[ALERT] A Gaping Hole in Your Online Security

Both options {sms and app on phone} are poor choices.
a. SMS you described here. Country and network dependant, most network operators simply do not offer an option for you "lock" the account so no new sims can be issued.

b. 2FA on the phone is not much better. We turn our mobile phones into gold bars.
What are we most likely to lose by accident and theft? The mobile phone, with all these super safe keys on the device.

c. Using USB keys. Most do not use these exclusively. Take Google as an example, they will still use your phone even if you registered the dongle.

Been trying to find an android capable raspberry pi with gsm. This so I can lock this in a safe with a sim I do not use or carry on my person. This is still not available at a reasonable cost.

For now all sing get 2FA on your phone. It is in some ways worst than where we started.

Years later, this is till not resolved.

The usual 2FA requires a mobile/cell phone. That's fine provided there is a reliable cell phone service. We have unreliable service at home due to the terrain. If 2FA could be modified so that it happened when the user was away from their usual computer or location, then I would be more enthusiastic about using it.

SS7, the protocol used by the phone companies is inherently insecure.It was developed for use over internal telephones trunks,mainly landlines.It was carried over to the cellular networks without much thought to security.Text messages,though simple,eventually are somewhat insecure as well.

No one ever thought that hackers would have a field day with it,but here we are.In my opinion,anything send over the air is subject to interception.I don't care about laws or cellular security, it will happen.

I would recommend that if you are using 2FA,try using a regular landline where interception of your call is harder to get.

Bob - This seems like sowing FUD - fear, uncertainty, and doubt. For the vast majority of people username/password entry into a website works just fine. Using 2FA for financial information (banks or investment sites) is an added bonus. If you dive into the details of intercepting SMS messages it takes considerable time and resources. I appreciate all the great info, but I think it needs to said this is not a problem for most of your readers.

This has been going on for a LONG time! Decades ago an unscrupulous AT&T employee enabled "Remote Call Forwarding" on my landline, unbeknownst to me. Then they used Western Union to send a large amount of cash to their account. When Western Union called my phone to verify, they had remotely forwarded it to their phone and pretended to be me! The on;y reason I found out was the FBI had been following the crooks and called me. I was all set to fly to LA to testify against them, but they agreed to a plea deal. Anyway, that ploy of secretly redirecting your phone has probably been around as long as there have been phones!

I reckon that it's an equal risk if "you can also print a list of codes for use when you don’t have your phone handy". A printed list doesn't sound all that secure.

I have encountered 2FA with very discouraging resuts. Having to purchase texting from your phone provider and then having to wait for receiving the text (or e-mail) is stupid. I'm considering returning to snail mail, it is more reliable and safer. One should consider effects on the senior citizens that find some of these changes difficult to follow.

What leaves me wondering about security are credit card company practices. What do they know about user security that other companies don't? I seldom have to go through a 2FA process to access my CC account. And I am almost never asked to change my password. Why not? I've had the same PW for a major CC account for maybe ten years. I don't think my online access to my CC account has ever been compromised. The card number, yes. The online account, no. What do they know that other companies don't?

I depend mostly on "security by obscurity". I take reasonable precautions, and depend on the computers at the credit card companies I use to spot any unusual activity (which has happened). They then contact me in those cases, so I can indicate whether the activity is valid. And most companies are very good about reversing any fraudulent or scam charges.

Text or email 2FA is just another layer of protection to further minimize risks. But 2FA doesn't have to be foolproof, and it's not worth the hassle of trying to make it so.

I like to use the analogy of locking my car. I live in a fairly safe city, so the odds of my car being stolen are low but not non-existent. If the car is locked, that further reduces the odds, perhaps by a factor of 10. But what if I forget one night to lock the car? It's more at risk for that one night, but if that happens at most a handful of times per year then my car is still safer by a factor of 9.9 instead of 10. That's good enough. There's no absolute certainty against car theft, but it isn't worth going to the hassle and expense of further reducing that already-small risk.

Off-topic, but I use that same analogy for COVID: I take reasonable precautions, but occasional breaches (e.g., sometimes forgetting to wear a mask or not always social distancing) are similar to not locking my car 100% of the time. The added percentage risk is miniscule. And the consequences are tolerable: The risk of death from contracting COVID is typically less than 1%. In the same way, the impact of having your car stolen is not enormous, if you have insurance (or prefer to self-insure) or the police recover it. The same argument applies to most data breaches.

People need to learn to realistically estimate risks of all kinds, and make sensible trade-off decisions.

To: Daniel Wiener - Not wearing a mask puts others at risk too so that's a huge difference. That's all I'm going to say.

I use an authenticator app (Authy) when I can. However, my problem is that SMS is still allowed as a backup 2FA method. A hacker or bad actor would just bypass the authenticator app.

To: Doug - The act of driving a car also puts others at risk, so that's not a huge difference. Unfortunately, most people's perceptions of various risky activities fail to accurately correspond to the actual danger levels shown by the statistical data.

My view is really very simple - if the hackers have managed to subvert my phone provider for the irregular eTAC I receive - then no other additional security measures will help - they will have taken your money and the fight with your bank begins QED

Bob,
You have yet again presented a number of alternative solutions to problem that should not exist (but it does).
Frankly posting a series of links that might upon careful & time consuming examination, point to safer options, well that's just not good enough!
Not many of us have the capability to implement successfully anyway.
Why not present a simple list of best actions to achieve better security with no impact on usability?

ZDNET subject line reads: "Microsoft urges users to stop using phone-based multi-factor authentication" on November 12, 2020. MFA/2FA kinda puts the kibosh on the whole concept of convenience in your [whichever]-pocket. And the most recommendations for less complicated passwords by NIST adds a whole new 'chkink' in our security knight's armor.

I use a strong password (in LastPass), and my (encrypted) Desktop PC as my 2fa with my bank. If I use either of my Lap Tops to access my bank, when I log in, I am presented with a screen that requires me to have the bank call me. When I receive the call (immediately), I enter a unique code posted on the banks web page into my phone. After entering the code, the robotic phone call directs me to "click the Continue key" on the web page. The next page requests a few personal bits of information, then I am allowed to access my online banking web page. I believe that this is fairly secure since I am sending a code back to the bank (not the other way around). Most of my other online services are protected with 2fa using the Last Pass authenticator which I can securely access from my Desktop or phone.

This is my 2fa experience,

Ernie

Risk cannot be eliminated, but the potential for loss must be part of the calculation. Few of us have large Bitcoin accounts that would make a determined and sustained attack worthwhile...
My accounts all have long random passwords that are unique to each account stored in KeePass. Having passed the username/password stage, a text to my phone is more than sufficient given the relatively small loss potential.
Everything being on our phones is problematic, but I don't do smartphones.

I don't have a cell phone. A few of the banks and investment companies call me on my land line for 2FA. It works for me.

A few years ago, the Social Security Administration REQUIRED a cell phone for 2FA. That requirement didn't last long.

I sometimes feel like I'm one of the few people that doesn't bank or make purchases with a cell phone. I have never felt that cell phones are secure. I use my desktop computer for banking and purchases, and get emails for 2FA.

Bob the post by Peter Oh
17 Nov 2020 seems like a reasonable suggestion on
this nasty matter.. most people as you kNow are not
too versed in security tech so consider
the "KISS" formula my wife reading you e-mail too.
This way I don't have answer so many questions
You doing a great job keep it coming...RML