Hollywood hacking has nothing on real hacking it seems.
NIST has been saying since 2016 not to use SMS for MFA. It’s always been horribly insecure.
The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and wont implement TOTP so I can use a true MFA app. And Im done with being forced to accept user policies I don’t agree with to do shit, and most of all done with Google Play Services on my device 😑
This is the main reason I switched to Fidelity here in the US. It’s a brokerage, but it does basic bank things, like checks, debit card, etc, and they support SymantecVIP, which works w/o Google Play Services. TOTP support really isn’t that hard, I don’t understand why banks are so slow in adopting it…
Thanks for this…I might be opening a Fidelity account…
They’re fantastic. :)
The only negative stories I’ve heard are from people who really push the boundaries, like people day trading and whatnot. If you’re a regular user looking for a bank alternative, you should be good.
Just know their branches don’t really have any banking services, so you can’t go there to withdraw or deposit cash, get a cashier’s check, etc. I keep an account w/ a local institution and transfer money as needed for banking services.
Now you’ve got me wondering about this for Canada. Would be a pita to move mortgage and investments, but there must be a better way than the big banks.
Here’s a website that tracks this kind of thing. No guarantees about being up-to-date, but from a surface-level check, it looks like you have options.
Even Bank of America doesn’t support MFA apps.
Adding to this that my Canadian bank just updated their app and it doesn’t work with my older phone. So my only option is to use online services with SMS/call verification.
It’s such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.
Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.
Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)
We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.
of course it is. forced 2fa BY SMS OF ALL THINGS is one of the stupidest ideas
Even stupider is supporting hardware keys for MFA, but having SMS fallback which can’t be disabled (looking at you, Vanguard). I’d much rather have email as my second factor than SMS, and I literally abandoned a bank (Ally) for removing email as an alternative to SMS.
I assume businesses only jumped at the chance to enable SMS 2FA to get their greedy little fingers on our phone numbers.
Oh man it sure would be nice if the feds had the power to regulate something like this /s
They did. That’s the reason for this hack, they wanted Lawful Interception, they got their backdoor. It’s what professionals and privacy advocates said all along, if it exists it will be abused.
This isn’t a hack in the way you’re thinking of, nor is it a product of government mandated interception, or a back door. The salt typhoon event you’re referring to is nothing more than the tip of the iceberg of a much bigger problem, which is abuse of the dated SS7 system we’ve known about for decades.
Do you have a source for this claim? I’d like to repeat it elsewhere…
Its essentially what the apple vs FBI encryption legal battle was about years ago:
https://en.m.wikipedia.org/wiki/Apple–FBI_encryption_dispute
I’m not really a fan of apple, but I was very happy they stood their ground on that one. They were absolutely right to do so.
I.e. this article from October: https://www.techradar.com/pro/chinese-hackers-allegedly-hit-us-wiretap-systems-to-hit-broadband-networks
In an all too predictable turn of events, Salt Typhoon, an infamous Chinese state actor, has reportedly hijacked government systems to breach several American broadband providers and gain access to the interception portals required by US law.
Thanks for bringing receipts. In stark contrast to my experience on Reddit, Lemmings usually seem allergic to showing their work for some reason.
Yeah, I don’t get it. I go out of my way to provide sources even before being asked.
What’s really frustrating is when others users criticize me for providing evidence that could be used to counter my claim. I’m not trying to win arguments, I’m trying to show my work so others can correct me if I missed something. I’m here to learn and educate, in that order, yet so many only seem interested in engaging in discussion that jives w/ their existing opinions. That was a problem on Reddit too, but at least someone would chime in w/ sources much of the time.
@return2ozma @technology
10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don’t want competition.Absolutely. They were so arrogant they never thought it would happen to us. After all, we are in charge of our own networks so why would we expect the enemy to be at the gates? Let’s make those gates out of cardboard so it’s easier to spy on everyone.
Of course then you have things like CALEA mandating a back door, you have cheap telecom companies that will happily buy cheap lowest bidder Chinese hardware and install it "everywhere* without concern for security (after all, it’s not their data being stolen) and now the enemy isn’t just at the gates but inside the walls.
A decade ago, making sure the feds could read everyone’s mail was the national security priority. Suddenly when the Chinese can read everyone’s mail, good security is the national security priority.
It’s too bad there was no way to predict this in advance. Oh wait…
The backdoors they use are there for freedom and justice, the backdoors the “others” use are tools of evil and security risks!
“They’re the same picture”
Braindead take of the day.
Your comment applies more to your own than the one you responded to. It’s a crazy form of recursion.
Nah that’s just your own wishful thinking.
Why do you hate America’s children?
For real, I bet this guy didn’t back the “Definitely Don’t Maybe Not Almost Probably Save The Children ACT.”
The backdoors they use are there for freedom and justice, the backdoors the “others” use are tools of evil and security risks!
did you forget to add “/s” or do you really believe what you wrote?
For clarity, I was being satirical.
Sometimes sarcasm is clear enough without signalling it. I guess not for everyone.
It was a joke, bruh!
Yes
-signed, DefinitelyNotAFed@Federal.Bureau
Thank god, give me my HMAC hash please.
Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.
Been saying that for years. It’s about damn time.
SMS spoofing and SIM swapping have been around for ages. It was never secure and that’s always been known. The number of companies that rely on it despite sending me a zillion other fucking useless emails is too damn high! Email, or better yet, an authenticator app, are far more secure. Not perfect, but better.
One big reason I’m hesitant to keep my money in banks is because banks think the best form of two-factor authentication is text message based 2FA and I’m like that’s barely any 2FA at all.
My banks are like that too. Of course I can’t speak to anyone who might influence that decision. Steam has better security than almost any other account I have. I appreciate them for that but it also seems ludicrous to me that my video games are more secure than my bank accounts.
I keep my money in Monero. That way, it’s me who has to be targeted instead of an institution. And if I fuck up and lose it, it’s my own damn fault.
I have some crypto, some stocks, etc. For many things I still need standard banking though. Crypto just isn’t there yet. Maybe someday… But having money distributed is still smart either way, so I have many baskets for my eggs.
I keep a little bit in the bank, like enough to pay my bills and such, but any extra I put into Monero.
in other news grass is green
It’s brown in my area. Check mate!
I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn’t think to, or look through the settings (not that you need to be “techy” to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can’t just be stolen by anyone with their SIM card.
Another thing is that even if you set a PIN, you’d still have to log into your account relatively regularly so that if you lose access to your number, you wouldn’t lose an account. It’s logical, given that numbers are reused… But that means that if you want to register without effectively tying your account to your ID (KYC when buying numbers is mandatory in a lot of the world, remember!), you’d have to pay for another phone bill (expensive given that the number’s practically doing nothing!) or use a one-time rental… Which guess what, puts your account at constant risk!
I thought they abandoned SMS a couple years ago??
They abandoned letting you use the Signal app to send and recieve SMS. You still need to get a code via SMS to activate your Signal account. I believe this is what they are referring to.
Yep, I was referring to that. You can stick someone else’s SIM in your phone and log into their signal account if they’ve not set a Signal PIN. You don’t see message history but new messages to that person will go to you.
Didn’t this happen quite awhile ago? I don’t see anything new in this article
The novelty is the fact that it’s ongoing. They haven’t mitigated the hack. The threat actors are still inside the networks, which is why the government is telling people to switch to E2EE apps.
Lovely
New Clipper Chip mandatory in new phones for “security” 😉
I coulda told you that for free. And sooner
Ive been slowly hearing about this over the last week or so, and I couldnt tell if it was real news or just over exaggerated.
And everyone has been on an on about iphone to android RCS, but no word on if anything is being done to fix the vulnerability.
What vulnerability? I thought RCS is encrypted on transit
RCS doesn’t really do a whole lot of anything. It’s a step up from SMS/MMS, but not by much.
All the features people think they mean when they’re talking about RCS are proprietary Google extensions that only work if you go through Google’s servers. They’re basically exactly the same as Apple putting iMessage on top; Apple just brags about it while Google tries to trick you into thinking incompatibility is someone else’s fault for not giving them control.
Usually I’ll defend Apple on this, but yes it’s a step up from SMS, and Apple is a big reason RCS hadnt been widely adopted as a replacement, and incremented to include more features.
I’m definitely on Googles side here: years of no one doing anything until “fine, I’ll take care it myself”
Why would you defend Apple? It’s just a stupid form of lock-in, it was at the start, and it always will be.
If you want security, use an app that provides security. RCS does a little to protect against MITM attacks, unless that MITM is your OS vendor.
Apple didn’t bother because it sucks. It’s not an actual solution (or path to one) for messaging not to be a dumpster fire.
Google “did it itself” exclusively for control. It’s exactly the same as their browser behavior.
Article is about phone company being hacked, so there’s a good chance that even if we had non-proprietary encryption, they’d be able to read it
That’s precisely what E2EE is supposed to prevent. If the phone company gets hacked, attackers can see all the traffic going through all of their towers, so if everything is encrypted before getting to the towers, they can’t see the contents. IIRC, metadata like phone numbers can be read though, so they can see who you’re talking to, but they can’t see what you’re saying.
The phone manufacturer, however, can see everything before it’s encrypted and after it’s decrypted.
