Always has been
I’m new to technology, is this good?
They will now push proprietary apps which steal your data, so you decide.
In a sane world we would move to yubikeys or codes like Google authenticator, but we live in a post sane technological world
TOTP or GTFO
Hollywood hacking has nothing on real hacking it seems.
NIST has been saying since 2016 not to use SMS for MFA. It’s always been horribly insecure.
The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and wont implement TOTP so I can use a true MFA app. And Im done with being forced to accept user policies I don’t agree with to do shit, and most of all done with Google Play Services on my device 😑
My bank prides itself being the first in the country to support yubikeys for 2fa. I was so happy until i learned it’s just for logging in, transactions are still confirmed by SMS or their app. And security experts all say it’s better this way, using a regular 2fa solution would be insecure because you wouldn’t know what you’re confirming.
There really is no hope.
This is the main reason I switched to Fidelity here in the US. It’s a brokerage, but it does basic bank things, like checks, debit card, etc, and they support SymantecVIP, which works w/o Google Play Services. TOTP support really isn’t that hard, I don’t understand why banks are so slow in adopting it…
The issue is, banks are only going to do what they’re required to do by law. The government is run by dinosaurs who don’t know what computers are, let alone what TOTP is.
No, they’re only going to do what they’re required to do by their insurance. The law is an option, but if insurance costs go way up if they don’t have proper MFA, they’ll get MFA.
Thanks for this…I might be opening a Fidelity account…
They’re fantastic. :)
The only negative stories I’ve heard are from people who really push the boundaries, like people day trading and whatnot. If you’re a regular user looking for a bank alternative, you should be good.
Just know their branches don’t really have any banking services, so you can’t go there to withdraw or deposit cash, get a cashier’s check, etc. I keep an account w/ a local institution and transfer money as needed for banking services.
Now you’ve got me wondering about this for Canada. Would be a pita to move mortgage and investments, but there must be a better way than the big banks.
Here’s a website that tracks this kind of thing. No guarantees about being up-to-date, but from a surface-level check, it looks like you have options.
Thanks!
Adding to this that my Canadian bank just updated their app and it doesn’t work with my older phone. So my only option is to use online services with SMS/call verification.
It’s such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.
Even Bank of America doesn’t support MFA apps.
They support USB hardware tokens… but only for the website. Everything else is SMS which kinda defeats the point.
Annoyingly, other than Vanguard, they are the only financial institution to support USB FIDO tokens
Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.
Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)
We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.
rendering
Wait, are they melting people down to make soap now? Fight Club wasn’t just a meme then…
Extraordinary Rendition is the euphemism from the aughts from which the movie Rendition was titled. It means taking your detainee somewhere else, often across national borders, to a black site, usually to do things there for plausible deniability (e.g. we don’t torture in the United States )
of course it is. forced 2fa BY SMS OF ALL THINGS is one of the stupidest ideas
Even stupider is supporting hardware keys for MFA, but having SMS fallback which can’t be disabled (looking at you, Vanguard). I’d much rather have email as my second factor than SMS, and I literally abandoned a bank (Ally) for removing email as an alternative to SMS.
I assume businesses only jumped at the chance to enable SMS 2FA to get their greedy little fingers on our phone numbers.
Oh man it sure would be nice if the feds had the power to regulate something like this /s
They did. That’s the reason for this hack, they wanted Lawful Interception, they got their backdoor. It’s what professionals and privacy advocates said all along, if it exists it will be abused.
This isn’t a hack in the way you’re thinking of, nor is it a product of government mandated interception, or a back door. The salt typhoon event you’re referring to is nothing more than the tip of the iceberg of a much bigger problem, which is abuse of the dated SS7 system we’ve known about for decades.
Do you have a source for this claim? I’d like to repeat it elsewhere…
Its essentially what the apple vs FBI encryption legal battle was about years ago:
https://en.m.wikipedia.org/wiki/Apple–FBI_encryption_dispute
I’m not really a fan of apple, but I was very happy they stood their ground on that one. They were absolutely right to do so.
I.e. this article from October: https://www.techradar.com/pro/chinese-hackers-allegedly-hit-us-wiretap-systems-to-hit-broadband-networks
In an all too predictable turn of events, Salt Typhoon, an infamous Chinese state actor, has reportedly hijacked government systems to breach several American broadband providers and gain access to the interception portals required by US law.
Thanks for bringing receipts. In stark contrast to my experience on Reddit, Lemmings usually seem allergic to showing their work for some reason.
Yeah, I don’t get it. I go out of my way to provide sources even before being asked.
What’s really frustrating is when others users criticize me for providing evidence that could be used to counter my claim. I’m not trying to win arguments, I’m trying to show my work so others can correct me if I missed something. I’m here to learn and educate, in that order, yet so many only seem interested in engaging in discussion that jives w/ their existing opinions. That was a problem on Reddit too, but at least someone would chime in w/ sources much of the time.
@return2ozma @technology
10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don’t want competition.Absolutely. They were so arrogant they never thought it would happen to us. After all, we are in charge of our own networks so why would we expect the enemy to be at the gates? Let’s make those gates out of cardboard so it’s easier to spy on everyone.
Of course then you have things like CALEA mandating a back door, you have cheap telecom companies that will happily buy cheap lowest bidder Chinese hardware and install it "everywhere* without concern for security (after all, it’s not their data being stolen) and now the enemy isn’t just at the gates but inside the walls.
A decade ago, making sure the feds could read everyone’s mail was the national security priority. Suddenly when the Chinese can read everyone’s mail, good security is the national security priority.
It’s too bad there was no way to predict this in advance. Oh wait…
The backdoors they use are there for freedom and justice, the backdoors the “others” use are tools of evil and security risks!
“They’re the same picture”
Why do you hate America’s children?
For real, I bet this guy didn’t back the “Definitely Don’t Maybe Not Almost Probably Save The Children ACT.”
Braindead take of the day.
Your comment applies more to your own than the one you responded to. It’s a crazy form of recursion.
Nah that’s just your own wishful thinking.
The backdoors they use are there for freedom and justice, the backdoors the “others” use are tools of evil and security risks!
did you forget to add “/s” or do you really believe what you wrote?
Sometimes sarcasm is clear enough without signalling it. I guess not for everyone.
It was a joke, bruh!
Edit: Huh. Guess people downvoting didn’t read up on Poe’s Law posted above. Shocked! Well, not that shocked.
For clarity, I was being satirical.
Yes
-signed, [email protected]
Why the hell is this in 4K HDR?
Only the best for the worst hack in history.
Been saying that for years. It’s about damn time.
SMS spoofing and SIM swapping have been around for ages. It was never secure and that’s always been known. The number of companies that rely on it despite sending me a zillion other fucking useless emails is too damn high! Email, or better yet, an authenticator app, are far more secure. Not perfect, but better.
One big reason I’m hesitant to keep my money in banks is because banks think the best form of two-factor authentication is text message based 2FA and I’m like that’s barely any 2FA at all.
My banks are like that too. Of course I can’t speak to anyone who might influence that decision. Steam has better security than almost any other account I have. I appreciate them for that but it also seems ludicrous to me that my video games are more secure than my bank accounts.
I keep my money in Monero. That way, it’s me who has to be targeted instead of an institution. And if I fuck up and lose it, it’s my own damn fault.
I have some crypto, some stocks, etc. For many things I still need standard banking though. Crypto just isn’t there yet. Maybe someday… But having money distributed is still smart either way, so I have many baskets for my eggs.
I keep a little bit in the bank, like enough to pay my bills and such, but any extra I put into Monero.
Thank god, give me my HMAC hash please.
Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.
in other news grass is green
It’s brown in my area. Check mate!
I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn’t think to, or look through the settings (not that you need to be “techy” to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can’t just be stolen by anyone with their SIM card.
Another thing is that even if you set a PIN, you’d still have to log into your account relatively regularly so that if you lose access to your number, you wouldn’t lose an account. It’s logical, given that numbers are reused… But that means that if you want to register without effectively tying your account to your ID (KYC when buying numbers is mandatory in a lot of the world, remember!), you’d have to pay for another phone bill (expensive given that the number’s practically doing nothing!) or use a one-time rental… Which guess what, puts your account at constant risk!
I thought they abandoned SMS a couple years ago??
They abandoned letting you use the Signal app to send and recieve SMS. You still need to get a code via SMS to activate your Signal account. I believe this is what they are referring to.
Yep, I was referring to that. You can stick someone else’s SIM in your phone and log into their signal account if they’ve not set a Signal PIN. You don’t see message history but new messages to that person will go to you.
Didn’t this happen quite awhile ago? I don’t see anything new in this article
The novelty is the fact that it’s ongoing. They haven’t mitigated the hack. The threat actors are still inside the networks, which is why the government is telling people to switch to E2EE apps.
Lovely
New Clipper Chip mandatory in new phones for “security” 😉
