NIST has been saying since 2016 not to use SMS for MFA. It’s always been horribly insecure.
The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and wont implement TOTP so I can use a true MFA app. And Im done with being forced to accept user policies I don’t agree with to do shit, and most of all done with Google Play Services on my device 😑
Adding to this that my Canadian bank just updated their app and it doesn’t work with my older phone. So my only option is to use online services with SMS/call verification.
It’s such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.
My bank prides itself being the first in the country to support yubikeys for 2fa. I was so happy until i learned it’s just for logging in, transactions are still confirmed by SMS or their app. And security experts all say it’s better this way, using a regular 2fa solution would be insecure because you wouldn’t know what you’re confirming.
There really is no hope.
It’s definitely possible to have a hardware token which allows confirming the transfer details - https://www.manua.ls/nationwide/card-reader-security-for-internet-banking/manual
I’m not defending that madness, but that device doesn’t show who is the recipient. The argument was that this is protection against phishing sites pretending to be a bank, proxying your connection but sending it to a different recipient.
Makes one wonder how much the user has to fuck up to end in such a scenario, and of it’s really worth transmitting everyone’s financial data in almost plain text over the air for this
Even Bank of America doesn’t support MFA apps.
why bank when you can dank
They support USB hardware tokens… but only for the website. Everything else is SMS which kinda defeats the point.
Annoyingly, other than Vanguard, they are the only financial institution to support USB FIDO tokens
in my experience, FIDO tokens suck. I have to around 10 times every time I use one to log in.
Are your USB ports broken? I’ve never had issues other than physical port problems
I don’t think so. It was on three seperate computers. I also used two FIDO keys, both identical. Maybe they’re of poor quality, so it could be that. Any recommendations on a reliable FIDO key?
No idea. I just use the yubikey ones. I have an old usb-a oneb and a newer small usbc one
This is the main reason I switched to Fidelity here in the US. It’s a brokerage, but it does basic bank things, like checks, debit card, etc, and they support SymantecVIP, which works w/o Google Play Services. TOTP support really isn’t that hard, I don’t understand why banks are so slow in adopting it…
Now you’ve got me wondering about this for Canada. Would be a pita to move mortgage and investments, but there must be a better way than the big banks.
Here’s a website that tracks this kind of thing. No guarantees about being up-to-date, but from a surface-level check, it looks like you have options.
Thanks!
Wouldn’t count on it being up to date. For my country 4 out of five biggest banks in the country are missing.
They accept contributions, and I’m sure raising an issue with details would be fine as well if you don’t feel comfortable making changes directly.
Thanks for this…I might be opening a Fidelity account…
They’re fantastic. :)
The only negative stories I’ve heard are from people who really push the boundaries, like people day trading and whatnot. If you’re a regular user looking for a bank alternative, you should be good.
Just know their branches don’t really have any banking services, so you can’t go there to withdraw or deposit cash, get a cashier’s check, etc. I keep an account w/ a local institution and transfer money as needed for banking services.
I had a negative experience when initially setting up my account, because of TikTok. This group of kids who called themselves “Fidelity Boyz” discovered that you could deposit a fake check and immediately withdraw the money.
So many people did this that they had to severely lock things down. For most customers, money transferred in either via check or via ACH pull (telling Fidelity to take the money from an account at another bank), was subject to a 16 business day (three weeks and one day) hold. Direct deposits (e.g. paychecks) were not affected, and ACH pushes (when you tell another bank to send the money to Fidelity) were eventually fine too.
It was a big pain. The money I transferred was in limbo for a long time, after I had already switched all my auto-pays over to Fidelity, so I had to switch them all back until the money cleared.
Now that that’s over, it’s great. I love that they reimburse ATM fees worldwide, and I’m a big fan of their basket portfolios product since it makes it so easy to rebalance a portfolio. Saves me from having to manually do a bunch of calculations, and I love that it has a fixed monthly price instead of being percentage based like roboadvisors.
I’ve got one. It’s nice. The cash is automatically invested in a money market account, which is a bit like a high yield savings account.
In case you weren’t aware, Symantec VIP is just TOTP-OATH in a fancy coat. You can extract the secret and use it with any TOTP app. I use Authenticator Pro (now called Stratum) because it’s open-source and has a watch app.
Do you know how to extract it?
I have this bookmarked from a few years ago, back when PayPal only supported Symantec VIP: https://gist.github.com/jarbro/ca7c9d3eebba1396d53b4a7228575948. I haven’t tried it for a while, but it should still work.
The issue is, banks are only going to do what they’re required to do by law. The government is run by dinosaurs who don’t know what computers are, let alone what TOTP is.
No, they’re only going to do what they’re required to do by their insurance. The law is an option, but if insurance costs go way up if they don’t have proper MFA, they’ll get MFA.
Should be illegal to put ads in something as crucial to day-to-day life as a banking app.
If it’s not illegal, then everyone is going to do it and we won’t have the “choice” that crapitalists love to tout so much.
Its supposed to be illegal for banks to be in “sales” but my wife was working for BMO and they were forcing her to prioritize outbound cold calls ans upselling products the customer didnt need and would clearly be bad for their financials as a Personal Banking Assistant. The conflict of interest was so great it stressed her right the fuck out and she had to take leave and start therapy. Her MS also spiked likely due to the stress levels. She was there to help people, and she made the bank earn loyal customers and they willing got more products from the bank because she helped them. She was the top performer at the bank if she just let her do the job she was there to do, but instead her boss started ragging on her daily about her cold calling numbers and forcing her to cancel necessary appointments and focus time to deal with customer requests and instead prioritize sales.
In the end her numbers dropped, her customer satisfaction dropped, and her MS got worse from the stress and she’s now on long term leave, uncertain if she’ll recover her focus and able to go back to work. Her neurologist has said she cannot go back for now.
Not sure how that bullshit helped the bank, but I can sure see how I didn’t, and I may be wrong but I think there are laws against it.
Also worth noting that this change in tactics happened right at the same time BMO took all their “we’re here to help” signage down. Brings so many memories of Google dropping the “don’t be evil”. Everything that came after in both cases was shit.
EDIT: Oh looks like CBC did an article on this now because it is so prolific. https://www.cbc.ca/news/business/banks-upselling-go-public-1.4023575
Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.
Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)
We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.
rendering
Wait, are they melting people down to make soap now? Fight Club wasn’t just a meme then…
Extraordinary Rendition is the euphemism from the aughts from which the movie Rendition was titled. It means taking your detainee somewhere else, often across national borders, to a black site, usually to do things there for plausible deniability (e.g. we don’t torture in the United States )
Looks like I missed that movie, I’ll have to check it out.
And I don’t think I’ve ever heard the term “rendering” used in that context, I guess we just used other terminology. Thanks!
id take email Authentication over sms Authentication if there was only them 2 let me use my 2facter app for the love of god plz i hate how banks use sms its like come on man
I’m really happy that my doctor’s website uses Signal to send the authentication code.
Email is also unencrypted
Ya just saying I don’t like sms I wish email was encrypted maybe one day
'nuf said
@return2ozma @technology
10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don’t want competition.The backdoors they use are there for freedom and justice, the backdoors the “others” use are tools of evil and security risks!
“They’re the same picture”
Why do you hate America’s children?
For real, I bet this guy didn’t back the “Definitely Don’t Maybe Not Almost Probably Save The Children ACT.”
Braindead take of the day.
Your comment applies more to your own than the one you responded to. It’s a crazy form of recursion.
Nah that’s just your own wishful thinking.
The backdoors they use are there for freedom and justice, the backdoors the “others” use are tools of evil and security risks!
did you forget to add “/s” or do you really believe what you wrote?
-signed, [email protected]
Sometimes sarcasm is clear enough without signalling it. I guess not for everyone.
It was a joke, bruh!
Edit: Huh. Guess people downvoting didn’t read up on Poe’s Law posted above. Shocked! Well, not that shocked.
For clarity, I was being satirical.
Yes
Absolutely. They were so arrogant they never thought it would happen to us. After all, we are in charge of our own networks so why would we expect the enemy to be at the gates? Let’s make those gates out of cardboard so it’s easier to spy on everyone.
Of course then you have things like CALEA mandating a back door, you have cheap telecom companies that will happily buy cheap lowest bidder Chinese hardware and install it "everywhere* without concern for security (after all, it’s not their data being stolen) and now the enemy isn’t just at the gates but inside the walls.
A decade ago, making sure the feds could read everyone’s mail was the national security priority. Suddenly when the Chinese can read everyone’s mail, good security is the national security priority.
It’s too bad there was no way to predict this in advance. Oh wait…
Oh man it sure would be nice if the feds had the power to regulate something like this /s
They did. That’s the reason for this hack, they wanted Lawful Interception, they got their backdoor. It’s what professionals and privacy advocates said all along, if it exists it will be abused.
This isn’t a hack in the way you’re thinking of, nor is it a product of government mandated interception, or a back door. The salt typhoon event you’re referring to is nothing more than the tip of the iceberg of a much bigger problem, which is abuse of the dated SS7 system we’ve known about for decades.
Do you have a source for this claim? I’d like to repeat it elsewhere…
I.e. this article from October: https://www.techradar.com/pro/chinese-hackers-allegedly-hit-us-wiretap-systems-to-hit-broadband-networks
In an all too predictable turn of events, Salt Typhoon, an infamous Chinese state actor, has reportedly hijacked government systems to breach several American broadband providers and gain access to the interception portals required by US law.
Thanks for bringing receipts. In stark contrast to my experience on Reddit, Lemmings usually seem allergic to showing their work for some reason.
Yeah, I don’t get it. I go out of my way to provide sources even before being asked.
What’s really frustrating is when others users criticize me for providing evidence that could be used to counter my claim. I’m not trying to win arguments, I’m trying to show my work so others can correct me if I missed something. I’m here to learn and educate, in that order, yet so many only seem interested in engaging in discussion that jives w/ their existing opinions. That was a problem on Reddit too, but at least someone would chime in w/ sources much of the time.
@capital @sugar_in_your_tea I’m entering a conversation without reading the other posts, so I apologise. I just want to say that I deeply admire your approach. It is mine as well. I will begin a discussion with a view that I hold, but if someone is able to prove me wrong, I will admit it and thank him. And if my sources should be used to prove his point, then either I didn’t read well enough or it’s simply a line of thought that I hadn’t considered. But I love civil discussions without wasting time on personal attacks and whatnot, and it seems you’re the same way.
Join us, there are dozens of us! 😀
Its essentially what the apple vs FBI encryption legal battle was about years ago:
https://en.m.wikipedia.org/wiki/Apple–FBI_encryption_dispute
I’m not really a fan of apple, but I was very happy they stood their ground on that one. They were absolutely right to do so.
The public broohaha surrounding that event makes me think Apple is providing a back door and this psyop was to make people comfortable trusting Apple.
Just a theory though. But apple is all proprietary so nothing is stopping them from doing whatever they want or what ever FISA order said.
I still don’t trust them, especially when they announced they were scanning images. I don’t really care their reasons for it, that’s intrusive. I can’t trust any closed source tech, no matter what they say.
Ive been slowly hearing about this over the last week or so, and I couldnt tell if it was real news or just over exaggerated.
And everyone has been on an on about iphone to android RCS, but no word on if anything is being done to fix the vulnerability.
What vulnerability? I thought RCS is encrypted on transit
Article is about phone company being hacked, so there’s a good chance that even if we had non-proprietary encryption, they’d be able to read it
That’s precisely what E2EE is supposed to prevent. If the phone company gets hacked, attackers can see all the traffic going through all of their towers, so if everything is encrypted before getting to the towers, they can’t see the contents. IIRC, metadata like phone numbers can be read though, so they can see who you’re talking to, but they can’t see what you’re saying.
The phone manufacturer, however, can see everything before it’s encrypted and after it’s decrypted.
At this point you have to assume that if you are not using your own install of custom Android ROM, your end point is not secure beyond keeping stupid criminals out
RCS doesn’t really do a whole lot of anything. It’s a step up from SMS/MMS, but not by much.
All the features people think they mean when they’re talking about RCS are proprietary Google extensions that only work if you go through Google’s servers. They’re basically exactly the same as Apple putting iMessage on top; Apple just brags about it while Google tries to trick you into thinking incompatibility is someone else’s fault for not giving them control.
Usually I’ll defend Apple on this, but yes it’s a step up from SMS, and Apple is a big reason RCS hadnt been widely adopted as a replacement, and incremented to include more features.
I’m definitely on Googles side here: years of no one doing anything until “fine, I’ll take care it myself”
Apple didn’t bother because it sucks. It’s not an actual solution (or path to one) for messaging not to be a dumpster fire.
Google “did it itself” exclusively for control. It’s exactly the same as their browser behavior.
it at least allows larger files than mms* and has reactions.
*size may vary significantly with MMS and is rarely if ever communicated.
Why would you defend Apple? It’s just a stupid form of lock-in, it was at the start, and it always will be.
If you want security, use an app that provides security. RCS does a little to protect against MITM attacks, unless that MITM is your OS vendor.
I was under the impression Apple already allows RCS, and that RCS is E2EE, I was wrong.
Apple did add RCS in one of the iOS 18 updates.
It’s just only E2EE when routed through Google.
Authentication for my work email: Enter 28 character password, receive sms, enter message, log in
Authentication for my Battle.net account:
-Enter email made before 2000 because they don’t let you change email
-Enter password
-Get rejected
-Solve CAPTCHA
-Try backup passwords, get rejected
-Request new password
-Send request to 24 year old email
-Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email
-Open newer email, Authenticate older email
-open old email, Put in code to battle.net
-Battle.net requests Authenticator code from Battle.net app
-Open battle.net app (no requests)
-Try manual code, doesn’t work
- Realize Battle.net app Authenticator not connected
-Try to connect Battle.net app Authenticator to account
-Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator
-Close Battle.net app
-Open Blizzard Authenticator
-Close warning that this app got depreciated in January
-Enter manual code
-it works
-Attempt to change password to password I first attempted
-Won’t let me use same password
-Try logging in using that password
-Still doesn’t work - Solve one more CAPTCHA
-Change password to backup password and back to original password - have to solve 2 more Captchas
-Finally works
-Log in
That just kept going. I feel you, but maybe try a password manager? You open it up, type blizzard and it tells you exactly what password you used. Even better, it can generate really good passwords for you.
I use bitwarden.
It didn’t accept the password that was set.
So many services still don’t even offer 2FA at all. Any service that stores payment information and PII without any 2FA options, let alone a secure one, at this point are a disgrace.
Banks, I’m looking at you
Hollywood hacking has nothing on real hacking it seems.
What are yall using as an alternative?
Yubikey
TOTP or Signal, depending on the use-case
Any examples on what could cause the preference?
Usually signal for communication, totp for 2fa. I’ve as of yet seen only one site that sends 2fa codes through signal.
Oh interesting thanks
Didn’t this happen quite awhile ago? I don’t see anything new in this article
The novelty is the fact that it’s ongoing. They haven’t mitigated the hack. The threat actors are still inside the networks, which is why the government is telling people to switch to E2EE apps.
Lovely
Why the hell is this in 4K HDR?
We here at Lemmy are professionals
Only the best for the worst hack in history.
in other news grass is green
It’s brown in my area. Check mate!
Yes mate! I checked mate, you’re right mate!
actually it’s white
I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn’t think to, or look through the settings (not that you need to be “techy” to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can’t just be stolen by anyone with their SIM card.
Another thing is that even if you set a PIN, you’d still have to log into your account relatively regularly so that if you lose access to your number, you wouldn’t lose an account. It’s logical, given that numbers are reused… But that means that if you want to register without effectively tying your account to your ID (KYC when buying numbers is mandatory in a lot of the world, remember!), you’d have to pay for another phone bill (expensive given that the number’s practically doing nothing!) or use a one-time rental… Which guess what, puts your account at constant risk!
I thought they abandoned SMS a couple years ago??
They abandoned letting you use the Signal app to send and recieve SMS. You still need to get a code via SMS to activate your Signal account. I believe this is what they are referring to.
Yep, I was referring to that. You can stick someone else’s SIM in your phone and log into their signal account if they’ve not set a Signal PIN. You don’t see message history but new messages to that person will go to you.
