this post was submitted on 20 Dec 2024
644 points (98.6% liked)

Technology

60090 readers
2877 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
644
Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’ (gizmodo.com)
submitted 6 days ago by return2ozma@lemmy.world to c/technology@lemmy.world
162 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] randon31415@lemmy.world 34 points 4 days ago (2 children)

Authentication for my work email: Enter 28 character password, receive sms, enter message, log in

Authentication for my Battle.net account:

-Enter email made before 2000 because they don't let you change email

-Enter password

-Get rejected

-Solve CAPTCHA

-Try backup passwords, get rejected

-Request new password

-Send request to 24 year old email

-Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email

-Open newer email, Authenticate older email

-open old email, Put in code to battle.net

-Battle.net requests Authenticator code from Battle.net app

-Open battle.net app (no requests)

-Try manual code, doesn't work

  • Realize Battle.net app Authenticator not connected

-Try to connect Battle.net app Authenticator to account

-Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator

-Close Battle.net app

-Open Blizzard Authenticator

-Close warning that this app got depreciated in January

-Enter manual code

-it works

-Attempt to change password to password I first attempted

-Won't let me use same password

-Try logging in using that password

-Still doesn't work - Solve one more CAPTCHA

-Change password to backup password and back to original password - have to solve 2 more Captchas

-Finally works

-Log in

load more comments (2 replies)
[–] someguy@pleroma.someotherguy.xyz 226 points 6 days ago (2 children)

@return2ozma @technology
10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don't want competition.

[–] Godnroc@lemmy.world 108 points 6 days ago (9 children)

The backdoors they use are there for freedom and justice, the backdoors the "others" use are tools of evil and security risks!

[–] Rentlar@lemmy.ca 46 points 5 days ago (5 children)

"They're the same picture"

load more comments (5 replies)
load more comments (8 replies)
load more comments (1 replies)
[–] Cornelius_Wangenheim@lemmy.world 106 points 5 days ago (1 children)

NIST has been saying since 2016 not to use SMS for MFA. It's always been horribly insecure.

[–] Routhinator@startrek.website 69 points 5 days ago (26 children)

The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and wont implement TOTP so I can use a true MFA app. And Im done with being forced to accept user policies I don't agree with to do shit, and most of all done with Google Play Services on my device 😑

[–] john89@lemmy.ca 8 points 4 days ago* (last edited 4 days ago) (1 children)

Should be illegal to put ads in something as crucial to day-to-day life as a banking app.

If it's not illegal, then everyone is going to do it and we won't have the "choice" that crapitalists love to tout so much.

load more comments (1 replies)
[–] HellsBelle@sh.itjust.works 21 points 5 days ago

Adding to this that my Canadian bank just updated their app and it doesn't work with my older phone. So my only option is to use online services with SMS/call verification.

It's such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.

load more comments (24 replies)
[–] archchan@lemmy.ml 40 points 5 days ago (2 children)

I hate forced 2FA that you can't disable anyway. I don't want to waste time waiting for an insecure text, I don't want to input an unencrypted code you sent to my email, I don't want to click your damn notification that runs through Play Services, and no I'm not enrolling in passwordless auth. I don't need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.

[–] Charlatan@lemm.ee 20 points 5 days ago (2 children)

Yeah. So you, myself, and some others are the exception to the rule. But, you can't look at it that way because its a 'lowest common denominator' problem. The least secure of us means we are all only as secure. Others need to be hand held.

It's definitely time to raise all boats and drop SMS 2fa like a hot rock.

load more comments (2 replies)
load more comments (1 replies)
[–] finitebanjo@lemmy.world 25 points 4 days ago* (last edited 4 days ago) (2 children)

The end of an era.

Or actually, probably not until we redo whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn't be using a 45 year old system for almost all communications.

[–] 01189998819991197253@infosec.pub 3 points 3 days ago* (last edited 3 days ago)

In their defense, they JUST applied an update in March 1993, so they're knocking on the doors of cutting edge technology updates -_-

Edit: added link

[–] Agent641@lemmy.world 7 points 4 days ago* (last edited 4 days ago) (2 children)

Use Telegram.

Not the app, the 200 year old wire radio messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered)

load more comments (2 replies)
[–] ChaoticEntropy@feddit.uk 10 points 4 days ago* (last edited 4 days ago) (1 children)

So many services still don't even offer 2FA at all. Any service that stores payment information and PII without any 2FA options, let alone a secure one, at this point are a disgrace.

[–] 01189998819991197253@infosec.pub 2 points 3 days ago

Banks, I'm looking at you

[–] bjoern_tantau@swg-empire.de 109 points 6 days ago (3 children)

load more comments (3 replies)
[–] uriel238@lemmy.blahaj.zone 55 points 5 days ago* (last edited 5 days ago) (3 children)

Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.

Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)

We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.

load more comments (3 replies)
[–] rarbg@lemmy.zip 67 points 5 days ago (1 children)

Oh man it sure would be nice if the feds had the power to regulate something like this /s

[–] da_peda@lemmings.world 56 points 5 days ago (8 children)

They did. That's the reason for this hack, they wanted Lawful Interception, they got their backdoor. It's what professionals and privacy advocates said all along, if it exists it will be abused.

load more comments (8 replies)
[–] JoeKrogan@lemmy.world 32 points 5 days ago

Always has been

[–] shortwavesurfer@lemmy.zip 66 points 6 days ago (1 children)

Been saying that for years. It's about damn time.

[–] Screen_Shatter@lemmy.world 17 points 5 days ago (11 children)

SMS spoofing and SIM swapping have been around for ages. It was never secure and that's always been known. The number of companies that rely on it despite sending me a zillion other fucking useless emails is too damn high! Email, or better yet, an authenticator app, are far more secure. Not perfect, but better.

load more comments (11 replies)
[–] DragonTypeWyvern@midwest.social 7 points 4 days ago (1 children)

Incoming forced 4-factor authentication

[–] Agent641@lemmy.world 10 points 4 days ago* (last edited 4 days ago)

Something you know, something you are, something you have, and something you saw in a dream once when you were a kid at summer camp during a feverish Dr Pepper-overdose-driven fitful sleep at age 12.

[–] Cocodapuf@lemmy.world 20 points 5 days ago* (last edited 5 days ago) (17 children)

Since when was sms ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient's carrier both have the opportunity to intercept messages.

I mean that's the message content, not the authentication, but still, sms is the opposite of secure, always has been.

load more comments (17 replies)
[–] cypherpunks@lemmy.ml 15 points 5 days ago (1 children)

an astronaut pointing a gun at their colleague, with earth in the background. ( "always has been" meme template, no text)

load more comments (1 replies)
[–] umbrella@lemmy.ml 26 points 5 days ago (3 children)

of course it is. forced 2fa BY SMS OF ALL THINGS is one of the stupidest ideas

load more comments (3 replies)
[–] metaStatic@kbin.earth 37 points 6 days ago (3 children)

in other news grass is green

load more comments (3 replies)
[–] Edieto12@lemmy.ca 13 points 5 days ago (3 children)

id take email Authentication over sms Authentication if there was only them 2 let me use my 2facter app for the love of god plz i hate how banks use sms its like come on man

load more comments (3 replies)
[–] phoneymouse@lemmy.world 28 points 6 days ago* (last edited 6 days ago)

Thank god, give me my HMAC hash please.

Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.

[–] Imgonnatrythis@sh.itjust.works 30 points 6 days ago (1 children)

Didn't this happen quite awhile ago? I don't see anything new in this article

[–] Telorand@reddthat.com 52 points 6 days ago (1 children)

The novelty is the fact that it's ongoing. They haven't mitigated the hack. The threat actors are still inside the networks, which is why the government is telling people to switch to E2EE apps.

load more comments (1 replies)
[–] Phoenicianpirate@lemm.ee 16 points 5 days ago

Hollywood hacking has nothing on real hacking it seems.

load more comments
view more: next ›