Hi,
I just made a payment using Paypal, and it asked to confirm my identity
using WhatsApp, sending a six digit confirmation code to it. :-)
SMS was also possible.
I chose WA this time :-)
On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
Hi,
I just made a payment using Paypal, and it asked to confirm my identity
using WhatsApp, sending a six digit confirmation code to it. :-)
SMS was also possible.
I can see why Meta would encourage that. And in soon...
"WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost" <https://m.slashdot.org/story/419088>
But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_ SMS and email which is about as insecure as you get. And it doesn't ask
which I prefer. (I'd prefer an OTP authenticator app but no financial
company I know offers it.)
On 2023-11-09 10:21, Dave Royal wrote:
On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
Hi,
I just made a payment using Paypal, and it asked to confirm my identity
using WhatsApp, sending a six digit confirmation code to it. :-)
SMS was also possible.
I can see why Meta would encourage that. And in soon...
"WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
<https://m.slashdot.org/story/419088>
But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
SMS and email which is about as insecure as you get. And it doesn't ask
which I prefer. (I'd prefer an OTP authenticator app but no financial
company I know offers it.)
I use one bank which uses confirmation via sms, and another via its own
bank app. Push messages I think they said. Is that OTP?
On 09.11.23 11:39, Carlos E. R. wrote:
On 2023-11-09 10:21, Dave Royal wrote:
On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
Hi,
I just made a payment using Paypal, and it asked to confirm my identity
using WhatsApp, sending a six digit confirmation code to it. :-)
SMS was also possible.
I can see why Meta would encourage that. And in soon...
"WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
<https://m.slashdot.org/story/419088>
But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
SMS and email which is about as insecure as you get. And it doesn't ask
which I prefer. (I'd prefer an OTP authenticator app but no financial
company I know offers it.)
I use one bank which uses confirmation via sms, and another via its own
bank app. Push messages I think they said. Is that OTP?
Both highly insecure. Good banks use their own app that recognises
patterns that generate numeric codes.
On 9 Nov 2023 11:39:49 +0100 Carlos E. R. wrote:
On 2023-11-09 10:21, Dave Royal wrote:
On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
Hi,
I just made a payment using Paypal, and it asked to confirm my identity
using WhatsApp, sending a six digit confirmation code to it. :-)
SMS was also possible.
I can see why Meta would encourage that. And in soon...
"WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
<https://m.slashdot.org/story/419088>
But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
SMS and email which is about as insecure as you get. And it doesn't ask
which I prefer. (I'd prefer an OTP authenticator app but no financial
company I know offers it.)
I use one bank which uses confirmation via sms, and another via its own
bank app. Push messages I think they said. Is that OTP?
OTP: One Time Passcode
Some bank apps generate OTPs
My bank gives me a tiny device that generates an OTP, but it's being
replaced by an app.
But it doesn't have to be the bank's own app or device. There are
standards, such as TOTP - where the code constantly changes. <https://en.m.wikipedia.org/wiki/One-time_password#Standardization>
I use Open Source TOTP apps AndOTP on Android (and FreeOTP on iOS) for 2FA with some sites - eg github. I think Authy and Google Authenticator are
also TOTP generators - not sure.
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about as
insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text, email, or a
voice phone call. You might recheck yours, perhaps it's changed...
Dave Royal wrote:
Amex sends 2FA codes by _both_ SMS and email which is about as
insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a
2FA CHOICE between text, email, or a
voice phone call. You might recheck
yours, perhaps it's changed...
Just stuck my old Android Groundhog
newsreader on an old Amazon
tablet. First post. Newer tablets break
it into read only. So let's see how this
one does...
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about as
insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text, email, or a
voice phone call. You might recheck yours, perhaps it's changed...
I don't use an Amex app - this is with their website.
On 11/9/2023 7:27 AM, Dave Royal wrote:
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about as
insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text, email, or a
voice phone call. You might recheck yours, perhaps it's changed...
I don't use an Amex app - this is with their website.
I just checked it on my AMEX website. They still gave me the same three
CHOICES (text, email, or voice). I'm in the US. Perhaps that's the
difference?
BTW I use text. A one time code good for only minutes. Where's the big
security risk?
On 9 Nov 2023 08:10:33 -0700 AJL wrote:
On 11/9/2023 7:27 AM, Dave Royal wrote:
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about
as insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text, email,
or a voice phone call. You might recheck yours, perhaps it's
changed...
I don't use an Amex app - this is with their website.
I just checked it on my AMEX website. They still gave me the same
three CHOICES (text, email, or voice). I'm in the US. Perhaps
that's the difference?
Maybe.
BTW I use text. A one time code good for only minutes. Where's the
big security risk?
SIM swap fraud.
On 11/9/2023 8:50 AM, Dave Royal wrote:
On 9 Nov 2023 08:10:33 -0700 AJL wrote:
On 11/9/2023 7:27 AM, Dave Royal wrote:
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about
as insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text, email,
or a voice phone call. You might recheck yours, perhaps it's
changed...
I don't use an Amex app - this is with their website.
I just checked it on my AMEX website. They still gave me the same
three CHOICES (text, email, or voice). I'm in the US. Perhaps
that's the difference?
Maybe.
BTW I use text. A one time code good for only minutes. Where's the
big security risk?
SIM swap fraud.
How would a SIM swap get a perp into my AMEX account? He would need my
AMEX user name and password to even get the text code. And where does he
get that?
So I ask again, where's the big security risk in texting a 2FA code?
On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
On 9 Nov 2023 08:10:33 -0700 AJL wrote:
On 11/9/2023 7:27 AM, Dave Royal wrote:
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about
as insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text,
email, or a voice phone call. You might recheck yours,
perhaps it's changed...
I don't use an Amex app - this is with their website.
I just checked it on my AMEX website. They still gave me the same
three CHOICES (text, email, or voice). I'm in the US. Perhaps
that's the difference?
Maybe.
BTW I use text. A one time code good for only minutes. Where's
the big security risk?
SIM swap fraud.
... but I meant email was particularly insecure - unencrypted, interceptable...
On 9 Nov 2023 09:07:41 -0700 AJL wrote:
So I ask again, where's the big security risk in texting a 2FA
code?
The point of two factor authentication is to add a _second_ layer of
security so that if your account/password is stolen - which happens a
lot in data breaches - there must be a second 'token' - something you
_have_. With SIM swap fraud the malefactors effectively have your
phone and can get the code.
I wouldn't say it's a /big/ risk but it's a risk
if a large financial transfer depends on it.
Banks implemented it 'cos it was cheap to do.
SIM swap fraud was becoming serious a year or so back in the UK but
I think operators are supposed to carry out more checks now before
providing replacement SIMs.
As for WhatsApp, an account can have up to 6(?) linked devices, so
presumably the code will appear on all of them. I can imagine a new
attack - 'clandestine WA device linking' whereby someone with brief
physical access to your mobile links another device to it.
On 11/9/2023 8:57 AM, Dave Royal wrote:
On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
On 9 Nov 2023 08:10:33 -0700 AJL wrote:
On 11/9/2023 7:27 AM, Dave Royal wrote:
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about
as insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text,
email, or a voice phone call. You might recheck yours,
perhaps it's changed...
I don't use an Amex app - this is with their website.
I just checked it on my AMEX website. They still gave me the same
three CHOICES (text, email, or voice). I'm in the US. Perhaps
that's the difference?
Maybe.
BTW I use text. A one time code good for only minutes. Where's
the big security risk?
SIM swap fraud.
... but I meant email was particularly insecure - unencrypted,
interceptable...
Not for me, though I don't use email for 2FA. With a SIM swap Google
would sense a new device and use Google Authenticator to one of MY
authentic devices to verify. No verification, no email...
If you mean just no encryption, again even if intercepted what can
anyone do with a code only good for a few minutes without a user name
and password...
On 2023-11-09 17:21, AJL wrote:
On 11/9/2023 8:57 AM, Dave Royal wrote:
On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
On 9 Nov 2023 08:10:33 -0700 AJL wrote:
On 11/9/2023 7:27 AM, Dave Royal wrote:
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about
as insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text,
email, or a voice phone call. You might recheck yours,
perhaps it's changed...
I don't use an Amex app - this is with their website.
I just checked it on my AMEX website. They still gave me the same
three CHOICES (text, email, or voice). I'm in the US. Perhaps
that's the difference?
Maybe.
BTW I use text. A one time code good for only minutes. Where's
the big security risk?
SIM swap fraud.
... but I meant email was particularly insecure - unencrypted,
interceptable...
Not for me, though I don't use email for 2FA. With a SIM swap Google
would sense a new device and use Google Authenticator to one of MY
authentic devices to verify. No verification, no email...
If you mean just no encryption, again even if intercepted what can
anyone do with a code only good for a few minutes without a user name
and password...
They could pose as you in their machines.
Then the email would be sent to you, which they could intercept and
use to login in their machine.
On 11/9/23 12:15 PM, Carlos E. R. wrote:
On 2023-11-09 17:21, AJL wrote:
On 11/9/2023 8:57 AM, Dave Royal wrote:
On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
On 9 Nov 2023 08:10:33 -0700 AJL wrote:
On 11/9/2023 7:27 AM, Dave Royal wrote:
On 09 Nov 2023 07:16:19 -0700 AJL wrote:
Dave Royal<dave@dave123royal.com> wrote:
Amex sends 2FA codes by _both_ SMS and email which is about
as insecure as you get. And it doesn't ask which I prefer.
My Android AMEX app gives me a 2FA CHOICE between text,
email, or a voice phone call. You might recheck yours,
perhaps it's changed...
I don't use an Amex app - this is with their website.
I just checked it on my AMEX website. They still gave me the same
three CHOICES (text, email, or voice). I'm in the US. Perhaps
that's the difference?
Maybe.
BTW I use text. A one time code good for only minutes. Where's
the big security risk?
SIM swap fraud.
... but I meant email was particularly insecure - unencrypted,
interceptable...
Not for me, though I don't use email for 2FA. With a SIM swap Google
would sense a new device and use Google Authenticator to one of MY
authentic devices to verify. No verification, no email...
If you mean just no encryption, again even if intercepted what can
anyone do with a code only good for a few minutes without a user name
and password...
They could pose as you in their machines.
How if no user/password info?
And if they had it somehow and tried to log in I'd get an uncalled for text
code that'd tell me someone had my UN/PW and was trying to break in my AMEX
account and I'd change it.
Then the email would be sent to you, which they could intercept and
use to login in their machine.
Since I use text 2FA notification guess they'd need my phone too? Unlikely
to the 1000000th degree...
On 2023-11-09 20:49, AJL wrote:
On 11/9/23 12:15 PM, Carlos E. R. wrote:
They could pose as you in their machines.
How if no user/password info?
Obtained earlier "somehow".
And if they had it somehow and tried to log in I'd get an uncalled
for text code that'd tell me someone had my UN/PW and was trying to
break in my AMEX account and I'd change it.
There is a window of opportunity. They do it fast and reconfigure so
you get no more warnings and your phone invalidated.
The fact is that SIM swap fraud is a thing, not a rumour. People
have lost money.
They ask the system to send the 2FA via email.
On 11/9/2023 1:30 PM, Carlos E. R. wrote:
On 2023-11-09 20:49, AJL wrote:
On 11/9/23 12:15 PM, Carlos E. R. wrote:
They could pose as you in their machines.
How if no user/password info?
Obtained earlier "somehow".
"Somehow" = magic?
And if they had it somehow and tried to log in I'd get an uncalled
for text code that'd tell me someone had my UN/PW and was trying to
break in my AMEX account and I'd change it.
There is a window of opportunity. They do it fast and reconfigure so
you get no more warnings and your phone invalidated.
How would they get my username/password. Please no more magic...
The fact is that SIM swap fraud is a thing, not a rumour. People
have lost money.
Yup. That's why I have a security code registered with my phone
provider. No code, no business transacted.
They ask the system to send the 2FA via email.
No username/password no email/text 2FA. And if they break into the AMEX servers to get them no biggie. As long as it's NOT MY FAULT I'm covered
there too...
On 11/9/2023 12:20 PM, Carlos E. R. wrote:
Imagine I use the app in the phone to connect to the bank. The bank
sends a code by SMS to the *same* phone,
the app automatically reads the message and logs in.
Doesn't work that way on any of my apps. The 2FA code is sent by text as
a number that I then have to reenter into the app.
Now suppose my phone is stolen...
Hopefully your phone AND your phone bank app are BOTH LOCKED. That way
the thief has to go through TWO LOCKS to enter your bank app. Pretty unlikely, don't you think...
On my phone the 2FA text code only had to authorize the AMEX app ONCE.
After that only the user name and PW is required to open the app.
(Though AMEX can be set to require a 2FA code on every app entry I find
that a bit too much of a hassle for what little added security it may
give (IMO-YMMV).)
I'm still waiting to see why SMS is a poor way to send 2FA codes.
Though I'll admit that pushing "Yes" on a Google Authenticator screen to authorize an app is sure a lot easier...
On 2023-11-09 22:23, AJL wrote:
Hopefully your phone AND your phone bank app are BOTH LOCKED. That
way the thief has to go through TWO LOCKS to enter your bank app.
Pretty unlikely, don't you think...
I hope, but could happen.
Some bank apps here use a 4 digit pin code. Others use 8.
I'm still waiting to see why SMS is a poor way to send 2FA
codes.
Well, experts in the field have said so.
On 11/9/2023 2:31 PM, Carlos E. R. wrote:
On 2023-11-09 22:23, AJL wrote:
Hopefully your phone AND your phone bank app are BOTH LOCKED. That
way the thief has to go through TWO LOCKS to enter your bank app.
Pretty unlikely, don't you think...
I hope, but could happen.
By the time a thief could break your locks you could have your passwords changed.
My Google stuff (like Gmail) doesn't have a password once you get past
my phone lock screen lock. If my phone were stolen I'm counting on that
lock screen lock to hold at least an hour or so until I can change my
Google password...
Some bank apps here use a 4 digit pin code. Others use 8.
Same as above. Change the password quickly if stolen. Then the pin will
no longer work.
I'm still waiting to see why SMS is a poor way to send 2FA
codes.
Well, experts in the field have said so.
Got me there. But still waiting for a reason why. Though text is
unencrypted what good would a timed 6 digit number intercept do anyone?
And the good part of using a text is that I'd know IMMEDIATELY if
someone's trying to log in to one of my accounts and can take immediate action. Not so with encrypted email...
On 2023-11-09 23:08, AJL wrote:
By the time a thief could break your [phone] locks you could have
your passwords changed.
How? I am on the street, probably, far from home and with no phone.
still waiting for a reason why [text 2FA is bad].
If they got your user and password in advance, a lot.