#1
10-07-2019, 09:31 PM
Llama Llogophile
Guest
Join Date: Apr 2002
Location: 50% chord point
Posts: 4,064

Two-factor authentification - is it sometimes just data phishing?


There's a vendor I work with that has a rewards program. You get points for buying their services and then redeem them for gift cards and whatnot.

Today I try to log in and find that they've implemented two-factor authentification. Meaning, I have to put in my phone number so they can supposedly verify I am the person associated with an account. Previously this was just a user name and password.

I realize there are actually security needs in the online world. But could this really just be an excuse to data-mine people's phone numbers? I really don't want to give my phone number out just to be in some rewards scheme. And is it just me, or is "security" being used as an excuse for this sort of thing more and more often?
#2
10-07-2019, 09:59 PM
Joey P
Charter Member
Join Date: Jun 1999
Location: Milwaukee, WI
Posts: 29,215
I assume they're asking for your number so they can use 2FA going forward. The idea behind 2FA is that it would send a text message to the number already associated with your account. Just asking for the number, as part of the login process, wouldn't work since anyone trying to access your account would just put their number in, get the text message and type in the code. It wouldn't really do anything.

If you don't want to give them your phone number, see if they give you the option to use your email address or turn off 2FA altogether. Besides, if there's no sensitive info in the account, 2FA is just an extra step for no real reason.

Something else you can do is set up (for free) a Google Voice number and use that for this type of stuff. It's easy enough to get a number and adjust the settings on the account so the only thing it can do is receive texts (IOW, no spam calls, no voicemails, etc).
#3
10-08-2019, 12:23 PM
ftg
Member
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,309
Unfortunately too many sites are wise to Google Voice and refuse to accept those numbers. (Which must be a real headache for those whose number was originally assigned by Google Voice and is now their actual, real-for-real, only phone number.)

I've run into this several times.

And in terms of so-called "security", Slashdot posted about this (again) just yesterday. Search there for more posts about how insecure 2FA is.

Any site that thinks that 2FA is a good idea, let alone a must, is not to be trusted.
#4
10-08-2019, 12:27 PM
BorgHunter
Guest
Join Date: Nov 2008
Location: Chicago
Posts: 772
2FA over SMS is an insecure mess, because SMS is an insecure protocol. 2FA using a dedicated hardware or software token is indeed a good idea, and a must for anything you want to be remotely secure. I wish more banks supported it, but few do.

ETA: Of course, the entire banking system in the U.S. is an insecure mess, too (cf. checks, just for one), so the lack of proper 2FA is the least of our worries.

Last edited by BorgHunter; 10-08-2019 at 12:30 PM.
#5
10-08-2019, 01:15 PM
Spiderman
Member
Join Date: Oct 2000
Location: somewhere East of there
Posts: 11,029
Quote:
Originally Posted by ftg
Unfortunately too many sites are wise to Google Voice and refuse to accept those numbers. (Which must be a real headache for those whose number was originally assigned by Google Voice and is now their actual, real-for-real, only phone number.)
It used to be that numbers were assigned in large blocks (an exchange) to a given company; however, with number porting being allowed for so long all I can tell you is that 123-456-xxxx was originally assigned to ____ Telco. If I take my TMO/Verizon/Ma Bell landline & port it to GV (which one can do) how would a given company know that it's a GV phone #? What if I go the other way & port my originally-a-GV-phone-# to another telco?

How do GV #s differ from Google Fi numbers?
#6
10-08-2019, 06:09 PM
Llama Llogophile
Guest
Join Date: Apr 2002
Location: 50% chord point
Posts: 4,064
Well, this is timely
#7
10-08-2019, 07:14 PM
Yllaria
Charter Member
Join Date: Nov 2001
Location: Stockton
Posts: 10,889
I just had to deal with this with my insurance company. I needed to get into my account and they were setting up 2FA as a required first window for logging on. Unfortunately, both the phone number and the email address they had for my account were old and no longer usable. And customer service was only open during business hours.

Annoying.
#8
10-08-2019, 08:19 PM
Xema
Guest
Join Date: Mar 2002
Posts: 12,259
[nitpick]
I think it's 'authentication', not 'authentification'
[/nitpick]
#9
10-09-2019, 12:59 PM
ftg
Member
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,309
Quote:
Originally Posted by Llama Llogophile
You just have to assume that all these companies are 100% evil. The OP is not being paranoid.
#10
10-09-2019, 03:48 PM
scr4
Guest
Join Date: Aug 1999
Location: Alabama
Posts: 16,081
Quote:
Originally Posted by BorgHunter
2FA over SMS is an insecure mess, because SMS is an insecure protocol.
So one wouldn't use it for, say, a military computer system. But surely it's perfectly adequate for commercial web sites?
#11
10-09-2019, 04:27 PM
ftg
Member
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,309
Quote:
Originally Posted by scr4
So one wouldn't use it for, say, a military computer system. But surely it's perfectly adequate for commercial web sites?
Sure. As long as nobody sends any information like credit card numbers, email addresses, real addresses, phone numbers, names, etc. And anything having to do with login verification, passwords, etc., is right out.

So, talking about last night's game is okay. If you don't care who reads it.
#12
10-10-2019, 08:43 AM
scr4
Guest
Join Date: Aug 1999
Location: Alabama
Posts: 16,081
Quote:
Originally Posted by ftg
Sure. As long as nobody sends any information like credit card numbers, email addresses, real addresses, phone numbers, names, etc. And anything having to do with login verification, passwords, etc., is right out.

So, talking about last night's game is okay. If you don't care who reads it.
But we're talking about two-factor authentication here, which means having two totally separate ways to verify access. Passwords, e-mail, SMS, hardware dongle, etc, each have their vulnerabilities, but if someone were to hack one of those, they still can't access the system. Hacking two of those for the same account would be extremely difficult.
#13
10-10-2019, 09:28 AM
Spiderman
Member
Join Date: Oct 2000
Location: somewhere East of there
Posts: 11,029
Quote:
Originally Posted by scr4
But we're talking about two-factor authentication here, which means having two totally separate ways to verify access. Passwords, e-mail, SMS, hardware dongle, etc, each have their vulnerabilities, but if someone were to hack one of those, they still can't access the system. Hacking two of those for the same account would be extremely difficult.
The idea behind security is 'something you know & something you have'. I know my signon/password & have my phone, which means that providing a 'key' / One-time password (OTP) should be secure; however, since SMS isn't secure it's kind of like leaving your key under a rock. If I lift the right rock I now have the key to your house. SMS has vulnerabilities & shouldn't be looked at as being secure.
#14
10-10-2019, 12:31 PM
control-z
Guest
Join Date: Mar 2003
Location: Virginia
Posts: 12,966
I came across this in June with Stripe, which is a pretty big merchant account provider. It's a service that we occasionally use when our primary merchant account isn't working for whatever reason.

One day we go to log on and Stripe isn't suggesting 2FA, they require it. Trouble is, linking the Stripe account to my phone wouldn't be good because I'm not always at the office, and if someone needs to run a charge it wouldn't work.

Solution turns out to be that I could have (and should have already) created user accounts for each user, and those user accounts don't require 2FA, only the administrator account.

And for what it's worth, for my 2FA phone number I was able to use a Google Voice number.
#15
10-10-2019, 01:57 PM
MeanJoe
Guest
Join Date: Feb 2000
Location: Columbus, Ohio
Posts: 2,323
I work for a company that provides consumer-facing payment applications to financial institutions. We use One-Time Passwords (OTP) as an in-session risk mitigation tool. It is not 100% effective by itself but is an important tool in a layered risk management strategy. Additionally, financial institutions are required to deploy multi-factor authentication strategies. It is not an attempt to phish your personal data for marketing purposes, it is to add further security to your interaction online. It provides, as others have mentioned, a way to further authenticate you when they are suspicious of your login attempt - for example, maybe from a computer you've not used before, or a geo-IP location outside our normal area, or a whole host of data points they're evaluating when you access their website. Our products also look at device reputation and ownership data as a part of our risk strategy. It doesn't do any good to send an OTP to a phone number if the device itself has been associated with reported fraud and the device is not owned by the customer. But we can do all that validation behind the scenes and that data helps drive when or if we would issue an OTP.

OTP is not a silver bullet - it is simply one tool in a toolbox. Due to social engineering vulnerabilities with OTP we are also moving away from them to a 2-way SMS challenge process.
__________________
Father to sassy girls. Husband to a mad wife. And I will have my vengeance, in this life or the next.
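Joey P's point (the code goes to the number already on the account, never one typed into the login form) and MeanJoe's risk-based step-up (only challenge when the device is unknown) come down to the same server-side logic. The following is an added illustration, not code from any poster, Stripe, or any vendor in the thread: a constructed Python sketch where an unrecognised device triggers an OTP to the enrolled phone, with expiry, an attempt limit and constant-time comparison. The account, device ids and phone number are made up.

```python
"""Constructed example of a risk-based SMS OTP step-up (not any vendor's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

OTP_TTL_SECONDS = 300     # a code is valid for five minutes
MAX_OTP_ATTEMPTS = 3      # abandon the challenge after three wrong guesses

def hash_code(value: str) -> str:
    # Plain SHA-256 keeps the example short; a real deployment hashes passwords
    # with a slow, salted algorithm (argon2/bcrypt) and OTPs with an HMAC.
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class Account:
    username: str
    password_hash: str
    enrolled_phone: str                     # bound at enrollment, never read from the login request
    known_devices: set = field(default_factory=set)
    pending: Optional[dict] = None          # the active OTP challenge, if any

sent_messages: list = []                    # stand-in for the SMS gateway; tests inspect it

def login(acct: Account, password: str, device_id: str, now: Optional[float] = None) -> str:
    """Check the password, then step up only when the device has not been seen before."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(hash_code(password), acct.password_hash):
        return "denied"
    if device_id in acct.known_devices:
        return "ok"                         # low risk: no OTP needed (MeanJoe's behind-the-scenes checks)
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = {"hash": hash_code(code), "expires": now + OTP_TTL_SECONDS,
                    "attempts": 0, "device": device_id}
    sent_messages.append((acct.enrolled_phone, code))   # only the enrolled number ever gets a code
    return "otp_required"

def verify_otp(acct: Account, code: str, device_id: str, now: Optional[float] = None) -> str:
    """Accept the code once, from the same device, before expiry and within the attempt budget."""
    now = time.time() if now is None else now
    p = acct.pending
    if p is None or p["device"] != device_id:
        return "denied"
    if now > p["expires"] or p["attempts"] >= MAX_OTP_ATTEMPTS:
        acct.pending = None                 # stale or exhausted challenge: force a fresh login
        return "denied"
    p["attempts"] += 1
    if not hmac.compare_digest(hash_code(code), p["hash"]):
        return "denied"
    acct.pending = None
    acct.known_devices.add(device_id)       # remembered, so the next login from it is not stepped up
    return "ok"
```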
#16
10-11-2019, 11:22 AM
Lare
Guest
Join Date: Jun 2010
Location: My spot: 0,0,0,0
Posts: 1,075
My potential problem with 2FA has always been this situation:
You lose your phone.
Your phone is logged in to your email account.
You have your banking app on your phone.
Badguy picks up your phone before the screen lock engages.
Badguy goes to app and hits "forgot password."
Bank sends password reset to the email account logged in on the phone.
Badguy resets password, 2FA not an issue since it comes to the same phone.
#17
10-11-2019, 02:40 PM
The Librarian
Guest
Join Date: May 2002
Location: Delft
Posts: 1,188
Quote:
Originally Posted by Lare
My potential problem with 2FA has always been this situation:
You lose your phone.
Your phone is logged in to your email account.
You have your banking app on your phone.
Badguy picks up your phone before the screen lock engages.
Badguy goes to app and hits "forgot password."
Bank sends password reset to the email account logged in on the phone.
Badguy resets password, 2FA not an issue since it comes to the same phone.
Your scenario requires 2/3 things to go wrong at the same time.

Without 2FA your bank just has to forget to secure a customer database (something that happens all the time).

2FA is not perfect, nothing is, but it is the best solution for automated authentication at this point in time.

(BTW, you wouldn't be able to reset my email password with just my unlocked phone, or access my banking app; those require separate logins (TouchID).)
__________________
Oook!