[conspire] Smartphones for 'two-factor authentication' (was: Scamming SMC Alert recipients)

Rick Moen rick at linuxmafia.com
Fri Dec 7 19:15:12 PST 2018


Meant to add a few more-general comments about the problematic trend of 
security-sensitive Web sites sending the customer's cellular 'phone 
an SMS with an authentication token, like a six-digit authentication
code.  Yeah, funny thing about that.  People are getting
social-engineered on this subject in ways that defeat the intent
and make that well-intentioned out-of-band mechanism an actual 
factor in security breach:

  [A] reader’s daughter had received a text message claiming to be from
  Google, warning that her Gmail account had been locked because someone
  in India had tried to access her account. The young woman was advised to
  expect a 6-digit verification code to be sent to her and to reply to the
  scammer’s message with that code.

https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/

The daughter, as intended, didn't stop and think:  I'm sorry, send the
verification code _where_ exactly?  In this case, the thieves had
already stolen her GMail password, probably because she'd made the fatal
but extremely common error of also using that same password for another
purpose (in this case, LinkedIn) that had been security-compromised, 
but in order to assume total control of her GMail account and lock her
out, they needed to trick her into providing _to them_ a verification code 
they caused her GMail login to send to her mobile 'phone (which they
then did).

Author & security pundit Brian Krebs goes on:

  Okay, so the geeks-in-chief are saying it’s time to move away from
  texting as a form of 2-factor authentication. And, of course, they’re
  right, because text messages are a lot like email, in that it’s
  difficult to tell who really sent the message, and the message itself is
  sent in plain text — i.e. is readable by anyone who happens to be
  lurking in the middle.

The SMC Alert scam illustrates the 'difficult to tell who really sent
the message' problem nicely.

Krebs also opines:

  Personally, I favor app-based time-based one-time password (TOTP)
  systems like Google Authenticator, which continuously auto-generates a
  unique code via a mobile-based app.

Eh, no thanks.  The day (e.g.) my bank tells me I need to run some
particular piece of proprietary, spying-on-me software just to use
services, I'll need to find a different way to use those services or
switch to a different provider.

Anyway, this whole area is problematic in that it mixes up authorisation
('prove you have a token I sent you') with authentication (prove you're
the real you), acting as if the former proves the latter, which it
doesn't at all.  That's InfoSec 101.  

o  Or have the operators of security-sensitive Web sites never heard of
lost mobile 'phones?

o  Also, never heard of needing access to a Web site from a location
where you lack cellular service?

o  Also#2, never heard of the widespread compromise by intruders of
telco equipment using the Signalling System No. 7 routing protocol?
https://arstechnica.com/information-technology/2016/04/how-hackers-eavesdropped-on-a-us-congressman-using-only-his-phone-number/

(tl;dr:  US Representative Ted Lieu was one of many people whose
smartphone activity was able to be finely tracked and eavesdropped by 
computer criminals.  The point being that SMS and voice traffic along
with anything else you do on a smartphone is insecure.)
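As an added illustration of the TOTP mechanism Krebs mentions above (this is example code written for this page, not part of Rick's post, Google Authenticator, or any bank's software): the RFC 6238 algorithm in Python, which makes the defender-side point concrete. The six- or eight-digit code is derived from a shared secret and the current clock, so nothing has to be delivered over SMS, and the verifier compares in constant time and tolerates a small amount of clock drift. The secret below is the published RFC 6238 test key, and the timestamps are constructed values; the base32 string is a made-up provisioning secret of the kind an authenticator app would scan.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test key (ASCII "12345678901234567890"); constructed, not a real credential
RFC6238_SHA1_KEY = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret shown in an otpauth:// provisioning URI.

    Authenticator apps usually omit '=' padding, so it is restored here.
    """
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    message = struct.pack(">Q", counter)
    digest = hmac.new(secret, message, algorithm).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                algorithm=hashlib.sha1) -> bool:
    """Server-side check.

    Accepts the current step plus 'window' steps on either side to absorb
    clock drift, and uses a constant-time comparison so timing does not leak
    how many leading digits matched.
    """
    if unix_time is None:
        unix_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed provisioning secret, as it would appear in a QR code payload
    app_secret = decode_base32_secret("JBSWY3DPEHPK3PXP")
    code = totp(app_secret)
    print("current code:", code)
    print("verifies:", verify_totp(app_secret, code))
```

Usage note: the shared secret lives only on the server and in the user's authenticator; the network carries nothing but the short-lived code, and a code handed to a scammer in the way Krebs describes still unlocks the account, because TOTP binds the code to time and secret, not to who is typing it.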
