, then no.
Thanks for presenting the distinction; I was referring to Yubikey which I believe is U2F. That’s what I use for Vanguard, and for my 2FA for Google voice, which is the 2FA backup number for Vanguard.
increment
Posts: 362
Joined: Tue May 15, 2018 2:20 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by increment »

L82GAME wrote: Tue May 26, 2020 7:37 pm
Thanks for presenting the distinction; I was referring to Yubikey which I believe is U2F. That’s what I use for Vanguard, and for my 2FA for Google voice, which is the 2FA backup number for Vanguard.
Some older Yubikeys don't do U2F. But you can't use this older hardware with Vanguard (and almost certainly not with Google).
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

L82GAME wrote: Tue May 26, 2020 7:20 pm
Silence Dogood wrote: Tue May 26, 2020 5:05 pm
SpaethCo wrote: Tue May 26, 2020 1:22 pm The best security for the average person is a password manager that will autofill your credentials only into a matching domain. The password manager allows you to have unique passwords for each site, preventing credential stuffing, and it allows for validation of the domain for which credentials are being entered. If the password manager isn't filling in your credentials, that's your cue to start looking very closely at the site you ended up on.
Vulcan wrote: Tue May 26, 2020 1:42 pm
Silence Dogood wrote: Mon May 25, 2020 1:43 pm
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
Never enter any passwords manually. Never even know your passwords. Use a password manager.

When you arrive at vamguard.com, the password manager will not enter your password, and that will be your red flag.
Yes, to be clear, I completely agree regarding the importance of using a password manager.

I use a password manager; I recommend that everyone use a password manager.

Please note that my example was "for demonstration purposes only" (to demonstrate a successful phishing attack), focusing specifically on two-factor authentication. I agree that proper use of a password manager would have prevented a successful attack.
Doesn’t a physical token eliminate the risk associated with phishing attacks?
Yes (assuming up-to-date YubiKey or similar device), please see my earlier posts.

Hardware-based two-factor authentication is more secure than app-based two-factor authentication. App-based two-factor authentication is more secure than SMS-based two-factor authentication.

Unfortunately, the issue with hardware-based two-factor authentication is one of widespread adoption. I'm guessing that less than 1% of internet-using Americans own a YubiKey (or similar device), whereas something like 90% of internet-using Americans own a device capable of running an authentication app (either a smartphone or tablet). I'm highly doubtful that a large percentage of Americans are going to go out and buy a YubiKey (or similar device) anytime soon. Remember, the most common password in 2019 was "123456".

App-based two-factor authentication is simple to use and people already own (and carry around) the device they need to implement it.

In particular, combining an authentication app with a password manager is extremely secure.

Of course, I certainly think that hardware-based two-factor authentication should be an option as well, for those who want even better security.
SteadyOne
Posts: 201
Joined: Fri Mar 22, 2019 5:26 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by SteadyOne »

Silence Dogood wrote: Tue May 26, 2020 8:40 pm
L82GAME wrote: Tue May 26, 2020 7:20 pm
Silence Dogood wrote: Tue May 26, 2020 5:05 pm
SpaethCo wrote: Tue May 26, 2020 1:22 pm The best security for the average person is a password manager that will autofill your credentials only into a matching domain. The password manager allows you to have unique passwords for each site, preventing credential stuffing, and it allows for validation of the domain for which credentials are being entered. If the password manager isn't filling in your credentials, that's your cue to start looking very closely at the site you ended up on.
Vulcan wrote: Tue May 26, 2020 1:42 pm
Silence Dogood wrote: Mon May 25, 2020 1:43 pm
  • A hacker sends you a legitimate looking email with a link to "vamguard.com" - and you click on it thinking that it's actually "vanguard.com".
  • The website is designed to look exactly the same as "vanguard.com" - so you type in your username and password.
Never enter any passwords manually. Never even know your passwords. Use a password manager.

When you arrive at vamguard.com, the password manager will not enter your password, and that will be your red flag.
Yes, to be clear, I completely agree regarding the importance of using a password manager.

I use a password manager; I recommend that everyone use a password manager.

Please note that my example was "for demonstration purposes only" (to demonstrate a successful phishing attack), focusing specifically on two-factor authentication. I agree that proper use of a password manager would have prevented a successful attack.
Doesn’t a physical token eliminate the risk associated with phishing attacks?
Yes (assuming up-to-date YubiKey or similar device), please see my earlier posts.

Hardware-based two-factor authentication is more secure than app-based two-factor authentication. App-based two-factor authentication is more secure than SMS-based two-factor authentication.

Unfortunately, the issue with hardware-based two-factor authentication is one of widespread adoption. I'm guessing that less than 1% of internet-using Americans own a YubiKey (or similar device), whereas something like 90% of internet-using Americans own a device capable of running an authentication app (either a smartphone or tablet). I'm highly doubtful that a large percentage of Americans are going to go out and buy a YubiKey (or similar device) anytime soon. Remember, the most common password in 2019 was "123456".

App-based two-factor authentication is simple to use and people already own (and carry around) the device they need to implement it.

In particular, combining an authentication app with a password manager is extremely secure.

Of course, I certainly think that hardware-based two-factor authentication should be an option as well, for those who want even better security.
If one is not specifically targeted for an attack and is using anything better than ‘1233456’ as a password, what are the chances of becoming a victim? Is this similar to having a Mac and not needing an antivirus program, since hackers did not want to waste time going after a small sliver of users? My takeaway is that even SMS-based authentication with a reasonable password is good enough for most people.
“Every deduction is allowed as a matter of legislative grace.” US Federal Court
HawkeyePierce
Posts: 1486
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

SteadyOne wrote: Tue May 26, 2020 8:53 pm
Silence Dogood wrote: Tue May 26, 2020 8:40 pm
L82GAME wrote: Tue May 26, 2020 7:20 pm
Silence Dogood wrote: Tue May 26, 2020 5:05 pm
SpaethCo wrote: Tue May 26, 2020 1:22 pm The best security for the average person is a password manager that will autofill your credentials only into a matching domain. The password manager allows you to have unique passwords for each site, preventing credential stuffing, and it allows for validation of the domain for which credentials are being entered. If the password manager isn't filling in your credentials, that's your cue to start looking very closely at the site you ended up on.
Vulcan wrote: Tue May 26, 2020 1:42 pm
Never enter any passwords manually. Never even know your passwords. Use a password manager.

When you arrive at vamguard.com, the password manager will not enter your password, and that will be your red flag.
Yes, to be clear, I completely agree regarding the importance of using a password manager.

I use a password manager; I recommend that everyone use a password manager.

Please note that my example was "for demonstration purposes only" (to demonstrate a successful phishing attack), focusing specifically on two-factor authentication. I agree that proper use of a password manager would have prevented a successful attack.
Doesn’t a physical token eliminate the risk associated with phishing attacks?
Yes (assuming up-to-date YubiKey or similar device), please see my earlier posts.

Hardware-based two-factor authentication is more secure than app-based two-factor authentication. App-based two-factor authentication is more secure than SMS-based two-factor authentication.

Unfortunately, the issue with hardware-based two-factor authentication is one of widespread adoption. I'm guessing that less than 1% of internet-using Americans own a YubiKey (or similar device), whereas something like 90% of internet-using Americans own a device capable of running an authentication app (either a smartphone or tablet). I'm highly doubtful that a large percentage of Americans are going to go out and buy a YubiKey (or similar device) anytime soon. Remember, the most common password in 2019 was "123456".

App-based two-factor authentication is simple to use and people already own (and carry around) the device they need to implement it.

In particular, combining an authentication app with a password manager is extremely secure.

Of course, I certainly think that hardware-based two-factor authentication should be an option as well, for those who want even better security.
If one is not specifically targeted for an attack and is using anything better than ‘1233456’ as a password, what are the chances of becoming a victim? Is this similar to having a Mac and not needing an antivirus program, since hackers did not want to waste time going after a small sliver of users? My takeaway is that even SMS-based authentication with a reasonable password is good enough for most people.
If you use a password manager, never reuse passwords and use any form of 2FA, your chances of falling victim are low, assuming you aren't specifically targeted.

One of my coworkers fell victim to a SIM swap attack in order to steal his *Instagram* account. You never know.
investing engineer
Posts: 115
Joined: Thu Aug 27, 2015 5:14 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by investing engineer »

SteadyOne wrote: Tue May 26, 2020 8:53 pm
Silence Dogood wrote: Tue May 26, 2020 8:40 pm
L82GAME wrote: Tue May 26, 2020 7:20 pm
Silence Dogood wrote: Tue May 26, 2020 5:05 pm
SpaethCo wrote: Tue May 26, 2020 1:22 pm The best security for the average person is a password manager that will autofill your credentials only into a matching domain. The password manager allows you to have unique passwords for each site, preventing credential stuffing, and it allows for validation of the domain for which credentials are being entered. If the password manager isn't filling in your credentials, that's your cue to start looking very closely at the site you ended up on.
Vulcan wrote: Tue May 26, 2020 1:42 pm
Never enter any passwords manually. Never even know your passwords. Use a password manager.

When you arrive at vamguard.com, the password manager will not enter your password, and that will be your red flag.
Yes, to be clear, I completely agree regarding the importance of using a password manager.

I use a password manager; I recommend that everyone use a password manager.

Please note that my example was "for demonstration purposes only" (to demonstrate a successful phishing attack), focusing specifically on two-factor authentication. I agree that proper use of a password manager would have prevented a successful attack.
Doesn’t a physical token eliminate the risk associated with phishing attacks?
Yes (assuming up-to-date YubiKey or similar device), please see my earlier posts.

Hardware-based two-factor authentication is more secure than app-based two-factor authentication. App-based two-factor authentication is more secure than SMS-based two-factor authentication.

Unfortunately, the issue with hardware-based two-factor authentication is one of widespread adoption. I'm guessing that less than 1% of internet-using Americans own a YubiKey (or similar device), whereas something like 90% of internet-using Americans own a device capable of running an authentication app (either a smartphone or tablet). I'm highly doubtful that a large percentage of Americans are going to go out and buy a YubiKey (or similar device) anytime soon. Remember, the most common password in 2019 was "123456".

App-based two-factor authentication is simple to use and people already own (and carry around) the device they need to implement it.

In particular, combining an authentication app with a password manager is extremely secure.

Of course, I certainly think that hardware-based two-factor authentication should be an option as well, for those who want even better security.
If one is not specifically targeted for an attack and is using anything better than ‘1233456’ as a password, what are the chances of becoming a victim? Is this similar to having a Mac and not needing an antivirus program, since hackers did not want to waste time going after a small sliver of users? My takeaway is that even SMS-based authentication with a reasonable password is good enough for most people.
I agree with you for most people SMS is probably fine. People with high account value need to be more cautious.
itgeek
Posts: 42
Joined: Sun Dec 08, 2013 11:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by itgeek »

From what I understand, there is no way to force Vanguard to use only hardware authentication such as a YubiKey. E.g., if the YubiKey is not present, Vanguard will use an SMS code as a back-up 2FA option. Doesn't that defeat the whole purpose of moving away from SMS codes as 2FA? It seems that Vanguard also does not support app-based authentication. Also, for mobile access, the SMS code is the default option.

If this is all true, what can be done to make a Vanguard account more secure?
oldfort
Posts: 1739
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

Silence Dogood wrote: Mon May 25, 2020 5:14 pm
oldfort wrote: Mon May 25, 2020 4:24 pm
Silence Dogood wrote: Mon May 25, 2020 4:02 pm Well, it's a bit more complicated than that.

The fake website will likely generate a message stating some kind of iteration of: "This website is temporarily down for maintenance, please try back again later." This fake website would likely just be a "dummy" website. For example, you could enter "Mickey Mouse" as your username and "Minnie Mouse" as your password and it would still load the same pages as entering your actual username and password would.

Of course, a more advanced hacker could create a fake website/program that responds to incorrect (or expired) information. That hacker would then have an additional 30 seconds (at most - 15 seconds on average) to successfully execute the attack. Hopefully this would be a "red flag" for the user.

But again, as I've mentioned previously, I am not stating that app-based two-factor authentication is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS-based two-factor authentication.
Real-time phishing is more sophisticated than this. They mimic the look and functionality of real Web sites.
Yes, I realize that an advanced hacker can set up a fake website that is advanced enough to pull this off.

As I mentioned above:
In practice, since the program will be working extremely fast, it probably won't make much of a difference. Having said that, technically-speaking, allowing the hacker only 30 seconds at most (15 seconds on average) to pull this off, rather than 10 minutes, makes it more difficult to successfully execute.
But again, as I've mentioned previously, I am not stating that app-based two-factor authentication is not vulnerable to phishing, only that it is less vulnerable to phishing than SMS-based two-factor authentication.
Of course, a more advanced hacker could create a fake website/program that responds to incorrect (or expired) information. That hacker would then have an additional 30 seconds (at most - 15 seconds on average) to successfully execute the attack. Hopefully this would be a "red flag" for the user.
My point is simple: app-based two-factor authentication is more secure than SMS-based two-factor authentication.

I also believe that app-based two-factor authentication is technically less vulnerable to phishing attacks than SMS-based two-factor authentication. After all, if time is not a factor, why should the codes expire at all?

Hardware-based two-factor authentication is even more secure than app-based two-factor authentication, but there is the problem of widespread adoption.
If the code never expired, you would be vulnerable to replay attacks if the channel between the user and the server were compromised, or you would be able to brute force the one-time pad if the system didn't have appropriate rate limiting. There's nothing fundamental about SMS vs. apps where SMS couldn't be set to expire after 30 seconds. For the type of Mickey Mouse scenario you're worried about, you could always enter a wrong username, password, or SMS the first time and get the same theoretical advantage against phishing.
oldfort
Posts: 1739
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

itgeek wrote: Tue May 26, 2020 10:02 pm From what I understand, there is no way to force Vanguard to use only hardware authentication such as a YubiKey. E.g., if the YubiKey is not present, Vanguard will use an SMS code as a back-up 2FA option. Doesn't that defeat the whole purpose of moving away from SMS codes as 2FA? It seems that Vanguard also does not support app-based authentication. Also, for mobile access, the SMS code is the default option.

If this is all true, what can be done to make a Vanguard account more secure?


Landlines are potentially more secure. In some cases, it's not possible to port a landline number. Google Voice is a common suggestion. If you want to go full tin foil hat, you can have a separate burner phone for each financial account.
FIREchief
Posts: 5316
Joined: Fri Aug 19, 2016 6:40 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by FIREchief »

itgeek wrote: Tue May 26, 2020 10:02 pm From what I understand, there is no way to force Vanguard to use only hardware authentication such as a YubiKey. E.g., if the YubiKey is not present, Vanguard will use an SMS code as a back-up 2FA option. Doesn't that defeat the whole purpose of moving away from SMS codes as 2FA? It seems that Vanguard also does not support app-based authentication. Also, for mobile access, the SMS code is the default option.

If this is all true, what can be done to make a Vanguard account more secure?


Move it to Fidelity!!! :P
I am not a lawyer, accountant or financial advisor. Any advice or suggestions that I may provide shall be considered for entertainment purposes only.
fatcoffeedrinker
Posts: 265
Joined: Mon Mar 23, 2020 2:03 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by fatcoffeedrinker »

xuphys wrote: Tue May 26, 2020 1:37 pm
AAA wrote: Tue May 26, 2020 12:56 pm
xuphys wrote: Mon May 25, 2020 9:55 pm
AAA wrote: Mon May 25, 2020 9:46 pm
xuphys wrote: Mon May 25, 2020 1:17 pm

The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy-to-reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN, e.g. 123456?
Of course, it's not that as long as one can do a SIM swap they can access your account. Fraudsters do not access your account by solving the puzzle "if I only have access to your phone number, how can I access your brokerage account?" They probably have some other information (otherwise how could they swap the SIM?). Information such as usernames and security questions is surely less guarded than an SMS verification code. The bottleneck here is swapping the SIM; if one can successfully swap SIM cards, there is a reasonable possibility that they already have access to some less guarded information. We the good people don't know what might be circulating on the black market, how insecure some websites are, and how imprudent some customer service representatives can be.

To your specific questions: you can also reset/recover a username (Google "[Brokerage name] recover username"). Answers to secret questions can also be part of the theft (which a SIM swap usually requires), maybe even usernames (which aren't guarded as tightly as passwords). They can get these by hacking some less secure website (e.g., insurance companies), purchasing from the black market, etc. Of course, you can use completely different answers to secret questions for your brokerage, but I doubt how practical this can be (e.g., can you remember the answers without using them frequently and without writing them down?).
So if I turn on Number Lock on all my Verizon phones (which I just did yesterday), does that solve the SIM swap risk? I assume that if someone got into my Verizon account to turn off Number Lock, then I would get a notification of that on my phone before they could actually do a SIM swap, correct?
HawkeyePierce
Posts: 1486
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

fatcoffeedrinker wrote: Tue May 26, 2020 10:37 pm
xuphys wrote: Tue May 26, 2020 1:37 pm
AAA wrote: Tue May 26, 2020 12:56 pm
xuphys wrote: Mon May 25, 2020 9:55 pm
AAA wrote: Mon May 25, 2020 9:46 pm

By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy-to-reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN, e.g. 123456?
Of course, it's not that as long as one can do a SIM swap they can access your account. Fraudsters do not access your account by solving the puzzle "if I only have access to your phone number, how can I access your brokerage account?" They probably have some other information (otherwise how could they swap the SIM?). Information such as usernames and security questions is surely less guarded than an SMS verification code. The bottleneck here is swapping the SIM; if one can successfully swap SIM cards, there is a reasonable possibility that they already have access to some less guarded information. We the good people don't know what might be circulating on the black market, how insecure some websites are, and how imprudent some customer service representatives can be.

To your specific questions: you can also reset/recover a username (Google "[Brokerage name] recover username"). Answers to secret questions can also be part of the theft (which a SIM swap usually requires), maybe even usernames (which aren't guarded as tightly as passwords). They can get these by hacking some less secure website (e.g., insurance companies), purchasing from the black market, etc. Of course, you can use completely different answers to secret questions for your brokerage, but I doubt how practical this can be (e.g., can you remember the answers without using them frequently and without writing them down?).
So if I turn on Number Lock on all my Verizon phones (which I just did yesterday), does that solve the SIM swap risk? I assume that if someone got into my Verizon account to turn off Number Lock, then I would get a notification of that on my phone before they could actually do a SIM swap, correct?
No. The lock can be bypassed by a Verizon customer service agent. Just takes a corrupt or incompetent agent who bypasses the lock for an attacker.

The *only* secure form of SMS 2FA is Google Voice with a Google account enrolled in Google's Advanced Protection Program.
fatcoffeedrinker
Posts: 265
Joined: Mon Mar 23, 2020 2:03 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by fatcoffeedrinker »

HawkeyePierce wrote: Tue May 26, 2020 10:46 pm
fatcoffeedrinker wrote: Tue May 26, 2020 10:37 pm
xuphys wrote: Tue May 26, 2020 1:37 pm
AAA wrote: Tue May 26, 2020 12:56 pm
xuphys wrote: Mon May 25, 2020 9:55 pm

They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy-to-reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN, e.g. 123456?
Of course, it's not that as long as one can do a SIM swap they can access your account. Fraudsters do not access your account by solving the puzzle "if I only have access to your phone number, how can I access your brokerage account?" They probably have some other information (otherwise how could they swap the SIM?). Information such as usernames and security questions is surely less guarded than an SMS verification code. The bottleneck here is swapping the SIM; if one can successfully swap SIM cards, there is a reasonable possibility that they already have access to some less guarded information. We the good people don't know what might be circulating on the black market, how insecure some websites are, and how imprudent some customer service representatives can be.

To your specific questions: you can also reset/recover a username (Google "[Brokerage name] recover username"). Answers to secret questions can also be part of the theft (which a SIM swap usually requires), maybe even usernames (which aren't guarded as tightly as passwords). They can get these by hacking some less secure website (e.g., insurance companies), purchasing from the black market, etc. Of course, you can use completely different answers to secret questions for your brokerage, but I doubt how practical this can be (e.g., can you remember the answers without using them frequently and without writing them down?).
So if I turn on Number Lock on all my Verizon phones (which I just did yesterday), does that solve the SIM swap risk? I assume that if someone got into my Verizon account to turn off Number Lock, then I would get a notification of that on my phone before they could actually do a SIM swap, correct?
No. The lock can be bypassed by a Verizon customer service agent. Just takes a corrupt or incompetent agent who bypasses the lock for an attacker.

The *only* secure form of SMS 2FA is Google Voice with a Google account enrolled in Google's Advanced Protection Program.
Would I get a phone notification when Number Lock was turned off?
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

oldfort wrote: Tue May 26, 2020 10:05 pm If the code never expired, you would have vulnerabilities to replay attacks if the channel between the user and the server was compromised or you would be able to brute force the one time pad, if the system didn't have appropriate rate limiting.
That was actually meant to be a rhetorical question.

But yes, there are good reasons for the code to have a time limit. I thought that you were arguing otherwise.
oldfort wrote: Tue May 26, 2020 10:05 pm There's nothing fundamental about SMS vs. apps, where SMS couldn't be set to expire after 30 seconds.
There is something fundamental about SMS-based versus app-based (namely, synchronization). It would be incredibly difficult (and not at all user-friendly) to implement a 30 second expiration for a code sent via SMS. It would probably make for a good comedy sketch though.

Besides, at that point, why not just use an app, which also solves the SIM-swap issue, the topic of this thread?
oldfort
Posts: 1739
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

Silence Dogood wrote: Tue May 26, 2020 11:32 pm It would be incredibly difficult (and not at all user-friendly) to implement a 30 second expiration for a code sent via SMS. It would probably make for a good comedy sketch though.
Not really; transit time for SMS should be on the order of a couple of seconds.
HawkeyePierce
Posts: 1486
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Investors: be aware of weakness in 2FA + strengthening

Post by HawkeyePierce »

oldfort wrote: Tue May 26, 2020 11:46 pm
Silence Dogood wrote: Tue May 26, 2020 11:32 pm It would be incredibly difficult (and not at all user-friendly) to implement a 30 second expiration for a code sent via SMS. It would probably make for a good comedy sketch though.
Not really; transit time for SMS should be on the order of a couple of seconds.
"Should"

That is surprisingly often not the case.

(I work for the world's largest sender of SMS messages)
Silence Dogood
Posts: 1430
Joined: Tue Feb 01, 2011 9:22 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by Silence Dogood »

HawkeyePierce wrote: Tue May 26, 2020 11:53 pm
oldfort wrote: Tue May 26, 2020 11:46 pm
Silence Dogood wrote: Tue May 26, 2020 11:32 pm It would be incredibly difficult (and not at all user-friendly) to implement a 30 second expiration for a code sent via SMS. It would probably make for a good comedy sketch though.
Not really; transit time for SMS should be on the order of a couple of seconds.
"Should"

That is surprisingly often not the case.

(I work for the world's largest sender of SMS messages)
There is also the issue of how long it takes the user to actually enter the code, which is also not an issue with an authentication app.
investing engineer
Posts: 115
Joined: Thu Aug 27, 2015 5:14 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by investing engineer »

fatcoffeedrinker wrote: Tue May 26, 2020 11:21 pm
HawkeyePierce wrote: Tue May 26, 2020 10:46 pm
fatcoffeedrinker wrote: Tue May 26, 2020 10:37 pm
xuphys wrote: Tue May 26, 2020 1:37 pm
AAA wrote: Tue May 26, 2020 12:56 pm

I'm still not getting it. I don't like easy-to-reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN, e.g. 123456?
Of course, it's not that as long as one can do a SIM swap they can access your account. Fraudsters do not access your account by solving the puzzle "if I only have access to your phone number, how can I access your brokerage account?" They probably have some other information (otherwise how could they swap the SIM?). Information such as usernames and security questions is surely less guarded than an SMS verification code. The bottleneck here is swapping the SIM; if one can successfully swap SIM cards, there is a reasonable possibility that they already have access to some less guarded information. We the good people don't know what might be circulating on the black market, how insecure some websites are, and how imprudent some customer service representatives can be.

To your specific questions: you can also reset/recover a username (Google "[Brokerage name] recover username"). Answers to secret questions can also be part of the theft (which a SIM swap usually requires), maybe even usernames (which aren't guarded as tightly as passwords). They can get these by hacking some less secure website (e.g., insurance companies), purchasing from the black market, etc. Of course, you can use completely different answers to secret questions for your brokerage, but I doubt how practical this can be (e.g., can you remember the answers without using them frequently and without writing them down?).
So if I turn on Number Lock on all my Verizon phones (which I just did yesterday), does that solve the SIM swap risk? I assume that if someone got into my Verizon account to turn off Number Lock, then I would get a notification of that on my phone before they could actually do a SIM swap, correct?
No. The lock can be bypassed by a Verizon customer service agent. Just takes a corrupt or incompetent agent who bypasses the lock for an attacker.

The *only* secure form of SMS 2FA is Google Voice with a Google account enrolled in Google's Advanced Protection Program.
Would I get a phone notification when Number Lock was turned off?
The reason to request an unlock may well be "I have lost my phone". Let's assume that there will be a phone notification, but you may be in the middle of a long meeting (or, synonymously, "taking a nap") or on a plane, during which your assets are already gone.
Topic Author
YoungSisyphus
Posts: 54
Joined: Mon Sep 24, 2018 7:35 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by YoungSisyphus »

xuphys wrote: Wed May 27, 2020 12:42 am
fatcoffeedrinker wrote: Tue May 26, 2020 11:21 pm
HawkeyePierce wrote: Tue May 26, 2020 10:46 pm
fatcoffeedrinker wrote: Tue May 26, 2020 10:37 pm
xuphys wrote: Tue May 26, 2020 1:37 pm

Of course, it's not that as long as one can do a SIM swap they can access your account. Fraudsters do not access your account by solving the puzzle "if I only have access to your phone number, how can I access your brokerage account?" They probably have some other information (otherwise how could they swap the SIM?). Information such as usernames and security questions is surely less guarded than an SMS verification code. The bottleneck here is swapping the SIM; if one can successfully swap SIM cards, there is a reasonable possibility that they already have access to some less guarded information. We the good people don't know what might be circulating on the black market, how insecure some websites are, and how imprudent some customer service representatives can be.

To your specific questions: you can also reset/recover a username (Google "[Brokerage name] recover username"). Answers to secret questions can also be part of the theft (which a SIM swap usually requires), maybe even usernames (which aren't guarded as tightly as passwords). They can get these by hacking some less secure website (e.g., insurance companies), purchasing from the black market, etc. Of course, you can use completely different answers to secret questions for your brokerage, but I doubt how practical this can be (e.g., can you remember the answers without using them frequently and without writing them down?).
So if I turn on Number Lock on all my Verizon phones (which I just did yesterday), does that solve the SIM swap risk? I assume that if someone got into my Verizon account to turn off Number Lock, then I would get a notification of that on my phone before they could actually do a SIM swap, correct?
No. The lock can be bypassed by a Verizon customer service agent. Just takes a corrupt or incompetent agent who bypasses the lock for an attacker.

The *only* secure form of SMS 2FA is Google Voice with a Google account enrolled in Google's Advanced Protection Program.
Would I get a phone notification when Number Lock was turned off?
The reason to request the unlock may well be that "I have lost my phone". Let's assume that there will be a phone notification, but you may be in the middle of a long meeting (or, synonymically, "taking a nap") or on a plane, during which your assets are already gone.
Yes, this is correct. Also realize that once an account is hijacked the person doing the hijacking will typically disable notifications to avoid notification. The most you might see is that your phone is out of service because the SIM card is no longer active or your line has been ported to a different provider. I would say that adding friction (in this case, Number Lock) still helps, regardless of the potential of employee abuse (where hackers are either paying employees, using hijacked credentials, etc.). It creates a whole other hurdle that a hacker would have to jump through. It would be easier to social engineer or focus on an account without extra forms of security. Not saying it would stop 100% of the potential issue... but it certainly is better than an unsecured account.

I'm happy that I could help draw out some discussion. Xuphys is correct in that the bottleneck in many cases is the 2FA SMS that we've relied on as being secure - not so much your personal information, which is most likely available somewhere. So all the solutions discussed here that add automatic friction to the process are a good thing (additional PIN security, Number Lock, etc.).
Topic Author
YoungSisyphus
Posts: 54
Joined: Mon Sep 24, 2018 7:35 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by YoungSisyphus »

AAA wrote: Tue May 26, 2020 12:56 pm
xuphys wrote: Mon May 25, 2020 9:55 pm
AAA wrote: Mon May 25, 2020 9:46 pm
xuphys wrote: Mon May 25, 2020 1:17 pm
AAA wrote: Mon May 25, 2020 1:12 pm

Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a pin number. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy to reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN e.g. 123456?
Not being one of these hackers, I would be speculating on 'how' they do it. I know only that they 'do'. And that typically the hardest part of it is the 2FA validation we've relied on. And now that is what is under attack.

If I had to guess on the other stuff:
1. You could probably find / buy SSN's fairly easily
2. Assuming you tie that SSN to other general information (name, etc)
3. Maybe I use Google and find out your profession or what you've done through social media, LinkedIn. Hey I would guess now that you've probably made some money
4. They probably could find e-mail information used across common accounts

So now I have enough general information to be able to at least know what e-mail you typically tie to your accounts. So let's play this out. Suppose I wanted to get into your Fidelity account. Of course I am a social engineer and I'm a "forgetful user". I go to fidelity.com, and see what it needs to reset your password, and retrieve your username (I am actually checking this as a thought experiment now...)...

and it actually only asks you for some basic information:
This was a fun little experiment. Here are the screenshots of Fidelity's username retrieval steps. Pretty simple. https://imgur.com/a/7YO475L

Name / Birthday / Last 4 of SSN

It then lets you select "username" or password reset. The STOP here before it shares your username, or lets you reset your password, is 2FA! If you can get past 2FA, then I now have your username.

Now let's do password reset. So it sends the reset request to your e-mail (which I know because that's easy). Maybe I also have to reset your e-mail password. Does your e-mail let you reset passwords? How does it let you? Does any of it depend on 2FA? If it does, then I could know your username, and reset your password, in under 30 seconds once I have access to your wireless phone number.

In this experiment - all I needed to know was the last 4 of your social, your name, your birthdate, and have access to your cell phone. I don't think the information part of this is a huge hurdle considering how many data breaches there are with companies.

Edit: All of this to say, if I were to put myself in a hacker's shoes, I'd probably focus first on easily recognizable people that I know deal in cryptocurrency because it would be the easiest to get away with. I assume even if I could reset your username / password, that even transferring money would add time, and complications around what account it goes to. But I don't know... maybe that isn't so hard either. All good things to be aware of though for folks that have enough $ for it to matter.
ErRyTour
Posts: 5
Joined: Tue Apr 23, 2019 10:56 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by ErRyTour »

There are a few things I have not seen mentioned:

1) If using U2F keys (e.g. Yubikey or something like it), you really should have more than one and disable other forms of 2FA. For example, we have four - one for me, one for my spouse, one backup in the house, and one off-site backup at the bank. All four are hooked into our services that support U2F and may be used interchangeably.

2) You can use one U2F key to register multiple accounts to the same service. It will generate a different key pair at each credential registration.

3) The QR code typically includes some extra data like the domain name and your email address, so if you scan the QR code, this is embedded in the service's entry in your TOTP app (and the last time I checked, a couple of years ago, I could not change this data). I prefer to manually enter the string instead of scanning the QR code and then assign some junk name, for example, "Cactus" to GMail, so nobody else knows what service it is for.

4) I don't think you should generate the one-time recovery codes when the option is presented to you during registration. Just write down the original string and store it in a safe or safe deposit box. If you need to replace your phone, just enter the original string into your new TOTP app and you are back in business.
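As an added illustration of points 3 and 4 above (example code, not from this thread or any poster): a provisioning QR code is just an otpauth:// URI, the label and issuer in it are only metadata, and the base32 secret alone is what regenerates the codes. The secret used is the RFC 6238 reference key; the two URIs and the "Cactus" label are constructed samples.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 reference secret (ASCII "12345678901234567890"
# in base32) once as a "scanned" URI with issuer/account, once with a junk label.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
URI_SCANNED = ("otpauth://totp/Google:alice%40gmail.com?secret="
               + SECRET_B32 + "&issuer=Google")
URI_MANUAL = "otpauth://totp/Cactus?secret=" + SECRET_B32


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into label, issuer, account, secret and parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    # The label is "Issuer:account" when scanned, or a free-form name if hand-entered.
    label_issuer, account = label.split(":", 1) if ":" in label else ("", label)
    return {
        "label": label,
        "issuer": params.get("issuer", label_issuer).strip(),
        "account": account.strip(),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC(secret, floor(time / period)), dynamically truncated."""
    # Tolerate a hand-copied secret: spaces, lower case, missing '=' padding.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int((time.time() if at is None else at) // period)
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_uri(uri, at=None):
    """Generate the code for a provisioning URI, whatever its label says."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])


def label_is_only_metadata(at=59):
    """True when the scanned and hand-entered URIs (same secret, different label) agree."""
    return code_from_uri(URI_SCANNED, at) == code_from_uri(URI_MANUAL, at)


if __name__ == "__main__":
    print(parse_otpauth(URI_SCANNED))
    print(parse_otpauth(URI_MANUAL))
    print("codes agree regardless of label:", label_is_only_metadata())
    print("code right now:", code_from_uri(URI_MANUAL))
```

Restoring a new phone from the written-down secret is exactly `totp(secret)`; the issuer and account fields only affect what the app displays.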
oldfort
Posts: 1739
Joined: Mon Mar 02, 2020 8:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by oldfort »

ErRyTour wrote: Wed May 27, 2020 9:55 am There are a few things I have not seen mentioned:

1) If using U2F keys (e.g. Yubikey or something like it), you really should have more than one and disable other forms of 2FA. For example, we have four - one for me, one for my spouse, one backup in the house, and one off-site backup at the bank. All four are hooked into our services that support U2F and may be used interchangeably.
I don't believe Vanguard allows you to disable SMS.
mptfan
Posts: 6205
Joined: Mon Mar 05, 2007 9:58 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by mptfan »

oldfort wrote: Wed May 27, 2020 9:59 am
ErRyTour wrote: Wed May 27, 2020 9:55 am There are a few things I have not seen mentioned:

1) If using U2F keys (e.g. Yubikey or something like it), you really should have more than one and disable other forms of 2FA. For example, we have four - one for me, one for my spouse, one backup in the house, and one off-site backup at the bank. All four are hooked into our services that support U2F and may be used interchangeably.
I don't believe Vanguard allows you to disable SMS.
That is correct. Vanguard has the option of using security keys but you cannot disable the option of using SMS as a backup.
BrandonBogle
Posts: 3290
Joined: Mon Jan 28, 2013 11:19 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by BrandonBogle »

YoungSisyphus wrote: Wed May 27, 2020 7:28 am In this experiment - all I needed to know was the last 4 of your social, your name, your birthdate, and have access to your cell phone. I don't think the information part of this is a huge hurdle considering how many data breaches there are with companies.
And social, name, birthdate, and phone number are commonly all that a social engineering hacker would need in advance to then get a SIM swap. So the data needed in the Fidelity example, the hacker would already have before targeting this experimental person.
decapod10
Posts: 663
Joined: Thu Dec 28, 2017 6:46 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by decapod10 »

AAA wrote: Tue May 26, 2020 12:56 pm
xuphys wrote: Mon May 25, 2020 9:55 pm
AAA wrote: Mon May 25, 2020 9:46 pm
xuphys wrote: Mon May 25, 2020 1:17 pm
AAA wrote: Mon May 25, 2020 1:12 pm

Can someone explain to the non-initiated what the issue is here? So I go to Vanguard's website, enter my username and password and then wait for the text to my phone except someone else gets the text. They can use that to access my account? Their browser hasn't logged in to Vanguard with my credentials nor is it waiting for a pin number. Other than preventing me from accessing my account, what can happen?
The fraudster stole your information, called your wireless carrier, and switched your phone number to a SIM card in their hands. There they can receive the verification code that was supposed to be sent to you.
By "stole your information" do you mean he has my username and password? If not, what good is the verification code to him?
They can steal your SSN, answers to security questions, etc. so as to port your number out. They can then use the phone number to reset your password. See the Fidelity password reset procedure for a live example: https://www.fidelity.com/customer-servi ... e-password
I'm still not getting it. I don't like easy to reset passwords such as in your Fidelity example, but even there they would have needed to know your username to even get to that step. Also the answer to a secret question. How do they get all this, let alone your SSN, just by intercepting a text message PIN e.g. 123456?
Secret question answers can be found more easily these days due to the internet. Your mother's maiden name, your birthday, your birthplace, what school you went to, things like that for many people can be easily located with a Google search or tracking down your profile on Facebook. It's one reason why some recommend that you don't actually answer secret questions with the right answer; you use some sort of nonsensical answer (that you can remember, of course). What is your mother's maiden name? Peanut butter.

Usually the weakest link is customer service, if there's some information you're missing, often having the phone number and SSN can be enough to get other info and get through somehow. The problem is that people sometimes lose access to their e-mail, they forget their passwords, they forget the answers to their secret questions, so if you have the phone, along with some other information, sometimes that's enough to get by. Sometimes not, but then they just steal a different person's phone and try again.
itgeek
Posts: 42
Joined: Sun Dec 08, 2013 11:45 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by itgeek »

This thread got me concerned. I don't really want to use hardware keys unless there is no other option, primarily for the need to carry the key everywhere and the need to keep a backup of the key in case the key is lost, etc.

After looking at various options, I am coming to the following conclusion:

1) The 1st step is to secure my Google account. For this, I am taking the following steps:
--Change the Google password to a complex password randomly generated from a password application (I use 1Password).
--Remove ALL Google account recovery options.
--Print backup codes and save them in 1Password as well as a printout in the safe.
--Use 1Password as the 2FA code generator as opposed to Google Authenticator.

2) Continue to use 1Password as the 2FA code generator for all other accounts.
3) If a code generator is not an option, use GV for the SMS code delivery option.

So far, the above approach seems very, very secure to me and without a need for a hardware key. It should work well on laptops as well as for mobile access. The only weak link here is that this approach assumes 1Password is not hackable. If the 1Password account gets hacked, as it has both the account password as well as the associated 2FA code generator, it's game over. I can further secure 1Password with a hardware key but that would be like going back to square one. Thoughts?
mptfan
Posts: 6205
Joined: Mon Mar 05, 2007 9:58 am

Re: Investors: be aware of weakness in 2FA + strengthening

Post by mptfan »

itgeek wrote: Wed May 27, 2020 11:47 am 1) The 1st step is to secure my Google account. For this, I am taking the following steps:
--Change the Google password to a complex password randomly generated from a password application (I use 1Password).
--Remove ALL Google account recovery options.
--Print backup codes and save them in 1Password as well as a printout in the safe.
--Use 1Password as the 2FA code generator as opposed to Google Authenticator.
I don't think you understand... printing backup codes IS a recovery option. I don't think it's possible to remove ALL google account recovery options, I think Google requires you to have at least one, i.e. if you enroll in the Advanced Protection Program you would only be able to use physical security keys, otherwise, I think you have to have at least two recovery options, and one of them is always your backup codes.

Also, while I agree your proposal is very secure, you are still vulnerable to man-in-the-middle attacks, or social engineering. Using a security key eliminates the man in the middle risk and reduces the social engineering risks to near zero.

Also, I don't understand why 1Password as a code generator would be safer than Google Authenticator.
H-Town
Posts: 2868
Joined: Sun Feb 26, 2017 2:08 pm

Re: Investors: be aware of weakness in 2FA + strengthening

Post by H-Town »

YoungSisyphus wrote: Wed May 27, 2020 7:28 am Not being one of these hackers, I would be speculating on 'how' they do it. I know only that they 'do'. And that typically the hardest part of it is the 2FA validation we've relied on. And now that is what is under attack.

If I had to guess on the other stuff:
1. You could probably find / buy SSN's fairly easily
2. Assuming you tie that SSN to other general information (name, etc)
3. Maybe I use Google and find out your profession or what you've done through social media, LinkedIn. Hey I would guess now that you've probably made some money
4. They probably could find e-mail information used across common accounts

So now I have enough general information to be able to at least know what e-mail you typically tie to your accounts. So let's play this out. Suppose I wanted to get into your Fidelity account. Of course I am a social engineer and I'm a "forgetful user". I go to fidelity.com, and see what it needs to reset your password, and retrieve your username (I am actually checking this as a thought experiment now...)...

and it actually only asks you for some basic information:
This was a fun little experiment. Here are the screenshots of Fidelity's username retrieval steps. Pretty simple. https://imgur.com/a/7YO475L

Name / Birthday / Last 4 of SSN

It then lets you select "username" or password reset. The STOP here before it shares your username, or lets you reset your password, is 2FA! If you can get past 2FA, then I now have your username.

Now let's do password reset. So it sends the reset request to your e-mail (which I know because that's easy). Maybe I also have to reset your e-mail password. Does your e-mail let you reset passwords? How does it let you? Does any of it depend on 2FA? If it does, then I could know your username, and reset your password, in under 30 seconds once I have access to your wireless phone number.

In this experiment - all I needed to know was the last 4 of your social, your name, your birthdate, and have access to your cell phone. I don't think the information part of this is a huge hurdle considering how many data breaches there are with companies.

Edit: All of this to say, if I were to put myself in a hacker's shoes, I'd probably focus first on easily recognizable people that I know deal in cryptocurrency because it would be the easiest to get away with. I assume even if I could reset your username / password, that even transferring money would add time, and complications around what account it goes to. But I don't know... maybe that isn't so hard either. All good things to be aware of though for folks that have enough $ for it to matter.
In real life, it's much harder than you thought to complete the takeover and empty the brokerage account. Why don't you test this in real life? Set up a testing case, i.e. your family member's brokerage account, and document your steps in the process. You have to know pretty much everything, and somehow find a workaround for the ACH name-matching mechanism. Major brokerage houses limit the ability to ACH out only to the original account where the money came from. You should try to ACH out your family member's account to your checking account.

Anyways, I encourage people to use common sense:
1) Don't flaunt your wealth on social media when strangers can easily pick you as a target. It's like walking down a dark alley flaunting jewelry and inviting muggers to come at you.

2) The majority of hacking is from someone close to you, who can have access to your computer, emails, mailbox, etc. It includes maids, relatives, friends, service providers, etc. Be sure to set up security measures to prevent the opportunities from people who are close to you. The exception may be your spouse.

3) Educate yourself on new ways of phishing, security attacks, etc. so that you can revise your security plans accordingly.

4) Set up one checking account and/or one credit card to pay bills. Review transaction history at least weekly. Review your credit report at least monthly.

5) Many "new" and "hot" devices such as Yubikey won't help if you don't use common sense above.