[Don't use Google Voice for two-factor authentication]

Topic Author
RationalWalk
Posts: 461
Joined: Sun May 07, 2023 12:31 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by RationalWalk »

Not so hard to do a SIM swap, Princeton study says:
While wireless carriers have some authentication procedures in place to prevent unauthorized access and the successful takeover of a victim’s phone number by calling the carrier to request a SIM card transfer, these seem inefficient, researchers from Princeton University have discovered.

To evaluate the authentication mechanisms employed by five U.S. prepaid carriers, namely AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless, the researchers signed up for 50 prepaid accounts (10 with each carrier) and then called the provider to request a SIM swap on each account.

“Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers. We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges,” the researchers say.
https://www.securityweek.com/major-us-m ... g-attacks/
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
nps
Posts: 1611
Joined: Thu Dec 04, 2014 9:18 am

Re: [Don't use Google Voice for two-factor authentication]

Post by nps »

RationalWalk wrote: Sun Feb 11, 2024 12:04 pm Not so hard to do a SIM swap, Princeton study says
Hmm maybe the lesson should be "use Google Voice for two-factor authentication"
gavinsiu
Posts: 4289
Joined: Sun Nov 14, 2021 11:42 am

Re: [Don't use Google Voice for two-factor authentication]

Post by gavinsiu »

The reason the wireless carrier has issues is because security is not really high on the priority list and they probably did not set up their workflow properly. For example, if you want a secure method of porting, you can set up some sort of workflow like this:

1. User provides a PIN.
2. If the user does not have a PIN, they show up at a store in person with a state-issued ID to prove who they are.
3. There is no override without PIN or ID, except for a security rep.

However, if they have implemented this, too many users will forget their PIN and get locked out, so they probably have a lot of different overrides to get around the person forgetting their PIN. The override weakens security, since a clever hacker should be able to convince the rep that they simply forgot and would they please override. The other thing you can do is bribe a rep or implant a rep to override. ID can also be faked. Turnover is high and the employee probably gets zero training.

Basically using your wireless carrier as a security gatekeeper is a bad idea.
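
The three-step workflow from the post above, set beside the pass-on-any-single-answer behaviour reported in the study quoted earlier in the thread. This is an added example, not part of any forum post and not any carrier's actual system; the challenge names, the sample requests and the lockout threshold are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"


@dataclass(frozen=True)
class Challenge:
    kind: str      # "pin", "in_person_id", or a knowledge question (names are constructed)
    passed: bool


@dataclass(frozen=True)
class SwapRequest:
    account: str
    channel: str                      # "phone" or "store"
    challenges: tuple
    security_rep_override: bool = False


MAX_FAILED = 2  # assumed lockout threshold; the thread does not give one


def permissive_policy(req):
    """Behaviour the study reports: one correct answer authenticates the
    caller, however many challenges were failed before it."""
    passed_any = any(c.passed for c in req.challenges)
    return Decision.APPROVE if passed_any else Decision.DENY


def strict_policy(req):
    """PIN, or state ID shown in a store, or a security rep. Nothing else."""
    # Step 3: the only override is a security rep.
    if req.security_rep_override:
        return Decision.APPROVE
    # Failed attempts are counted instead of forgotten (assumption added here).
    failed = sum(1 for c in req.challenges if not c.passed)
    if failed > MAX_FAILED:
        return Decision.DENY
    for c in req.challenges:
        if not c.passed:
            continue
        if c.kind == "pin":                                    # step 1
            return Decision.APPROVE
        if c.kind == "in_person_id" and req.channel == "store":  # step 2
            return Decision.APPROVE
    # Knowledge questions, or ID "shown" over the phone, never authenticate.
    return Decision.DENY


# Constructed sample requests, not real call records.
SAMPLE_REQUESTS = (
    SwapRequest("acct-01", "phone", (
        Challenge("billing_zip", False), Challenge("last_payment", False),
        Challenge("recent_call", False), Challenge("activation_date", True))),
    SwapRequest("acct-02", "phone", (Challenge("pin", True),)),
    SwapRequest("acct-03", "store", (Challenge("in_person_id", True),)),
    SwapRequest("acct-04", "phone", (Challenge("in_person_id", True),)),
    SwapRequest("acct-05", "phone", (
        Challenge("pin", False), Challenge("pin", False),
        Challenge("pin", False), Challenge("pin", True))),
    SwapRequest("acct-06", "phone", (Challenge("pin", False),),
                security_rep_override=True),
    SwapRequest("acct-07", "phone", (Challenge("recent_call", True),)),
)


def compare(requests):
    """Map each account to (permissive decision, strict decision)."""
    return {r.account: (permissive_policy(r).value, strict_policy(r).value)
            for r in requests}


def disagreements(requests):
    """Accounts where the two policies reach different decisions."""
    return sorted(acct for acct, (weak, strict) in compare(requests).items()
                  if weak != strict)


if __name__ == "__main__":
    for account, (weak, strict) in compare(SAMPLE_REQUESTS).items():
        print(f"{account}: permissive={weak:8} strict={strict}")
    print("policies disagree on:", ", ".join(disagreements(SAMPLE_REQUESTS)))
```

The security rep path stays the single point where the strict policy can still be talked around, which is the override weakness the post goes on to describe.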
Topic Author
RationalWalk
Posts: 461
Joined: Sun May 07, 2023 12:31 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by RationalWalk »

It appears that prepaid services are particularly vulnerable to SIM swapping, as they don't provide security PINs at all as far as I know.
beyou
Posts: 6793
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Don't use Google Voice for two-factor authentication]

Post by beyou »

michaeljc70 wrote: Sun Feb 11, 2024 11:58 am
RationalWalk wrote: Sun Feb 11, 2024 11:55 am I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
I moved to a new carrier last month. My old carrier required me to verify a bunch of items including the IMEI of my phone. I have no idea how a scammer would be able to get that easily. I didn't have any special lock on transfers.
If your old phone is dead, how would one provide IMEI? They have to have a backup solution and therein lies the security flaw.
beyou
Posts: 6793
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Don't use Google Voice for two-factor authentication]

Post by beyou »

RationalWalk wrote: Sun Feb 11, 2024 11:55 am I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
Really? So the person who got your bank/broker password also has your email password? Boy are you unlucky.
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

RationalWalk wrote: Sun Feb 11, 2024 1:14 pm It appears that prepaid services are particularly vulnerable to SIM swapping, as they don't provide security PINs at all as far as I know.
Yes they do.
michaeljc70
Posts: 10801
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

beyou wrote: Sun Feb 11, 2024 1:15 pm
michaeljc70 wrote: Sun Feb 11, 2024 11:58 am
RationalWalk wrote: Sun Feb 11, 2024 11:55 am I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
I moved to a new carrier last month. My old carrier required me to verify a bunch of items including the IMEI of my phone. I have no idea how a scammer would be able to get that easily. I didn't have any special lock on transfers.
If your old phone is dead, how would one provide IMEI? They have to have a backup solution and therein lies the security flaw.
I guess if I login on a computer, go to Find My Device and click the info button it shows the IMEI. So if they had access to my Google account they could get it.
beyou
Posts: 6793
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Don't use Google Voice for two-factor authentication]

Post by beyou »

michaeljc70 wrote: Sun Feb 11, 2024 1:24 pm
beyou wrote: Sun Feb 11, 2024 1:15 pm
michaeljc70 wrote: Sun Feb 11, 2024 11:58 am
RationalWalk wrote: Sun Feb 11, 2024 11:55 am I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
I moved to a new carrier last month. My old carrier required me to verify a bunch of items including the IMEI of my phone. I have no idea how a scammer would be able to get that easily. I didn't have any special lock on transfers.
If your old phone is dead, how would one provide IMEI? They have to have a backup solution and therein lies the security flaw.
I guess if I login on a computer, go to Find My Device and click the info button it shows the IMEI. So if they had access to my Google account they could get it.
Ah, yes I can see that the IMEI is available on my carrier website. But what does that have to do with Google?
My carrier site has their own security unrelated to Google.
michaeljc70
Posts: 10801
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

beyou wrote: Sun Feb 11, 2024 1:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:24 pm
beyou wrote: Sun Feb 11, 2024 1:15 pm
michaeljc70 wrote: Sun Feb 11, 2024 11:58 am
RationalWalk wrote: Sun Feb 11, 2024 11:55 am I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
I moved to a new carrier last month. My old carrier required me to verify a bunch of items including the IMEI of my phone. I have no idea how a scammer would be able to get that easily. I didn't have any special lock on transfers.
If your old phone is dead, how would one provide IMEI? They have to have a backup solution and therein lies the security flaw.
I guess if I login on a computer, go to Find My Device and click the info button it shows the IMEI. So if they had access to my Google account they could get it.
Ah, yes I can see that the IMEI is available on my carrier website. But what does that have to do with Google?
My carrier site has their own security unrelated to Google.
Google has my IMEI. The Find my Device service (on Android) has info on your phone. I have a non-Google watch with LTE and I can see the IMEI for that too.
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

michaeljc70 wrote: Sun Feb 11, 2024 1:24 pm
beyou wrote: Sun Feb 11, 2024 1:15 pm
michaeljc70 wrote: Sun Feb 11, 2024 11:58 am
RationalWalk wrote: Sun Feb 11, 2024 11:55 am I called my carrier and said I had a new phone and needed to move my number to that phone. The only security check was to send a code to my email that I had to repeat back. Not much deterrence.
I moved to a new carrier last month. My old carrier required me to verify a bunch of items including the IMEI of my phone. I have no idea how a scammer would be able to get that easily. I didn't have any special lock on transfers.
If your old phone is dead, how would one provide IMEI? They have to have a backup solution and therein lies the security flaw.
I guess if I login on a computer, go to Find My Device and click the info button it shows the IMEI. So if they had access to my Google account they could get it.
If Google does this, then that is a huge security issue. Apple Find My does not show the IMEI which is how it should be.
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

michaeljc70 wrote: Sun Feb 11, 2024 1:31 pm
beyou wrote: Sun Feb 11, 2024 1:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:24 pm
beyou wrote: Sun Feb 11, 2024 1:15 pm
michaeljc70 wrote: Sun Feb 11, 2024 11:58 am

I moved to a new carrier last month. My old carrier required me to verify a bunch of items including the IMEI of my phone. I have no idea how a scammer would be able to get that easily. I didn't have any special lock on transfers.
If your old phone is dead, how would one provide IMEI? They have to have a backup solution and therein lies the security flaw.
I guess if I login on a computer, go to Find My Device and click the info button it shows the IMEI. So if they had access to my Google account they could get it.
Ah, yes I can see that the IMEI is available on my carrier website. But what does that have to do with Google?
My carrier site has their own security unrelated to Google.
Google has my IMEI. The Find my Device service (on Android) has info on your phone. I have a non-Google watch with LTE and I can see the IMEI for that too.
This is an excellent reason not to use any Google or Android products.
michaeljc70
Posts: 10801
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

anagram wrote: Sun Feb 11, 2024 2:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:31 pm
beyou wrote: Sun Feb 11, 2024 1:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:24 pm
beyou wrote: Sun Feb 11, 2024 1:15 pm

If your old phone is dead, how would one provide IMEI? They have to have a backup solution and therein lies the security flaw.
I guess if I login on a computer, go to Find My Device and click the info button it shows the IMEI. So if they had access to my Google account they could get it.
Ah, yes I can see that the IMEI is available on my carrier website. But what does that have to do with Google?
My carrier site has their own security unrelated to Google.
Google has my IMEI. The Find my Device service (on Android) has info on your phone. I have a non-Google watch with LTE and I can see the IMEI for that too.
This is an excellent reason not to use any Google or Android products.
According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

michaeljc70 wrote: Sun Feb 11, 2024 2:39 pm
anagram wrote: Sun Feb 11, 2024 2:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:31 pm
beyou wrote: Sun Feb 11, 2024 1:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:24 pm
I guess if I login on a computer, go to Find My Device and click the info button it shows the IMEI. So if they had access to my Google account they could get it.
Ah, yes I can see that the IMEI is available on my carrier website. But what does that have to do with Google?
My carrier site has their own security unrelated to Google.
Google has my IMEI. The Find my Device service (on Android) has info on your phone. I have a non-Google watch with LTE and I can see the IMEI for that too.
This is an excellent reason not to use any Google or Android products.
According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
michaeljc70
Posts: 10801
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

anagram wrote: Sun Feb 11, 2024 3:22 pm
michaeljc70 wrote: Sun Feb 11, 2024 2:39 pm
anagram wrote: Sun Feb 11, 2024 2:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:31 pm
beyou wrote: Sun Feb 11, 2024 1:29 pm

Ah, yes I can see that the IMEI is available on my carrier website. But what does that have to do with Google?
My carrier site has their own security unrelated to Google.
Google has my IMEI. The Find my Device service (on Android) has info on your phone. I have a non-Google watch with LTE and I can see the IMEI for that too.
This is an excellent reason not to use any Google or Android products.
According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

michaeljc70 wrote: Sun Feb 11, 2024 3:30 pm
anagram wrote: Sun Feb 11, 2024 3:22 pm
michaeljc70 wrote: Sun Feb 11, 2024 2:39 pm
anagram wrote: Sun Feb 11, 2024 2:29 pm
michaeljc70 wrote: Sun Feb 11, 2024 1:31 pm
Google has my IMEI. The Find my Device service (on Android) has info on your phone. I have a non-Google watch with LTE and I can see the IMEI for that too.
This is an excellent reason not to use any Google or Android products.
According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
That is not using the Find My app on another device. You are changing scenarios.
michaeljc70
Posts: 10801
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

anagram wrote: Sun Feb 11, 2024 3:39 pm
michaeljc70 wrote: Sun Feb 11, 2024 3:30 pm
anagram wrote: Sun Feb 11, 2024 3:22 pm
michaeljc70 wrote: Sun Feb 11, 2024 2:39 pm
anagram wrote: Sun Feb 11, 2024 2:29 pm

This is an excellent reason not to use any Google or Android products.
According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
That is not using the Find My app on another device. You are changing scenarios.
You can get the IMEI without the device which is the whole point. You think the name of the website/app makes it harder for scammers?
torso2500
Posts: 113
Joined: Wed Sep 14, 2022 11:35 am

Re: [Don't use Google Voice for two-factor authentication]

Post by torso2500 »

anagram wrote: Sun Feb 11, 2024 3:39 pm
michaeljc70 wrote: Sun Feb 11, 2024 3:30 pm
anagram wrote: Sun Feb 11, 2024 3:22 pm
michaeljc70 wrote: Sun Feb 11, 2024 2:39 pm
anagram wrote: Sun Feb 11, 2024 2:29 pm

This is an excellent reason not to use any Google or Android products.
According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
That is not using the Find My app on another device. You are changing scenarios.
If they are in your Find My app, they must have access to a device or environment that's logged into your Apple account. It's a connected scenario. I believe the new Stolen Device setting that launched in a recent iOS update may help with this though.
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

michaeljc70 wrote: Sun Feb 11, 2024 4:05 pm
anagram wrote: Sun Feb 11, 2024 3:39 pm
michaeljc70 wrote: Sun Feb 11, 2024 3:30 pm
anagram wrote: Sun Feb 11, 2024 3:22 pm
michaeljc70 wrote: Sun Feb 11, 2024 2:39 pm

According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
That is not using the Find My app on another device. You are changing scenarios.
You can get the IMEI without the device which is the whole point. You think the name of the website/app makes it harder for scammers?
Please let me know how you expect to hack iCloud that is protected with a YubiKey.
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

torso2500 wrote: Sun Feb 11, 2024 6:08 pm
anagram wrote: Sun Feb 11, 2024 3:39 pm
michaeljc70 wrote: Sun Feb 11, 2024 3:30 pm
anagram wrote: Sun Feb 11, 2024 3:22 pm
michaeljc70 wrote: Sun Feb 11, 2024 2:39 pm

According to this, it does:
https://www.makeuseof.com/ways-to-find- ... hone-ipad/
No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
That is not using the Find My app on another device. You are changing scenarios.
If they are in your Find My app, they must have access to a device or environment that's logged into your Apple account. It's a connected scenario. I believe the new Stolen Device setting that launched in a recent iOS update may help with this though.
The point is it is NOT in Find My with Apple. Apparently it is available in Find My with Google.
snic
Posts: 637
Joined: Wed Jun 28, 2023 11:37 am

Re: [Don't use Google Voice for two-factor authentication]

Post by snic »

nps wrote: Sun Feb 11, 2024 12:13 pm
RationalWalk wrote: Sun Feb 11, 2024 12:04 pm Not so hard to do a SIM swap, Princeton study says
Hmm maybe the lesson should be "use Google Voice for two-factor authentication"
Or perhaps, "Use Google Fi for the phone you use for 2FA". Should be just as secure as GV with regard to SIM swapping and malicious port-outs, and even financial institutions that refuse GV numbers should accept Fi numbers.

With regard to cookie-stealing by malicious browser extensions: would using incognito mode for logging in to financial institutions' web sites (and the email account used for financial stuff) provide any degree of protection? The idea is that you would disable all browser extensions in incognito mode except the password manager. So even if you have a malicious extension operating in the "swamp" that is your regular browser session, it can't see your session cookies for the incognito session. Or can it?
gavinsiu
Posts: 4289
Joined: Sun Nov 14, 2021 11:42 am

Re: [Don't use Google Voice for two-factor authentication]

Post by gavinsiu »

snic wrote:
Or perhaps, "Use Google Fi for the phone you use for 2FA". Should be just as secure as GV with regard to SIM swapping and malicious port-outs, and even financial institutions that refuse GV numbers should accept Fi numbers.

With regard to cookie-stealing by malicious browser extensions: would using incognito mode for logging in to financial institutions' web sites (and the email account used for financial stuff) provide any degree of protection? The idea is that you would disable all browser extensions in incognito mode except the password manager. So even if you have a malicious extension operating in the "swamp" that is your regular browser session, it can't see your session cookies for the incognito session. Or can it?

Incognito mode only means your browsing history is erased when you close the browser; it does not prevent the website from collecting info about you. All it does is prevent other members of your family from seeing what you have been browsing.

Cookie stealing isn’t new and it’s difficult because modern browsers and OSes have so much protection. Any exploits are quickly closed up.
Some of the extensions like uBlock Origin are actually protective since they block ads. What would be more protective is to make sure you are browsing on HTTPS so that your traffic is encrypted.
michaeljc70
Posts: 10801
Joined: Thu Oct 15, 2015 3:53 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by michaeljc70 »

anagram wrote: Sun Feb 11, 2024 6:46 pm
michaeljc70 wrote: Sun Feb 11, 2024 4:05 pm
anagram wrote: Sun Feb 11, 2024 3:39 pm
michaeljc70 wrote: Sun Feb 11, 2024 3:30 pm
anagram wrote: Sun Feb 11, 2024 3:22 pm

No, the quote above was for using Find My. If you use FM and get info on a device you cannot get the IMEI. Of course you can get the IMEI if you go to Settings on the actual device in question. That's rather obvious.
"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
That is not using the Find My app on another device. You are changing scenarios.
You can get the IMEI without the device which is the whole point. You think the name of the website/app makes it harder for scammers?
Please let me know how you expect to hack iCloud that is protected with a YubiKey.
Every iPhone has a Yubikey? You keep changing the scenario. Your original premise was that the iPhone was more secure because you couldn't get the IMEI without the phone. You can get a Yubikey to secure your Google account too.
Vulcan
Posts: 2949
Joined: Sat Apr 05, 2014 11:43 pm

Re: Google Voice for 2FA verification can be easily hacked

Post by Vulcan »

torso2500 wrote: Sat Feb 10, 2024 11:22 am Once the machine is compromised they can get into everything
Many people still haven't internalized this simple fact.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
Vulcan
Posts: 2949
Joined: Sat Apr 05, 2014 11:43 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by Vulcan »

nps wrote: Sun Feb 11, 2024 12:13 pm
RationalWalk wrote: Sun Feb 11, 2024 12:04 pm Not so hard to do a SIM swap, Princeton study says
Hmm maybe the lesson should be "use Google Voice for two-factor authentication"
Or Google Fi.
Absolutely.
88Mike
Posts: 17
Joined: Tue Sep 12, 2023 9:43 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by 88Mike »

This is just a scammy clickbait article pushing Authy. Nothing that was described here implicates Google Voice 2FA as being more vulnerable than any other 2FA option. It is unnecessarily alarmist and the mods should delete IMO.
torso2500
Posts: 113
Joined: Wed Sep 14, 2022 11:35 am

Re: Google Voice for 2FA verification can be easily hacked

Post by torso2500 »

Vulcan wrote: Mon Feb 12, 2024 7:23 am
torso2500 wrote: Sat Feb 10, 2024 11:22 am Once the machine is compromised they can get into everything
Many people still haven't internalized this simple fact.
Yeah, there have been multiple threads on here that are about things to do assuming your machine is compromised as if that's a random chance occurrence or some unknown thing that happens- no! The first focus should be on how compromise happens so you can protect yourself from unwittingly participating in it. 99.999999% of the time you have to take some sort of affirmative action to let malicious access start, whether it's clicking "install" or "download", changing a setting, etc. If your machine is compromised there's no point wondering how to maneuver around specifics, you'll just have to nuke the machine and start fresh.
anagram
Posts: 1460
Joined: Fri Aug 04, 2023 1:03 am

Re: [Don't use Google Voice for two-factor authentication]

Post by anagram »

michaeljc70 wrote: Mon Feb 12, 2024 6:45 am
anagram wrote: Sun Feb 11, 2024 6:46 pm
michaeljc70 wrote: Sun Feb 11, 2024 4:05 pm
anagram wrote: Sun Feb 11, 2024 3:39 pm
michaeljc70 wrote: Sun Feb 11, 2024 3:30 pm

"If you don't have your iPhone or iPad with you but need its IMEI number, there may still be hope online. As long as the device is connected to your iCloud account, you can get your iPhone's IMEI information from Apple's website."
That is not using the Find My app on another device. You are changing scenarios.
You can get the IMEI without the device which is the whole point. You think the name of the website/app makes it harder for scammers?
Please let me know how you expect to hack iCloud that is protected with a YubiKey.
Every iPhone has a Yubikey? You keep changing the scenario. Your original premise was that the iPhone was more secure because you couldn't get the IMEI without the phone. You can get a Yubikey to secure your Google account too.
What I said was by using Find My on another Apple device, you cannot get the IMEI for an iPhone. That's all I said. I'm not continuing this discussion. Good luck to you.
Topic Author
RationalWalk
Posts: 461
Joined: Sun May 07, 2023 12:31 pm

Re: [Don't use Google Voice for two-factor authentication]

Post by RationalWalk »

To maximize security some people on the board have suggested using a dedicated device for logging only onto financial websites. If your only exposure to Google is on that machine and you are using GV for 2FA perhaps that is the safest 2FA strategy. Kind of inconvenient but your chances of picking up cookie hijacking or other malware would be pretty minimal that way. It would also mean not using Gmail or any other Google apps on any machine, I believe. Only GV on the dedicated machine.
gavinsiu
Posts: 4289
Joined: Sun Nov 14, 2021 11:42 am

Re: [Don't use Google Voice for two-factor authentication]

Post by gavinsiu »

RationalWalk wrote: Mon Feb 12, 2024 11:55 am To maximize security some people on the board have suggested using a dedicated device for logging only onto financial websites. If your only exposure to Google is on that machine and you are using GV for 2FA perhaps that is the safest 2FA strategy. Kind of inconvenient but your chances of picking up cookie hijacking or other malware would be pretty minimal that way. It would also mean not using Gmail or any other Google apps on any machine, I believe. Only GV on the dedicated machine.
You can also do that by creating virtual machines and logging into each machine for its own purpose. If you set up the network properly, they won't be able to talk to each other. Of course the protection isn't perfect; some malware might exploit a virtual machine vulnerability to break out of the network. I think this is a bit too much for everyday use.
1955Chevy
Posts: 67
Joined: Thu Jul 11, 2019 8:30 am
Location: Land of Milk and Honey

This is the way

Post by 1955Chevy »

torso2500 wrote: Sat Feb 10, 2024 1:00 pm I guess you could combat this by tying the GV number to a separate account from the one used for the logins. Then you have to never log into the GV-linked account anywhere that would cause both auth tokens to be saved in the same place.
IMO, this is correct. I have an unused Gmail account behind a Yubikey just for Google Voice. I prefer TOTP/Yubikey, but for the sites (read: banks) that only use SMS, I use the GV number. Further, every login has a different email alias so no accounts are connected to any other, i.e.: bogleforum@mydomain.com | vanguard5565@broker.mydomain.com | cutekittenvideos@hobbies.mydomain.com etc.

You don't have access to email aliases? There are online services that offer them, or better yet, roll your own when you pay a few bucks a month for your email service at a place like FastMail, so you aren't the product of the "free" email service.
"Investment success accrues not so much to the brilliant as to the disciplined." | Bernstein
HanSolo
Posts: 2146
Joined: Thu Jul 19, 2012 3:18 am

Re: [Don't use Google Voice for two-factor authentication]

Post by HanSolo »

True to the thread title, I don't use Google Voice for two-factor authentication.

The reason is, I prefer to use the same set of phone numbers at all of my financial institutions, and if any of them refuse to use my GV number, then I won't use my GV number at any of them.
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)