Mailing List Archive

Malicious SS7 activity and why SMS should never be used for 2FA
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/


Anecdotal: With the prior consent of the DID holders, I have successfully
ported peoples' numbers using nothing more than a JPG scan of a signature
that looks like an illegible 150 dpi black and white blob, pasted in an
image editor on top of a generic looking 'phone bill'.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
Every SMS 2FA should check the current carrier against the carrier when
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a
few others do this.

--
Tim

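
A sketch of the port-out check Tim describes, as an added example that is not code from the thread or from any bank's implementation: the carrier observed at enrollment is stored with the SMS factor, and every later use re-queries the carrier and disables the factor on a mismatch. The lookup table is constructed test data standing in for a real carrier / number-portability lookup API (an assumption); the numbers and carrier names are made up.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed test data standing in for a carrier / number-portability lookup
# service. Assumption: a real deployment queries an external lookup API keyed
# on the E.164 number. The numbers and carrier names here are made up.
CARRIER_DB = {
    "+15555550100": "Carrier A Wireless",
    "+15555550101": "Carrier B Mobile",
}

Lookup = Callable[[str], Optional[str]]


def lookup_carrier(number: str) -> Optional[str]:
    """Return the carrier currently serving `number`, or None if the lookup fails."""
    return CARRIER_DB.get(number)


@dataclass
class SmsFactor:
    """An enrolled SMS second factor, bound to the carrier seen at enrollment."""
    number: str
    carrier_at_enrollment: str
    enabled: bool = True


def enroll_sms_factor(number: str, lookup: Lookup = lookup_carrier) -> SmsFactor:
    """Record the carrier at enrollment. Refuse to enroll when it cannot be
    determined, since there would be nothing to compare against later."""
    carrier = lookup(number)
    if carrier is None:
        raise ValueError("carrier lookup failed for %s; SMS factor not enrolled" % number)
    return SmsFactor(number=number, carrier_at_enrollment=carrier)


def sms_factor_allowed(factor: SmsFactor, lookup: Lookup = lookup_carrier):
    """Decide whether an OTP may be sent over SMS to this factor right now.

    Returns (allowed, reason) and fails closed: a lookup failure blocks the
    send, and a carrier that differs from the one seen at enrollment is
    treated as a port-out, which disables the factor until the user
    re-enrolls it through a stronger path."""
    if not factor.enabled:
        return False, "disabled"
    current = lookup(factor.number)
    if current is None:
        return False, "lookup_failed"
    if current != factor.carrier_at_enrollment:
        factor.enabled = False
        return False, "ported_out"
    return True, "ok"


def port_number(number: str, new_carrier: str) -> None:
    """Simulate a port-out by changing the constructed lookup data."""
    CARRIER_DB[number] = new_carrier


if __name__ == "__main__":
    factor = enroll_sms_factor("+15555550100")
    print(sms_factor_allowed(factor))          # (True, 'ok')
    port_number("+15555550100", "Carrier C Telecom")
    print(sms_factor_allowed(factor))          # (False, 'ported_out')
    print(sms_factor_allowed(factor))          # (False, 'disabled')
```

The check only notices a change of carrier: a SIM swap or SMS-forwarding attack that leaves the number on the same carrier passes it, and lookup data can lag a real port. That is why the code fails closed on any lookup failure and never re-enables a disabled factor on its own.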
Re: Malicious SS7 activity and why SMS should never be used for 2FA
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.

-mel via cell

On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson.tim@gmail.com> wrote:

Re: Malicious SS7 activity and why SMS should never be used for 2FA
PayPal used to openly support token 2FA, but has since made it nearly
impossible to use hardware tokens. They try very hard to ram SMS down
everyone's throats.

-Dan

On Sun, 18 Apr 2021, Mel Beckman wrote:

Re: Malicious SS7 activity and why SMS should never be used for 2FA
I'd add to that that people probably shouldn't treat phones as a significant increase in security; it's not really the out-of-band device that it used to be/was in the 1990s. Today, it basically equates to a second computer, and the probability that the second computer is also compromised isn't overly unrealistic. While the focus is rightfully on SMS, I'd basically consider anything that isn't a hardware token to be more or less the same, although in fairness the specifics of what we're talking about here don't include any of the computers involved, which is a different problem.

18.04.2021, 06:21, "Mel Beckman" <mel@beckman.org>:
Re: Malicious SS7 activity and why SMS should never be used for 2FA
On 4/18/21 05:18, Mel Beckman wrote:


While I agree that SMS is insecure at the moment, I think there still
needs to be a mechanism that does not rely on the presence of an
Internet connection. One may not be able to have access to the Internet
for a number of reasons (traveling, coverage, outage, device, money,
etc.), and a fallback needs to be available to authenticate.

I know some companies have been pushing for voice authentication for
their services through a phone call, in lieu of SMS or DTMF-based PINs.

We need something that works at the lowest common denominator as well,
because as available as the Internet is worldwide, it's not yet at a
level that one would consider "basic access".

Mark.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it has been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
Re: Malicious SS7 activity and why SMS should never be used for 2FA
On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
> Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.

Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication
factor is not secure enough; that's why you use two. SMS for 1FA is
hugely risky and should not be used for anything important, like
money. SMS for a password reset is an example of 1FA -- your ability
to receive SMS messages at the required phone number becomes the sole
authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your
phone number, what makes you think they lack the wherewithal to have
captured the shared secret used to generate your TOTP code?

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never be used for 2FA
Bill,

SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:

https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

-mel

On Apr 18, 2021, at 6:31 AM, William Herrin <bill@herrin.us> wrote:

Re: Malicious SS7 activity and why SMS should never be used for 2FA
On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org> wrote:
> SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:
>
> https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

Mel,

That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never be used for 2FA
Although NIST “softened” its stance on SMS for 2FA, it’s still a bad choice for 2FA. There are many ways to attack SMS, not the least of which is social engineering of the security-unconscious cellular carriers. The bottom line is, why use an insecure form of communication for 2FA at all? Since very good hardware-token-quality OTP apps are freely available, why be so lazy as to implement 2FA using radically insecure SMS?

Your argument that 2FA is only meant to “enhance” the security of a memorized password is just wrong. 2FA is meant as a bulwark against passwords that very often are disclosed by data breaches, through no fault of the password owner. 2FA enhances nothing. It guards against the abject security failures of others.

Consider this sage advice from 2020, long after NIST caved to industry pressure on its recommendations.

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html

-mel

On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us<mailto:bill@herrin.us>> wrote:

Re: Malicious SS7 activity and why SMS should never be used for 2FA
Bill,

You don’t even have to bother with social engineering, as Bruce Schneier points out in his blog from last month:

https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html

"It turns out that with a little bit of anonymous money — in this case, $16 off an anonymous prepaid credit card — and a few lies, you can forward the text messages from any phone to any other phone.”

-mel

On Apr 18, 2021, at 8:24 AM, Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote:

Re: Malicious SS7 activity and why SMS should never be used for 2FA
On 4/18/21 15:04, Mel Beckman wrote:


It's quite likely that most institutions (especially financial ones)
will prefer to use their own homegrown app-based authenticators. But
again, those require a smartphone, which is still not the most basic
pathway.

The good news - I just ran a test to log on to my banking profile from
my laptop. I disconnected my phone from the world (Airplane mode) and
while the app complained about not having Internet access, it was still
able to generate a log-on, transaction or re-authentication code. So
that helps. But that's just one of them... the other banks I use either
don't have apps that replace physical authenticators, or require an
Internet connection for 2FA. Thankfully, none of them require SMS to
authenticate.

Nearly all the banks use SMS to either confirm a transaction has taken
place, or to deliver an OTP to complete a transaction (but don't use SMS
to do the initial or follow-up authentication).

Some of them are sending secure messages to confirm (and notify about)
transactions within their apps, in lieu of SMS.

Mark.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
On Sun, Apr 18, 2021 at 8:31 AM Mel Beckman <mel@beckman.org> wrote:
> You don’t even have to bother with social engineering [...]
> $16 off an anonymous prepaid credit card — and a few lies

Mel,

What do you think social engineering is? It's a couple well placed
lies that convince someone to do the wrong thing.

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never be used for 2FA
Fine. And you think 2FA trivially susceptible to social engineering is OK. “Come on, man”, as Biden would say :)

-mel

> On Apr 18, 2021, at 11:29 AM, William Herrin <bill@herrin.us> wrote:
Re: Malicious SS7 activity and why SMS should never be used for 2FA
On top of this most TOTP and HOTP systems have additional security checks
like blocking reuse of codes, rate-limiting of guesses, and in some cases
acceptance of earlier codes (in TOTP) if the clock skews too far that make
them much stronger options which decreases security but is certainly more
of a convenience factor.

-john


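
The HOTP/TOTP mechanics Mel describes earlier in the thread (shared secret enrolled as a 16- or 32-character key, code derived from a counter or from the clock) and the verification-side safeguards John lists above (replay blocking, rate limiting, a bounded clock-skew window), as one added example that is not code from the thread, from Google Authenticator or from any named product. It is a stdlib-only Python implementation of RFC 4226 and RFC 6238; the enrollment key is base32 of the RFCs' own test-vector secret so the outputs can be checked against the RFC appendices, and the window size, digit count and failure limit are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_provisioning_key(key: str) -> bytes:
    """The 16- or 32-character key shown at enrollment is base32 of the raw
    secret (10 or 20 bytes); QR payloads usually omit the '=' padding."""
    key = key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


class TotpVerifier:
    """Server-side check with the safeguards John lists: a bounded skew window,
    no reuse of a consumed time-step, and lockout after repeated failures.
    Window, digits and the failure limit are assumptions, not thread values."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, max_failures: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.max_failures = max_failures
        self.last_step = -1      # highest time-step already consumed
        self.failures = 0        # consecutive failed attempts

    def verify(self, code: str, unix_time: int):
        """Return (accepted, reason) for `code` submitted at `unix_time`."""
        if self.failures >= self.max_failures:
            return False, "locked"
        if len(code) != self.digits or not code.isdigit():
            self.failures += 1
            return False, "bad_code"
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                if step <= self.last_step:
                    self.failures += 1       # a valid but already-used code
                    return False, "replay"
                self.last_step = step
                self.failures = 0
                return True, "ok"
        self.failures += 1
        return False, "bad_code"


# Constructed enrollment key: base32 of the RFC 4226 / RFC 6238 test-vector
# secret "12345678901234567890", so the outputs can be checked against the RFCs.
DEMO_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_provisioning_key(DEMO_KEY)
    print(hotp(secret, 0))                    # 755224 (RFC 4226 counter 0)
    print(totp(secret, 59, digits=8))         # 94287082 (RFC 6238, T=59)
    print(totp(secret, int(time.time())))     # code for the current 30-second step
    v = TotpVerifier(secret)
    print(v.verify("287082", 59))             # (True, 'ok')
    print(v.verify("287082", 59))             # (False, 'replay')
```

The replay rule rejects any time-step at or below the last one accepted, so a code from the previous step is refused even though it is still inside the skew window. `last_step` and `failures` must be per-user state in persistent storage; keeping them in process memory reopens both holes on a restart or on a second server.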
Re: Malicious SS7 activity and why SMS should never be used for 2FA
On Sun, Apr 18, 2021 at 12:03 PM John Adams <jna@retina.net> wrote:
> On top of this most TOTP and HOTP systems have additional security checks
> like blocking reuse of codes, rate-limiting of guesses, and in some cases
> acceptance of earlier codes (in TOTP) if the clock skews too far that make
> them much stronger options which decreases security but is certainly more
> of a convenience factor.

Hi John,

On a site, the symmetric key used to generate the TOTP code is stored in
the same database as the user's password. Unencrypted or with readily
reversible encryption since unlike a password it can't be verified by
comparing ciphertext. Your protection is that every site uses a different
TOTP key, just like you're supposed to use a different password, so
compromise of a single site doesn't broadly compromise you elsewhere. It
can also be captured with malware on your phone, the same place an
adversary will sniff your password, which -will- broadly compromise you if
you're also entering the passwords on your phone.

None of these authentication schemes are magic. They all have attack
vectors with varying degrees of difficulty, none of which are particularly
harder than breaking a well chosen password. 2FA doesn't solve this. All it
does is require an adversary to break -two- completely different
authentication schemes in close enough proximity that you won't have closed
the first breach before they gain the second. That's it. That's all it
does.

While attacks on SMS are certainly practical, stop and think for a moment
on how you would scale them up and break 10000 accounts per day. Got a plan
where you're not caught in the first two days? No, you don't.

SMS is not a strong authentication factor. When used well, it's not
intended to be. It's meant to require an adversary to do enough extra work
after having already captured your password that unless they're
specifically targeting you, the odds favor discovering and correcting the
original breach before much harm can be done. For that use and that use
only, it performs about as well as TOTP.

If you can reset your email password with an SMS message and reset your
bank password with an email then SMS has been misused as a very weak single
factor authentication process. Not because SMS offers weak authentication
(that's all it's meant to offer) but because it was used incorrectly in a
process that needed strong authentication.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never be used for 2FA
I’m sorry - I think we miscommunicated here.

I was not advocating for TOTP or HOTP for SMS - in fact I’m completely against SMS being used for multi factor auth at all.

-j

Sent from my iPhone

> On Apr 18, 2021, at 12:48, William Herrin <bill@herrin.us> wrote:
Re: Malicious SS7 activity and why SMS should never be used for 2FA
I wonder how much of this is moot because the amount of actual SS7 is
low and getting lower every day. Aren't most "SMS" messages these days
just SIP MESSAGE transactions, or maybe they use XMPP? As I understand a
lot of the cell carriers are using SIPoLTE directly to your phone.

Mike

On 4/18/21 8:24 AM, Mel Beckman wrote:
> Although NIST “softened” its stance on SMS for 2FA, it’s still a bad
> choice for 2FA. There are many ways to attack SMS, not the least of
> which is social engineering of the security-unconscious cellular
> carriers. The bottom line is, why use an insecure form of
> communication for 2FA at all? Since very good hardware-token-quality
> OTP apps are freely available, why be so lazy as to implement 2FA
> using radically insecure SMS?
>
> Your argument that 2FA is only meant to “enhance” the security of a
> memorized password is just wrong. 2FA is meant as a /bulwark /against
> passwords that very often are disclosed by data breaches, through no
> fault of the password owner. 2FA enhances nothing. It guards against
> the abject security failures of others.
>
> Consider this sage advice from 2020, long after NIST caved to industry
> pressure on its recommendations.
>
> https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html
> <https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html>
>
>   -mel
>
>> On Apr 18, 2021, at 8:02 AM, William Herrin <bill@herrin.us
>> <mailto:bill@herrin.us>> wrote:
>>
>> On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org
>> <mailto:mel@beckman.org>> wrote:
>>> SMS for 2FA is not fine. I recommend you study the issue in more
>>> depth. It’s not just me who disagrees with you:
>>>
>>> https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
>>> <https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html>
>>
>> Mel,
>>
>> That Schneier article is from 2016. The 3/2020 update to the NIST
>> recommendation (four years later and the currently active one) still
>> allows the use of SMS specifically and the PSTN in general as an out
>> of band authenticator in part of a two-factor authentication scheme.
>> The guidance includes a note explaining the social engineering threat
>> to SMS authenticators: "An out of band secret sent via SMS is received
>> by an attacker who has convinced the mobile operator to redirect the
>> victim’s mobile phone to the attacker."
>>
>> https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1
>>
>> The bottom line is that an out-of-band authenticator like SMS is meant
>> to -enhance- the security of a memorized secret authenticator, not
>> replace it. If properly used, it does exactly that. If misused, it of
>> course weakens your security.
>>
>> Regards,
>> Bill Herrin
>>
>>
>>
>> --
>> William Herrin
>> bill@herrin.us
>> https://bill.herrin.us/
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
One of my main problems with SMS 2FA from a usability standpoint, aside
from SS7 hijacks and security problems, is that it cannot be relied upon
when traveling in many international locations. I have been *so many places*
where there is just about zero chance of my T-Mobile SIM successfully
roaming onto the local network and receiving SMS at my US or Canadian
number successfully.

What am I supposed to do, take the SIM out of my phone, put it in a burner
and give it to a trusted family member in North America, just for the
purpose of receiving SMS 2FA codes (which I then have to call them and get
the code from manually each time), before going somewhere weird?

In the pre-COVID-19 era when people were actually traveling places, imagine
you've had reason to go somewhere weird and need access to a thing (such as
your online banking, perhaps?) protected by SMS 2FA, but you have
absolutely no way of receiving the SMS where you're presently located...

Many of the people designing SMS 2FA systems used by people with
accounts/services in the US 50 states and Canada seem to assume that their
domestic customers will forever remain in a domestic location.




On Sun, Apr 18, 2021 at 5:44 AM Mark Tinka <mark@tinka.africa> wrote:

>
>
> On 4/18/21 05:18, Mel Beckman wrote:
>
> > No, every SMS 2FA should be prohibited by regulatory certifications.
> > The telcos had years to secure SMS. They did nothing. The plethora of
> > well-secured commercial 2FA authentication tokens, many of them free,
> > should be a mandatory replacement for 2FA in every security governance
> > regime, such as PCI, financial account access, government web portals,
> > etc.
>
> While I agree that SMS is insecure at the moment, I think there still
> needs to be a mechanism that does not rely on the presence of an
> Internet connection. One may not be able to have access to the Internet
> for a number of reasons (traveling, coverage, outage, device, money,
> e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for
> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well,
> because as available as the Internet is worldwide, it's not yet at a
> level that one would consider "basic access".
>
> Mark.
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 05:05, Eric Kuhnke wrote:

> One of my main problems with SMS 2FA from a usability standpoint,
> aside from SS7 hijacks and security problems, is that it cannot be
> relied upon when traveling in many international locations. I have
> been /so many places/ where there is just about zero chance of my
> T-Mobile SIM successfully roaming onto the local network and receiving
> SMS at my US or Canadian number successfully.
>
> What am I supposed to do, take the SIM out of my phone, put it in a
> burner and give it to a trusted family member in North America, just
> for the purpose of receiving SMS 2FA codes (which I then have to call
> them and get the code from manually each time), before going somewhere
> weird?
>
> In the pre-COVID-19 era when people were actually traveling places,
> imagine you've had reason to go somewhere weird and need access to a
> thing (such as your online banking, perhaps?) protected by SMS 2FA,
> but you have absolutely no way of receiving the SMS where you're
> presently located...
>
> Many of the people designing SMS 2FA systems used by people with
> accounts/services in the US 50 states and Canada seem to assume that
> their domestic customers will forever remain in a domestic location.

This is a practical problem that I suffer with one of my South African
providers, every time I traveled to the U.S. in the last 3 years. I
could roam on all GSM networks in the U.S., and even make voice calls,
but SMS's would not get delivered. Delivery of those only resumed the
moment I transited in the Gulf on my way back home. This did not affect
other countries I traveled to.

But you are right, most network operators and SMS authentication
designers do not necessarily work together to account for folk that travel.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 19/4/21 2:36 pm, Mark Tinka wrote:
> On 4/19/21 05:05, Eric Kuhnke wrote:
[...]
>> In the pre-COVID-19 era when people were actually traveling places,
>> imagine you've had reason to go somewhere weird and need access to a
>> thing (such as your online banking, perhaps?) protected by SMS 2FA,
>> but you have absolutely no way of receiving the SMS where you're
>> presently located...
>>
>> Many of the people designing SMS 2FA systems used by people with
>> accounts/services in the US 50 states and Canada seem to assume that
>> their domestic customers will forever remain in a domestic location.
>
> This is a practical problem that I suffer with one of my South African
> providers, every time I traveled to the U.S. in the last 3 years. I
> could roam on all GSM networks in the U.S., and even make voice calls,
> but SMS's would not get delivered. Delivery of those only resumed the
> moment I transited in the Gulf on my way back home. This did not affect
> other countries I traveled to.
>
> But you are right, most network operators and SMS authentication
> designers do not necessarily work together to account for folk that travel.

This is already probably past the point of being on topic here, but you
tickled my personal favorite one of these.

My airline of choice (Qantas) has mandatory SMS second factor, after
perhaps a mobile carrier requiring it for support one of the most
facepalm-worthy uses of SMS 2FA I've seen.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 06:50, Julien Goodwin wrote:

> This is already probably past the point of being on topic here, but you
> tickled my personal favorite one of these.
>
> My airline of choice (Qantas) has mandatory SMS second factor, after
> perhaps a mobile carrier requiring it for support one of the most
> facepalm-worthy uses of SMS 2FA I've seen.

It's interesting that VoWiFi is meant to support both voice and SMS,
domestically and when one travels. So I'm curious why SMS's would not
work with VoWiFi when traveling to a country that won't deliver your
SMS's generically. After all, VoWiFi is, as far as I understand it,
meant to be a direct IP tunnel back to your home network for both
billing and service.

If anyone has more clue about this on the list, I'd really like to know,
as my mobile service providers hardly know what I'm talking about when I
ring them up with questions.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
I would start with cellular carriers and nations that intentionally take
steps to block anything VoIP as a threat to their revenue model. Or because
anything vpn/ipsec/whatever related is a threat to local Internet
censorship laws.

Plenty of places the sort of ipsec tunnel used for vowifi is not usable on
whatever consumer-grade cellular or local broadband ISP you might find.




On Sun, Apr 18, 2021 at 11:11 PM Mark Tinka <mark@tinka.africa> wrote:

>
>
> On 4/19/21 06:50, Julien Goodwin wrote:
>
> > This is already probably past the point of being on topic here, but you
> > tickled my personal favorite one of these.
> >
> > My airline of choice (Qantas) has mandatory SMS second factor, after
> > perhaps a mobile carrier requiring it for support one of the most
> > facepalm-worthy uses of SMS 2FA I've seen.
>
> It's interesting that VoWiFi is meant to support both voice and SMS,
> domestically and when one travels. So I'm curious why SMS's would not
> work with VoWiFi when traveling to a country that won't deliver your
> SMS's generically. After all, VoWiFi is, as far as I understand it,
> meant to be a direct IP tunnel back to your home network for both
> billing and service.
>
> If anyone has more clue about this on the list, I'd really like to know,
> as my mobile service providers hardly know what I'm talking about when I
> ring them up with questions.
>
> Mark.
>
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 11:17, Eric Kuhnke wrote:

> I would start with cellular carriers and nations that intentionally
> take steps to block anything VoIP as a threat to their revenue model.
> Or because anything vpn/ipsec/whatever related is a threat to local
> Internet censorship laws.
>
> Plenty of places the sort of ipsec tunnel used for vowifi is not
> usable on whatever consumer-grade cellular or local broadband ISP you
> might find.

Not sure what that says for the US of A, as that is where this has hit
me so far.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
>
> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection
>

Lots of people still use feature phones that are not capable of running
applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:

> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection. The authenticated system generates a
> secret key - a unique 16 or 32 character alphanumeric code. This key is
> scanned by GA or can be entered manually and as a result, both the
> authenticated system and GA know the same secret key, and can compute the
> time-based 2nd factor OTP just as hardware tokens do.
>
> There are two algorithms: HOTP and TOTP. The main difference is in OTP
> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
> TOTP times out after some specified interval - usually 30 or 60 seconds.
> For TOTP, the system time must be synced, otherwise the generated OTPs will
> be wrong. But you can get accurate enough clock time without the Internet,
> either manually using some radio source such as WWV, or by GPS or cellular
> system synchronization.
>
> -mel
>
> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
> >
> >
> >> On 4/18/21 05:18, Mel Beckman wrote:
> >>
> >> No, every SMS 2FA should be prohibited by regulatory certifications.
> The telcos had years to secure SMS. They did nothing. The plethora of
> well-secured commercial 2FA authentication tokens, many of them free,
> should be a mandatory replacement for 2FA in every security governance
> regime, such as PCI, financial account access, government web portals, etc.
> >
> > While I agree that SMS is insecure at the moment, I think there still
> needs to be a mechanism that does not rely on the presence of an Internet
> connection. One may not be able to have access to the Internet for a number
> of reasons (traveling, coverage, outage, device, money, e.t.c.), and a
> fallback needs to be available to authenticate.
> >
> > I know some companies have been pushing for voice authentication for
> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
> >
> > We need something that works at the lowest common denominator as well,
> because as available as the Internet is worldwide, it's not yet at a level
> that one would consider "basic access".
> >
> > Mark.
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk.

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 14:47, Mel Beckman wrote:

> Then they can buy a hardware token. Using SMS is provably insecure,
> and for people being spear-phished (a much more common occurrence now
> that so much net worth data has been breached), a huge risk

Most regular folk (especially those that may not have smartphones) who
have the option of SMS or a key fob will end up using SMS because it
does not cause them to spend time standing in a queue in a building to
give up cash.

Their belief that SMS is secure (enough) has nothing to do with whether
it actually is. It's all about convenience, and how much they can get
done without speaking to a human.

If a key fob can be sent to them - preferably for free - that would help.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who
still use feature phones and those for whom spending $30 on said hardware
token is financially obtrusive. ( Not to mention that every hardware token I can
remember looking at requires an app to set themselves up in the first
place, and if this is for the people who can't install apps, that's an
interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing
out that we ( as in the technical community we ) have a tendency to put
forward solutions that completely ignore what might be reasonably feasible
for those of lower income , or parts of the world not as technologically
developed as we might be in ourselves, and we should try to shrink that gap
whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:

> Then they can buy a hardware token. Using SMS is provably insecure, and
> for people being spear-phished (a much more common occurrence now that so
> much net worth data has been breached), a huge risk
>
> -mel
>
> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
>
>> As far as I know, authenticators on cell phone apps don’t require the
>> Internet. For example, the Google Authenticator mobile app doesn't require
>> any Internet or cellular connection
>>
>
> Lots of people still use feature phones that are not capable of running
> applications such as this.
>
> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>
>> As far as I know, authenticators on cell phone apps don’t require the
>> Internet. For example, the Google Authenticator mobile app doesn't require
>> any Internet or cellular connection. The authenticated system generates a
>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>> scanned by GA or can be entered manually and as a result, both the
>> authenticated system and GA know the same secret key, and can compute the
>> time-based 2nd factor OTP just as hardware tokens do.
>>
>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>> be wrong. But you can get accurate enough clock time without the Internet,
>> either manually using some radio source such as WWV, or by GPS or cellular
>> system synchronization.
>>
>> -mel
>>
>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>> >
>> >
>> >> On 4/18/21 05:18, Mel Beckman wrote:
>> >>
>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>> The telcos had years to secure SMS. They did nothing. The plethora of
>> well-secured commercial 2FA authentication tokens, many of them free,
>> should be a mandatory replacement for 2FA in every security governance
>> regime, such as PCI, financial account access, government web portals, etc.
>> >
>> > While I agree that SMS is insecure at the moment, I think there still
>> needs to be a mechanism that does not rely on the presence of an Internet
>> connection. One may not be able to have access to the Internet for a number
>> of reasons (traveling, coverage, outage, device, money, e.t.c.), and a
>> fallback needs to be available to authenticate.
>> >
>> > I know some companies have been pushing for voice authentication for
>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>> >
>> > We need something that works at the lowest common denominator as well,
>> because as available as the Internet is worldwide, it's not yet at a level
>> that one would consider "basic access".
>> >
>> > Mark.
>>
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 15:07, Tom Beecher wrote:

>
> I'm not arguing for or against anything here honestly. I'm just
> pointing out that we ( as in the technical community we ) have a
> tendency to put forward solutions that completely ignore what might be
> reasonably feasible for those of lower income , or parts of the world
> not as technologically developed as we might be in ourselves, and we
> should try to shrink that gap whenever possible, not make it worse.

This!

Nowadays, the businesses that tend to do very well while seeming like a
black box to most of their customers, are the ones who are consistently
solving problems from the perspective of real people, at scale.

If you solve it for 1, you solve it for 10,000 - and then the rest of
exponential impact.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Tom,

Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.

-mel


On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
> I'd add to that that people probably shouldn't treat phones as a
> significant increase in security, it's not really the out-of-band
> device that it used to be/was in the 1990s. Today, it basically
> equates to a second computer and the probability that the second
> computer is also compromised isn't overly unrealistic.

by the same attacker? raises the bar a bit. it's just a second factor,
not a guarantee.

i am a fan of the google token and don't like having to carry a
different hw token for everyone who wants to hw 2fa me.

but i think $ubject is correct. sms 2fa is roadkill.

randy

---
randy@psg.com
`gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
signatures are back, thanks to dmarc header butchery
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
>
> These low-income people are not the targets of identity thieves, spear
> fishers, or data ransomers.
>

This is patently false. Low-income / disabled / minority / non-English
speakers are absolutely targets of scams like those, and in
significant numbers.



On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:

> Tom,
>
> Well, yes, not everyone can afford all technology options. That’s life.
> One has to wonder how someone who needs to protect online accounts cannot
> afford a $30 hardware token (which can be shared across several accounts).
> These low-income people are not the targets of identity thieves, spear
> fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
> as a 2FA token. In this case I don’t think we have ignored low-income
> users, for the same reason that home alarm security aren't ignoring
> low-income users who can’t afford their products. It’s certainly no reason
> to hobble security for the rest of us.
>
> -mel
>
>
> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
> HW tokens are great, sure.
>
> Except there is a lot of overlap in the Venn diagram between those who
> still use feature phones and those that spending $30 on said hardware token
> is financially obtrusive. ( Not to mention that every hardware token I can
> remember looking at requires an app to set themselves up in the first
> place, and if this is for the people who can't install apps, that's an
> interesting circular dependency. )
>
> I'm not arguing for or against anything here honestly. I'm just pointing
> out that we ( as in the technical community we ) have a tendency to put
> forward solutions that completely ignore what might be reasonably feasible
> for those of lower income , or parts of the world not as technologically
> developed as we might be in ourselves, and we should try to shrink that gap
> whenever possible, not make it worse.
>
> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
>
>> Then they can buy a hardware token. Using SMS is provably insecure, and
>> for people being spear-phished (a much more common occurrence now that so
>> much net worth data has been breached), a huge risk
>>
>> -mel
>>
>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>
>>
>>> As far as I know, authenticators on cell phone apps don’t require the
>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>> any Internet or cellular connection
>>>
>>
>> Lots of people still use feature phones that are not capable of running
>> applications such as this.
>>
>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>>
>>> As far as I know, authenticators on cell phone apps don’t require the
>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>> any Internet or cellular connection. The authenticated system generates a
>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>> scanned by GA or can be entered manually and as a result, both the
>>> authenticated system and GA know the same secret key, and can compute the
>>> time-based 2nd factor OTP just as hardware tokens do.
>>>
>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>> be wrong. But you can get accurate enough clock time without the Internet,
>>> either manually using some radio source such as WWV, or by GPS or cellular
>>> system synchronization.
>>>
>>> -mel
>>>
>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>> >
>>> >
>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>> >>
>>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>>> The telcos had years to secure SMS. They did nothing. The plethora of
>>> well-secured commercial 2FA authentication tokens, many of them free,
>>> should be a mandatory replacement for 2FA in every security governance
>>> regime, such as PCI, financial account access, government web portals, etc.
>>> >
>>> > While I agree that SMS is insecure at the moment, I think there still
>>> needs to be a mechanism that does not rely on the presence of an Internet
>>> connection. One may not be able to have access to the Internet for a number
>>> of reasons (traveling, coverage, outage, device, money, e.t.c.), and a
>>> fallback needs to be available to authenticate.
>>> >
>>> > I know some companies have been pushing for voice authentication for
>>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>>> >
>>> > We need something that works at the lowest common denominator as well,
>>> because as available as the Internet is worldwide, it's not yet at a level
>>> that one would consider "basic access".
>>> >
>>> > Mark.
>>>
>>
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Can you cite data? Or provide a rational argument other than “they are”?

-mel via cell

On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:

These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.

This is patently false. Low-income / disabled / minority / non-english speakers are absolutely targets of scams like those, and in significant numbers.



On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
Tom,

Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.

-mel


On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

> As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
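The HOTP/TOTP mechanism Mel describes above, as an added worked example that is not part of the thread: it assumes the RFC 4226/6238 test secret (base32-encoded and constructed here as SAMPLE_SECRET_B32), derives both code types with no network access, and shows the clock-sync caveat for TOTP plus the "valid until used" rule a server must enforce for HOTP.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) computed entirely offline.

Server and authenticator derive codes from a shared secret plus either a
counter (HOTP) or the current 30-second time slot (TOTP). Nothing is sent
at verification time; only the secret and, for TOTP, the clock must agree.
"""
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 / RFC 6238 test secret "12345678901234567890",
# base32-encoded as an enrolment QR code or manual-entry string would carry it
# (32 characters, matching the "16 or 32 character" key mentioned in the thread).
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the human-typed base32 key into raw HMAC key bytes."""
    clean = secret_b32.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)  # restore padding that display strings drop
    return base64.b32decode(clean)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the time-slot number."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current slot or any slot within +/- window.

    The window absorbs small clock skew between server and device. With
    window=0 a device a few seconds off at a slot boundary is rejected,
    which is the "system time must be synced" caveat from the thread.
    """
    slot = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, slot + delta, digits), candidate):
            return True
    return False


class HotpVerifier:
    """Server-side HOTP state: a code is valid until used, then burned.

    lookahead lets the server resynchronise when the device generated codes
    that never reached it; anything at or below last_counter is a replay.
    """

    def __init__(self, secret: bytes, lookahead: int = 5, digits: int = 6) -> None:
        self.secret = secret
        self.lookahead = lookahead
        self.digits = digits
        self.last_counter = -1  # nothing accepted yet

    def verify(self, candidate: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.lookahead):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), candidate):
                self.last_counter = counter  # burns this and every earlier code
                return True
        return False


def clock_skew_demo(secret: bytes, server_time: int, device_skew: int,
                    window: int = 1) -> tuple:
    """Return (device_code, accepted_with_window, accepted_strict) for a device
    whose clock runs device_skew seconds ahead of the server."""
    device_code = totp(secret, server_time + device_skew)
    return (device_code,
            verify_totp(secret, device_code, server_time, window=window),
            verify_totp(secret, device_code, server_time, window=0))


if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET_B32)
    print("HOTP counters 0..2:", [hotp(key, c) for c in range(3)])
    print("TOTP at t=59:", totp(key, 59))
    # Server at 1111111109 (slot 37037036); a device 2 s ahead is in the next slot.
    print("2 s skew:", clock_skew_demo(key, 1111111109, 2))
    # A clock five minutes off falls outside even a +/-1 slot window.
    print("300 s skew:", clock_skew_demo(key, 1111111109, 300))
```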
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf

https://www.bjs.gov/content/pub/pdf/vit18.pdf




On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:

> Can you cite data? Or provide a rational argument other than “they are”?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
>
>> These low-income people are not the targets of identity thieves, spear
>> fishers, or data ransomers.
>>
>
> This is patently false. Low-income / disabled / minority / non-english
> speakers are absolutely targets of scams like those, and in
> significant numbers.
>
>
>
> On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
>
>> Tom,
>>
>> Well, yes, not everyone can afford all technology options. That’s life.
>> One has to wonder how someone who needs to protect online accounts cannot
>> afford a $30 hardware token (which can be shared across several accounts).
>> These low-income people are not the targets of identity thieves, spear
>> fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
>> as a 2FA token. In this case I don’t think we have ignored low-income
>> users, for the same reason that home alarm security aren't ignoring
>> low-income users who can’t afford their products. It’s certainly no reason
>> to hobble security for the rest of us.
>>
>> -mel
>>
>>
>> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>
>> HW tokens are great, sure.
>>
>> Except there is a lot of overlap in the Venn diagram between those who
>> still use feature phones and those that spending $30 on said hardware token
>> is financially obtrusive. ( Not to mention that every hardware token I can
>> remember looking at requires an app to set themselves up in the first
>> place, and if this is for the people who can't install apps, that's an
>> interesting circular dependency. )
>>
>> I'm not arguing for or against anything here honestly. I'm just pointing
>> out that we ( as in the technical community we ) have a tendency to put
>> forward solutions that completely ignore what might be reasonably feasible
>> for those of lower income , or parts of the world not as technologically
>> developed as we might be in ourselves, and we should try to shrink that gap
>> whenever possible, not make it worse.
>>
>> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
>>
>>> Then they can buy a hardware token. Using SMS is provably insecure, and
>>> for people being spear-phished (a much more common occurrence now that so
>>> much net worth data has been breached), a huge risk
>>>
>>> -mel
>>>
>>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>>
>>>
>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>> any Internet or cellular connection
>>>>
>>>
>>> Lots of people still use feature phones that are not capable of running
>>> applications such as this.
>>>
>>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>>>
>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>> any Internet or cellular connection. The authenticated system generates a
>>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>>> scanned by GA or can be entered manually and as a result, both the
>>>> authenticated system and GA know the same secret key, and can compute the
>>>> time-based 2nd factor OTP just as hardware tokens do.
>>>>
>>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>>> be wrong. But you can get accurate enough clock time without the Internet,
>>>> either manually using some radio source such as WWV, or by GPS or cellular
>>>> system synchronization.
>>>>
>>>> -mel
>>>>
>>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>>> >
>>>> >
>>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>>> >>
>>>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>>>> The telcos had years to secure SMS. They did nothing. The plethora of
>>>> well-secured commercial 2FA authentication tokens, many of them free,
>>>> should be a mandatory replacement for 2FA in every security governance
>>>> regime, such as PCI, financial account access, government web portals, etc.
>>>> >
>>>> > While I agree that SMS is insecure at the moment, I think there still
>>>> needs to be a mechanism that does not rely on the presence of an Internet
>>>> connection. One may not be able to have access to the Internet for a number
>>>> of reasons (traveling, coverage, outage, device, money, e.t.c.), and a
>>>> fallback needs to be available to authenticate.
>>>> >
>>>> > I know some companies have been pushing for voice authentication for
>>>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>>>> >
>>>> > We need something that works at the lowest common denominator as
>>>> well, because as available as the Internet is worldwide, it's not yet at a
>>>> level that one would consider "basic access".
>>>> >
>>>> > Mark.
>>>>
>>>
>>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
I don’t see any data showing that poor people are targets of Account access attacks. Can you point out the specific data you think supports your claim?

-mel via cell

On Apr 19, 2021, at 7:33 AM, Tom Beecher <beecher@beecher.cc> wrote:

https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf

https://www.bjs.gov/content/pub/pdf/vit18.pdf




On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:
Can you cite data? Or provide a rational argument other than “they are”?

-mel via cell

On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:

> These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.

This is patently false. Low-income / disabled / minority / non-english speakers are absolutely targets of scams like those, and in significant numbers.



On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
Tom,

Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.

-mel


On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those that spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

> As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
>
> Can you point out the specific data you think supports your claim?
>

I can, but I'm not going to, because that's not what this side discussion
has been based on.

You said :

> These low-income people are not the targets of identity thieves, spear
> fishers, or data ransomers.


I just showed you data that shows they are, but now are trying to move the
goalposts with new quantifiers. I think this discussion has run its course
for me. Take care.

On Mon, Apr 19, 2021 at 10:45 AM Mel Beckman <mel@beckman.org> wrote:

> I don’t see any data showing that poor people are *targets* of Account
> access attacks. Can you point out the specific data you think supports your
> claim?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:33 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
>
> https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf
>
> https://www.bjs.gov/content/pub/pdf/vit18.pdf
>
>
>
>
> On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:
>
>> Can you cite data? Or provide a rational argument other than “they are”?
>>
>> -mel via cell
>>
>> On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>
>>
>>> These low-income people are not the targets of identity thieves, spear
>>> fishers, or data ransomers.
>>>
>>
>> This is patently false. Low-income / disabled / minority / non-english
>> speakers are absolutely targets of scams like those, and in
>> significant numbers.
>>
>>
>>
>> On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
>>
>>> Tom,
>>>
>>> Well, yes, not everyone can afford all technology options. That’s life.
>>> One has to wonder how someone who needs to protect online accounts cannot
>>> afford a $30 hardware token (which can be shared across several accounts).
>>> These low-income people are not the targets of identity thieves, spear
>>> fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
>>> as a 2FA token. In this case I don’t think we have ignored low-income
>>> users, for the same reason that home alarm security aren't ignoring
>>> low-income users who can’t afford their products. It’s certainly no reason
>>> to hobble security for the rest of us.
>>>
>>> -mel
>>>
>>>
>>> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>>
>>> HW tokens are great, sure.
>>>
>>> Except there is a lot of overlap in the Venn diagram between those who
>>> still use feature phones and those that spending $30 on said hardware token
>>> is financially obtrusive. ( Not to mention that every hardware token I can
>>> remember looking at requires an app to set themselves up in the first
>>> place, and if this is for the people who can't install apps, that's an
>>> interesting circular dependency. )
>>>
>>> I'm not arguing for or against anything here honestly. I'm just pointing
>>> out that we ( as in the technical community we ) have a tendency to put
>>> forward solutions that completely ignore what might be reasonably feasible
>>> for those of lower income , or parts of the world not as technologically
>>> developed as we might be in ourselves, and we should try to shrink that gap
>>> whenever possible, not make it worse.
>>>
>>> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
>>>
>>>> Then they can buy a hardware token. Using SMS is provably insecure, and
>>>> for people being spear-phished (a much more common occurrence now that so
>>>> much net worth data has been breached), a huge risk
>>>>
>>>> -mel
>>>>
>>>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>>>
>>>>
>>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>>> any Internet or cellular connection
>>>>>
>>>>
>>>> Lots of people still use feature phones that are not capable of running
>>>> applications such as this.
>>>>
>>>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>>>>
>>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>>> any Internet or cellular connection. The authenticated system generates a
>>>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>>>> scanned by GA or can be entered manually and as a result, both the
>>>>> authenticated system and GA know the same secret key, and can compute the
>>>>> time-based 2nd factor OTP just as hardware tokens do.
>>>>>
>>>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>>>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>>>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>>>> be wrong. But you can get accurate enough clock time without the Internet,
>>>>> either manually using some radio source such as WWV, or by GPS or cellular
>>>>> system synchronization.
>>>>>
>>>>> -mel
>>>>>
>>>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>>>> >
>>>>> >
>>>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>>>> >>
>>>>> >> No, every SMS 2FA should be prohibited by regulatory
>>>>> certifications. The telcos had years to secure SMS. They did nothing. The
>>>>> plethora of well-secured commercial 2FA authentication tokens, many of them
>>>>> free, should be a mandatory replacement for 2FA in every security
>>>>> governance regime, such as PCI, financial account access, government web
>>>>> portals, etc.
>>>>> >
>>>>> > While I agree that SMS is insecure at the moment, I think there
>>>>> still needs to be a mechanism that does not rely on the presence of an
>>>>> Internet connection. One may not be able to have access to the Internet for
>>>>> a number of reasons (traveling, coverage, outage, device, money, e.t.c.),
>>>>> and a fallback needs to be available to authenticate.
>>>>> >
>>>>> > I know some companies have been pushing for voice authentication for
>>>>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>>>>> >
>>>>> > We need something that works at the lowest common denominator as
>>>>> well, because as available as the Internet is worldwide, it's not yet at a
>>>>> level that one would consider "basic access".
>>>>> >
>>>>> > Mark.
>>>>>
>>>>
>>>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
> It's all about convenience, and how much they can get
> done without speaking to human.

Hi Mark,

Convenience is the most important factor in any security scheme. The
user nearly always has a choice, even if the choice is as
rough-grained as "switch to a different company." If your process is
too onerous (the user's notion of onerous) then it simply won't be
used. An effective security scheme is the strongest which can be built
within that boundary.

> If a key fob can be sent to them - preferably for free - that would help.

Hint: carrying around a separate hardware fob for each important
Internet-based service is a non-starter. Users might do it for their
one or two most important services but yours isn't one of them.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
An unfortunate fact is that many companies don't support anything other
than sending a token via email, SMS, or sometimes a voice call. I've seen
several large banks, insurers, etc. who do this. It's maddening when you
sign up for access to something and are restricted to these options.

On Mon, Apr 19, 2021 at 11:49 AM William Herrin <bill@herrin.us> wrote:

> On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
> > It's all about convenience, and how much they can get
> > done without speaking to human.
>
> Hi Mark,
>
> Convenience is the most important factor in any security scheme. The
> user nearly always has a choice, even if the choice is as
> rough-grained as "switch to a different company." If your process is
> too onerous (the user's notion of onerous) then it simply won't be
> used. An effective security scheme is the strongest which can be built
> within that boundary.
>
> > If a key fob can be sent to them - preferably for free - that would help.
>
> Hint: carrying around a separate hardware fob for each important
> Internet-based service is a non-starter. Users might do it for their
> one or two most important services but yours isn't one of them.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
The goal of U2F is one key fob that works on many services. Implementation is pretty simple and the hardware is inexpensive.


Sent from my iPhone

> On Apr 19, 2021, at 08:51, William Herrin <bill@herrin.us> wrote:
>
> On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
>> It's all about convenience, and how much they can get
>> done without speaking to human.
>
> Hi Mark,
>
> Convenience is the most important factor in any security scheme. The
> user nearly always has a choice, even if the choice is as
> rough-grained as "switch to a different company." If your process is
> too onerous (the user's notion of onerous) then it simply won't be
> used. An effective security scheme is the strongest which can be built
> within that boundary.
>
>> If a key fob can be sent to them - preferably for free - that would help.
>
> Hint: carrying around a separate hardware fob for each important
> Internet-based service is a non-starter. Users might do it for their
> one or two most important services but yours isn't one of them.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
It appears that William Herrin <bill@herrin.us> said:
>> If a key fob can be sent to them - preferably for free - that would help.
>
>Hint: carrying around a separate hardware fob for each important
>Internet-based service is a non-starter. Users might do it for their
>one or two most important services but yours isn't one of them.

You think?

https://obvious.services.net/2013/07/better-have-big-pockets-if-you-want.html

R's,
John
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 17:48, William Herrin wrote:

> Convenience is the most important factor in any security scheme.

But often not at the top of the implementation priority list.


> Hint: carrying around a separate hardware fob for each important
> Internet-based service is a non-starter. Users might do it for their
> one or two most important services but yours isn't one of them.

You make my point for me.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Can I make an old f*** comment on all this?

We didn't design this network to be highly secure.

It's general enough that security can be layered on at various places.

But when you get down to it it was mostly designed to get information
flowing easy, fast, and freely. Not to lock it down or provide strong
accountability, authorization, and authentication.

Look at RFCs prior to about 1990, security's hardly considered beyond
an occasional login/password scheme or MITM packet injection.

It was designed to be very cheap to implement and deploy at least in
part because it was designed and implemented on frugal academic
budgets.

And to share those implementations or roll your own because the specs
(RFCs etc) were published free.

Then people, corporations by and large, came along and realized they
could use the net to make many zillions of dollars if only it were
secure.

IF...ONLY!

Did anyone promise them that?

And no one ever really figured out how to make it secure beyond some
superficial attempts like adopting login/passwords, wire encryption
(SSL etc.), 2FA, MITM avoidance, etc. none of which were really part
of some well thought out, engineered scheme. Just some new doo-dad to
toss on hoping that maybe this will be good enough. It wasn't.

Now, when their sites are compromised, when they lose gazillions of
dollars to ransomware, when 100M records walk out the door, whatever,
they put on the big sad face and imply they were let down and *they*,
someone else, some gearheads, need to try harder. They're terribly,
terribly disappointed.

What a great con job, try to shame someone else into solving your
problems for you basically for free.

If they want to protect trillions of dollars in assets maybe they need
to toss in a few billion to help, and stop hoping some bad press for
the technical community will shame some geniuses into dreaming up
better security for them mostly for free in terms of research and
specs and acceptance but that's the hard part.

You know what the net did successfully produce, over and over? Some of
the wealthiest individuals and corporations etc in the history of
civilization. Maybe the profit margins were a little too high and now
we're paying the price, or someone is.

It's like my aged, now gone, adviser who'd worked in software going
back to the 50s said about the Y2K problem at that time: It's not that
we couldn't anticipate Y2K problems. It's that we never dreamed the
cheap bastards would still be running the same exact software without
any updates or review for forty years!

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 15:33, Mel Beckman wrote:

> Tom,
>
> Well, yes, not everyone can afford all technology options. That’s
> life. One has to wonder how someone who needs to protect online
> accounts cannot afford a $30 hardware token (which can be shared
> across several accounts). These low-income people are not the targets
> of identity thieves, spear fishers, or data ransomers. Unlike you, I
> AM arguing against something: SMS as a 2FA token. In this case I don’t
> think we have ignored low-income users, for the same reason that home
> alarm security aren't ignoring low-income users who can’t afford their
> products. It’s certainly no reason to hobble security for the rest of us.

Hmmh, I'm not quite sure that is accurate. Low-income folk will
certainly have a mobile service, even though they might not have enough
to buy a security alarm once the rent is paid.

Take finance, for example: in places like East Africa, folk are
lucky that they don't need a bank account to either put money away or
transact for everyday needs. In other countries that don't have this
(mobile money), low-income folk who earn a living will have a bank
account, and even that one will come with some kind of online access.

The issue isn't so much the product. The issue is that mobile services
are so basic and fundamental, everybody, regardless of their financial
position, will have one. The stats say that as of 2020, of the number of
users around the world using mobile phones, only 46% of them are "smart".

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/20/21 01:46, bzs@theworld.com wrote:

> If they want to protect trillions of dollars in assets maybe they need
> to toss in a few billion to help, and stop hoping some bad press for
> the technical community will shame some geniuses into dreaming up
> better security for them mostly for free in terms of research and
> specs and acceptance but that's the hard part.
>
> You know what the net did successfully produce, over and over? Some of
> the wealthiest individuals and corporations etc in the history of
> civilization. Maybe the profit margins were a little too high and now
> we're paying the price, or someone is.
>

For the most part, services that (want to) rely on security are
providing their own security solutions. But they are bespoke, and each
one is designing and pushing out their own solution in their own silo.
So users have to contend with a multitude of security ideas that each of
the services they consume come up with. Standardization, here, would go
a long way in fixing much of this, but what's the incentive for them to
all work together, when "better security" is one of their selling points?

If, "magically", the Internet community came up with a solution that one
felt is fairly standard, we've seen how well that would be adopted, a la
DNSSEC, DANE and RPKI.

At the very least, the discussions need to be had; but not as separate
streams. Internet folk. Mobile folk. Telco folk. Service folk.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Shop with your feet if security is weak. I changed banks because of SMS 2FA.

-mel via cell

On Apr 20, 2021, at 9:06 AM, Mike <craigslist4md@gmail.com> wrote:

An unfortunate fact is that many companies don't support anything other than sending a token via email, SMS, or sometimes a voice call. I've seen several large banks, insurers, etc. who do this. It's maddening when you sign up for access to something and are restricted to these options.

On Mon, Apr 19, 2021 at 11:49 AM William Herrin <bill@herrin.us> wrote:
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
> It's all about convenience, and how much they can get
> done without speaking to a human.

Hi Mark,

Convenience is the most important factor in any security scheme. The
user nearly always has a choice, even if the choice is as
rough-grained as "switch to a different company." If your process is
too onerous (the user's notion of onerous) then it simply won't be
used. An effective security scheme is the strongest which can be built
within that boundary.

> If a key fob can be sent to them - preferably for free - that would help.

Hint: carrying around a separate hardware fob for each important
Internet-based service is a non-starter. Users might do it for their
one or two most important services but yours isn't one of them.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Something which binds them together are their insurance underwriters
who generally want to set minimum requirements without having to
review home-brewed security schemes. They want buzzwords and acronyms
to put onto checklists.

Others would be courts (e.g., when lawsuits arise) and government and
other contractors who, similarly, don't want to have to evaluate
beyond checklists of accepted industry practices.

And a major value of standardized practices is precisely so they don't
become competitive advantages particularly by their omission.

It's one reason, for example, car manufacturers are ok with something
like requiring seat belts or air bags, or in many industries
environmental regs, precisely so a competitor can't lower their costs
(and likely prices) by omitting them. Everyone has to have them and up
to some standard, compete on something else.

Perhaps if we began referring to a lot of this as "safety" rather than
"security" that would sink in.

On April 20, 2021 at 06:59 mark@tinka.africa (Mark Tinka) wrote:
>
>
> On 4/20/21 01:46, bzs@theworld.com wrote:
>
> > If they want to protect trillions of dollars in assets maybe they need
> > to toss in a few billion to help, and stop hoping some bad press for
> > the technical community will shame some geniuses into dreaming up
> > better security for them mostly for free in terms of research and
> > specs and acceptance but that's the hard part.
> >
> > You know what the net did successfully produce, over and over? Some of
> > the wealthiest individuals and corporations etc in the history of
> > civilization. Maybe the profit margins were a little too high and now
> > we're paying the price, or someone is.
> >
>
> For the most part, services that (want to) rely on security are
> providing their own security solutions. But they are bespoke, and each
> one is designing and pushing out their own solution in their own silo.
> So users have to contend with a multitude of security ideas that each of
> the services they consume come up with. Standardization, here, would go
> a long way in fixing much of this, but what's the incentive for them to
> all work together, when "better security" is one of their selling points?
>
> If, "magically", the Internet community came up with a solution that one
> felt is fairly standard, we've seen how well that would be adopted, a la
> DNSSEC, DANE and RPKI.
>
> At the very least, the discussions need to be had; but not as separate
> streams. Internet folk. Mobile folk. Telco folk. Service folk.
>
> Mark.

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*