Topic: For All Of You That Still Think SMS For 2FA For Wallets Is Or Was Safe.

copper member
Activity: 1652
Merit: 1901
2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based.
Some services will email you a PGP encrypted 2FA code to your email. So an adversary would need to access both your email and have access to your (unencrypted) PGP key. Generally speaking, this will be just as good as using google authenticator, if you keep both keys similarly safe.

Just a bit of a bump and a note for all those people who use RFID for security things like doors, elevators and such:
https://twitter.com/jjx/status/1475493289021292551
They can probably also make a copy of your private keys if you give them physical access to them.

Keep in mind that something like an RFID badge can be trivially deactivated. If an RFID badge gives a person access to an especially sensitive location, you can track access times to try to detect if it appears that a badge was duplicated, or is being used by more than one person. Also, some RFID badges will only let you "out" of a door if you have "entered" a set of doors last, and will only let you "in" a door if you have last "entered" a door without exiting the door.
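
The anti-passback rule and the access-time tracking described in the post above, worked through as an added example (this is not code from the post, nor from any vendor's access-control software): a small replay of a reader log that enforces in/out sequencing per badge and flags the two things a cloned or shared badge tends to produce, an in/out sequence that cannot happen for one card and two readers hit faster than anyone can walk between them. The zone layout, walking times and log lines are constructed for illustration.

```python
"""Access-log analysis for a badge system: anti-passback enforcement and
duplicated-badge detection. Added example, not code from the forum post or
any real access-control product; the zone layout, timings and log lines
are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

OUTSIDE = None
# Each door leads from its parent zone into the zone named after the door
# (outside -> lobby -> server-room). Constructed layout.
DOOR_PARENT = {"lobby": OUTSIDE, "server-room": "lobby"}
# Shortest plausible walk between two readers, in seconds. Constructed.
MIN_TRAVEL_SECONDS = {frozenset({"lobby", "server-room"}): 20}

# Constructed reader log: "<ISO timestamp> <badge> <door> <in|out>"
SAMPLE_LOG = """\
2021-12-27T08:01:10 B1001 lobby in
2021-12-27T08:01:40 B1001 server-room in
2021-12-27T08:02:05 B1002 lobby in
2021-12-27T08:30:00 B1001 server-room out
2021-12-27T08:31:00 B1001 lobby in
2021-12-27T08:45:00 B1002 lobby out
2021-12-27T09:00:00 B1002 lobby out
2021-12-27T09:10:00 B1003 lobby in
2021-12-27T09:10:05 B1003 server-room in
"""


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    direction: str  # "in" or "out"


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; reject anything unexpected."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split()
        if door not in DOOR_PARENT or direction not in ("in", "out"):
            raise ValueError(f"malformed log line: {line!r}")
        events.append(Event(datetime.fromisoformat(ts), badge, door, direction))
    return sorted(events, key=lambda e: e.ts)


def analyse(events: list[Event]) -> tuple[list[str], list[str]]:
    """Replay the log through an anti-passback state machine.

    Returns (decisions, alerts): decisions[i] is "grant" or "deny" for
    events[i]; alerts lists anti-passback violations and impossible-travel
    sequences, both signs that a badge has been cloned or is being shared.
    """
    zone: dict[str, str | None] = {}   # badge -> zone the system believes it is in
    last: dict[str, Event] = {}        # badge -> previous event, granted or not
    decisions, alerts = [], []
    for ev in events:
        here = zone.get(ev.badge, OUTSIDE)
        if ev.direction == "in":
            ok = here == DOOR_PARENT[ev.door]      # must be in the zone outside the door
            if ok:
                zone[ev.badge] = ev.door
        else:
            ok = here == ev.door                   # must have entered this door last
            if ok:
                zone[ev.badge] = DOOR_PARENT[ev.door]
        decisions.append("grant" if ok else "deny")
        if not ok:
            alerts.append(f"{ev.badge} {ev.ts.isoformat()} anti-passback: "
                          f"{ev.direction} {ev.door} while believed in "
                          f"{here or 'outside'}")
        # Timing check runs even on granted events: a clone that follows the
        # correct in/out order is invisible to the state machine alone.
        prev = last.get(ev.badge)
        if prev is not None and prev.door != ev.door:
            need = MIN_TRAVEL_SECONDS.get(frozenset({prev.door, ev.door}), 0)
            gap = (ev.ts - prev.ts).total_seconds()
            if gap < need:
                alerts.append(f"{ev.badge} {ev.ts.isoformat()} impossible travel: "
                              f"{prev.door} -> {ev.door} in {gap:.0f}s (min {need}s)")
        last[ev.badge] = ev
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = analyse(parse_log(SAMPLE_LOG))
    print(decisions)
    for a in alerts:
        print(a)
```

On the constructed log, B1001 is denied when "it" tries to enter the lobby while the system already has it inside, B1002 is denied a second exit, and B1003 is granted both doors but still raises an alert because five seconds is not enough to get from one reader to the other. A denial only locks a door; the alert is what gets correlated with where the legitimate holder actually was, which is the check the post recommends.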
legendary
Activity: 3542
Merit: 1965
I think the biggest threat to SMS verification linked to 2FA has always been a SIM swap and this is something that is happening a lot in my country. The Banks and other financial institutions are struggling with the exact same problem. There are syndicates working inside mobile phone operators that will assist these criminals to do SIM swaps and that is difficult to stop.

In most cases, these syndicates cannot swap the SIM card whilst your phone is operational, so they find ingenious ways to get you to reboot or to switch off your phone, so that your cloned SIM card can be linked to another phone. (Tip: Do not switch off your phone if you are being harassed to do it.)
legendary
Activity: 3500
Merit: 6320
Just a bit of a bump and a note for all those people who use RFID for security things like doors, elevators and such:
https://twitter.com/jjx/status/1475493289021292551

Nope, that is not secure either. If you thought you could control access to your stuff, through access control devices, make sure they are up to the task.
Just one more thing to think about as you try to make your life more secure.

-Dave
legendary
Activity: 2268
Merit: 18711
You could use your mobile data, for example, when you want to access your 2FA codes instead of WIFI.
Better still: Your phone does not need an internet connection for a good 2FA app to generate the correct codes. All it needs to do is have the shared secret (which can be entered either by scanning the QR code or by entering the 16-character backup code), and the correct time (which you can adjust manually if your phone is out of sync). If you want to be extra secure with a phone, then use one on permanent flight mode to store your 2FA app. If you want to be more secure than that, then do away with the phone altogether and use a hardware key.
legendary
Activity: 2730
Merit: 7065
What is one to do regarding this?
About a possible threat because one uses the same network? I assume we are talking about internet networks. Instead of one, use two different internet networks. Don't connect your phone to the same network that your computer is connected to. You could use your mobile data, for example, when you want to access your 2FA codes instead of WIFI. 
member
Activity: 100
Merit: 33
As Welsh said:

"You could go as far to say that a device on the same network, could become a problem if you're trying to use two factor authentication, though I think I'll leave that for another day."

What is one to do regarding this?
legendary
Activity: 2870
Merit: 7490
Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.
Pretty much, I wouldn't recommend any other operating system to anyone, and the beauty about it, there are various open-source ROMs out there for all your customization needs, without needing to root your phone. Whether you want a custom ROM for the customization it offers aesthetically, or the added functionality. As far as I know, Apple doesn't allow you to do this without rooting the phone, which is a security risk in itself, at least if it isn't used correctly and not carefully managed.

Since you mentioned open source, there are a few Linux-based OSes (not Android) for mobile devices such as PureOS (https://pureos.net/). AFAIK the security is comparable with Android, but it's not an option for most people due to the lack of applications.
staff
Activity: 3304
Merit: 4115
Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.
Pretty much, I wouldn't recommend any other operating system to anyone, and the beauty about it, there are various open-source ROMs out there for all your customization needs, without needing to root your phone. Whether you want a custom ROM for the customization it offers aesthetically, or the added functionality. As far as I know, Apple doesn't allow you to do this without rooting the phone, which is a security risk in itself, at least if it isn't used correctly and not carefully managed.

Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.
Yeah, my old bank used to have this facility. It kind of looked like a hardware wallet, except it had numbers directly on it, rather than using an interface like Trezor does. I do prefer Trezor's approach, though banks might have significantly improved these days.
legendary
Activity: 3500
Merit: 6320
This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks
Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.

American Express had something like that over 20 years ago:
https://bits.blogs.nytimes.com/2008/12/05/a-credit-card-loses-its-high-tech-cred/
Almost nobody used it at the time.

I would not mind if the NFC/RFID in my phone needed a card to activate some things.
Would kind of be nice, you get a phone it comes with "X" number of cards. On top of PIN / fingerprint / faceID / whatever you can have some security things tagged to the card.

As for why some things need access to parts of your phone data. There are a few reasons.
The biggest one I see is crappy coders re-using parts of code or just using pre-packaged things.

My door access app does not need access to the speaker & microphone, but it does need the camera & NFC. The people who wrote it bought a package called media access that wants access to all 4, just so they did not have to write something that can get camera & NFC access.

-Dave
legendary
Activity: 2268
Merit: 18711
This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks
Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.

I personally, wouldn't recommend using something like your phone that you use for other things, and could potentially be compromised through negligence. For example, I've seen android users be very negligent in the permissions they give to applications, even with the improved permissions system that custom operating systems have, and I believe the latest Android versions.
Another bugbear of mine. Everyone should go in to the app permissions setting on their phone and just look at what apps are accessing what. Tell me why Facebook needs access to your microphone? Or why WhatsApp needs access to your location? Or why some random wallet app needs access to all your files? It's a huge privacy and security risk. The same applies to browser extensions. The fewer apps and extensions you install, the better.

If you are going to use an authenticator app as your 2FA method, then ideally it should be on an old phone after you reset it to factory settings, remove all the bloatware, and turn off all connectivity.
hero member
Activity: 882
Merit: 5834
I can't speak for Apple or any other variation of operating systems for mobiles.
Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS Grin

From my knowledge of iOS programming, it's not trivial. An App can identify a device, but that identifier is bound to the application; so different applications see different identifiers, which is good for privacy. There is no way to extract the IMEI via app.
Given the above there’s no single value that uniquely identifies an iOS device, now and forever, across unrelated apps.
However, it might be enough to have this application- and device-bound ID for this use case. I'm not 100% sure about what the attacker model is, though.
staff
Activity: 3304
Merit: 4115
Was actually thinking while driving home, how difficult would it be for an exchange (or bank) to have a 2FA app that is tied to a phone or device by IMEI or serial number.
I don't actually know what privileges apps have on which mobile OS but I think that could help a lot of security issues.
If you're using a recent version of Android then it needs to specifically request, and be granted, the privileges. Though I can't actually verify that, since I use custom operating systems on my phone, which have this ability, though I'm pretty sure since Android 10 you have to give permissions for most things.

Although, I'm pretty sure it's relatively easy to spoof an IMEI number, and you shouldn't really be giving it out if you don't want to open yourself up to attacks via that method, or be identified through the IMEI. Most apps, if not all non-system applications, shouldn't have access to it.

I can't speak for Apple or any other variation of operating systems for mobiles. However, for anything involving Bitcoin, especially when you're acting as your own bank, you should probably be looking for the most secure way possible, so physical isolation and using a hardware key would be the best approach. I personally wouldn't recommend using something like your phone that you use for other things, and could potentially be compromised through negligence. For example, I've seen Android users be very negligent in the permissions they give to applications, even with the improved permissions system that custom operating systems have, and I believe the latest Android versions.
legendary
Activity: 3500
Merit: 6320
...It almost always comes down to convenience. I'll use the cliche saying of; the human is the point of failure. That's true for almost every thing I can imagine, there are ways to secure your Bitcoin, accounts or whatever you want, however the vast majority, even those that are security conscious ignore it, simply due to it being not convenient....

Or we are humans and do stupid things now and then. What I did in the beginning of the year:

So...I screwed up a bit...
Yesterday I had to PM Hhampuz to change the payout address for me in the campaign I am in that he is managing.


Hey Dave!

Updated the addy, what did you do?

Best,
Hhampuz

I have to leave my phone with security when I go into certain areas for one of our clients. Nothing exciting just legal records but, they don't want you to be able to take pictures.

Was moving BTC when the guard came to escort me in and I left my phone at the guard station... unlocked and with the wallet authenticated. Just dropped it in the tray and walked away. Total idiot move. Anybody at the guard station could have gotten to the private keys in about 10 seconds.

That's why I am always saying don't leave more funds in a mobile wallet than you are ready to lose. Because sooner or later you are going to screw up.

I'm 99.999% sure it's safe. To be sure I am going to move everything out later hopefully when fees drop a little overnight.

-Dave

I guess that brings up the next point; we have to drill into new users' heads that you are usually your own worst enemy.
No harm done, except I lost a bit in TX fees since I had to move BTC for no reason when fees were higher, but still. I have my phone protected with PIN & fingerprint. I have the app protected with a different PIN and I still could have lost money.

And if I didn't realize that *I* left everything unlocked when I handed the phone over, and I did lose money, I would have been wiping the phone and going insane trying to figure out how the hell it happened.

-Dave

Was actually thinking while driving home, how difficult would it be for an exchange (or bank) to have a 2FA app that is tied to a phone or device by IMEI or serial number.
I don't actually know what privileges apps have on which mobile OS but I think that could help a lot of security issues. You would need a semi-secure way of installing it. But beyond that it should work. Even if someone clones your device they would still need to get by the initial secure installation issue, which should be obvious. Say an automated phone call, followed by a 48-hour timeout before anything could be switched.

-Dave
staff
Activity: 3304
Merit: 4115
To this day, banks are using two factor authentication (2FA) as a way of securing your bank account, i.e. authorising who can log in, send payments, and whatever else you can do with a bank account these days. The fact that they even offer this should have you questioning the true security of banks; it's often said that security specialists have a stronger and more secure network at home than many of the workplaces they work in, even government-based ones.

Plus, the fact is that you can take control of your money completely, without actually making it any less insecure, in fact you can make your money more secure with Bitcoin. This is something that I've tried explaining over the years to anyone who said that I wouldn't be as qualified as a multi billion pound bank securing my money, but despite trying to explain, they never really grasp the idea of storing your money inside an address that was generated offline, the fact that you can get air gap computers, use non digital ways of key generation, and there's a whole lot of headaches when you try, and explain it this way. However, bringing up the issue with 2FA with SMS, and the fact that banks are still using this today, could be a way of explaining the security flaws in traditional banks, and how they could actually make it more secure by securing the money themselves inside Bitcoin, whether or not they intend on using it as a currency or a reserve doesn't matter for this point (ignoring volatility).  

This is part of the reason that a hardware key is such a good 2FA method, because it is by design a second factor, and cannot possibly be part of a single point of failure (unless you do something stupid like leave it permanently plugged in to your laptop).
This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks, i.e. completely different computers, or virtualisation via Qubes OS. You could potentially come up with a decent 2FA method via Qubes OS, and depending on your threat model that could suffice. However, I would always recommend physical isolation whenever possible. You could go as far to say that a device on the same network could become a problem if you're trying to use two factor authentication, though I think I'll leave that for another day.

*Hand Raised.
It almost always comes down to convenience. I'll use the cliche saying of; the human is the point of failure. That's true for almost every thing I can imagine, there are ways to secure your Bitcoin, accounts or whatever you want, however the vast majority, even those that are security conscious ignore it, simply due to it being not convenient.  

It all comes down to the risk associated, and your personal threat model as I mentioned above. If you are a pretty low target, aren't someone famous, then you're unlikely to be targeted, and that might be a reason to lower your threat model. That's just one of the examples I could think of off the top of my head, but I'm sure there's plenty more.

I think each and every one of us at some point has ignored some sort of security concern; this might be due to laziness, not fully understanding the issue at hand, or simply because you didn't deem the risk high enough to take action.

I absolutely second the idea of a hardware key though. It's specifically designed for it, and it somewhat removes the inconvenience that you might run into with other methods.
legendary
Activity: 2268
Merit: 18711
Raise your hands if all of those are on one device.
*Hand Raised.
Heh. At least you're honest.

This is a key thing that a lot of people, maybe even most people, don't appreciate with 2FA. It must require the compromise of two different factors to actually be 2FA. If you think of the second factor as just an additional password or something like that, then why not just set two passwords and store them both in the same password manager. If both your password and your 2FA can be compromised by the compromise of a single physical device or a single email account, then it isn't 2FA at all.

Do you log in to your exchange account from your phone, and have the login details saved in your phone's browser or password manager? If so, then anything involving that phone is not a second factor, be that SMS, receiving emails to that phone, or a 2FA app on that phone.* If you log in from your computer, then receiving emails to an account you also log in from the same computer is not secure. This is part of the reason that a hardware key is such a good 2FA method, because it is by design a second factor, and cannot possibly be part of a single point of failure (unless you do something stupid like leave it permanently plugged in to your laptop).

*This is all obviously separate from the fact that SMS is never secure as a 2FA method.
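
The "single point of failure" test in the post above, as an added example that is not part of the thread: write down what each device, account or stored credential hands an attacker who compromises it, then ask whether any single asset alone reaches every factor the service demands. The three setups, the asset names and the propagation rules below are all constructed for illustration; a real model would be filled in from your own devices and accounts.

```python
"""Does a login setup really have two independent factors? Added example
modelling the argument in the post above; not code from the thread. The
setups, asset names and propagation rules are constructed."""

# Each setup maps an asset (a device, an account, a stored credential) to
# what an attacker obtains on compromising it: further assets, or the
# factors the service asks for ("password", "totp", "sms-code").
# Anything that is not a key yields nothing further.

# Setup 1: one phone used for everything: password saved in the browser,
# authenticator app, SIM for SMS codes, and the mailbox app.
ALL_ON_PHONE = {
    "phone": {"saved-browser-password", "authenticator-app", "sim", "mail-app"},
    "saved-browser-password": {"password"},
    "authenticator-app": {"totp"},
    "sim": {"sms-code"},
    "mail-app": {"mailbox"},
    "mailbox": {"password"},  # password reset link lands in the mailbox
}

# Setup 2: password manager and mail on the laptop, TOTP on an old phone
# kept in flight mode.
SPLIT = {
    "laptop": {"password-manager", "mailbox"},
    "password-manager": {"password"},
    "mailbox": {"password"},
    "old-phone": {"authenticator-app"},
    "authenticator-app": {"totp"},
}

# Setup 3: as SPLIT, but the TOTP secret was also pasted into the password
# manager "for convenience" (the two-passwords-in-one-manager case).
SPLIT_BUT_SECRET_IN_MANAGER = {
    **SPLIT,
    "password-manager": {"password", "totp"},
}


def reachable(start: str, yields: dict) -> set:
    """Everything an attacker holds after compromising `start` alone."""
    seen, stack = set(), [start]
    while stack:
        asset = stack.pop()
        if asset in seen:
            continue
        seen.add(asset)
        stack.extend(yields.get(asset, ()))
    return seen


def single_points_of_failure(required, yields: dict) -> list:
    """Assets whose compromise, by itself, yields every required factor.
    A setup is only really multi-factor when this list is empty."""
    required = set(required)
    return sorted(a for a in yields if required <= reachable(a, yields))


def independent_factors(required, yields: dict) -> bool:
    return not single_points_of_failure(required, yields)


if __name__ == "__main__":
    for name, setup in [("all on phone", ALL_ON_PHONE), ("split", SPLIT),
                        ("split, secret in manager", SPLIT_BUT_SECRET_IN_MANAGER)]:
        print(name, "->", single_points_of_failure(["password", "totp"], setup))
```

With password plus TOTP required, the first setup collapses to the phone, the second has no single asset that reaches both factors, and the third shows how copying the TOTP secret into the password manager quietly turns the laptop (and the manager itself) back into a single point of failure. Adding "sms-code" to the required set changes nothing for the first setup: the phone still covers all three, which is the point of the "raise your hands" question earlier in the thread.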
copper member
Activity: 2338
Merit: 4543
Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password.  I can't remember their name (bitcoin blender?), but they shut down a couple of years ago when there was a law enforcement crack-down on mixers.  I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto!  You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options.  I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.

For a while my bank REQUIRED their phone app to be able to log into their web portal.
Don't know if it really was secure or how the phone app worked, but it seemed like a good idea.

Phone apps are really the downfall of a lot of security, Google auth, Authy, Email, SMS whatever since for too many people your phone does have it all.

A centralized phone app controlled by the organization, sending encrypted data could be a good solution.  If you're already doing business with the organization your trust is implied.  It's certainly more secure than using SMS or email 2FA.  The only trouble is if you lose your phone, you're screwed.

Going back to the Coinbase hack.
Let's assume that to change your CB password or do certain transactions you need ALL of the following

1) Email access
2) Google / Authy access
3) SMS access

Raise your hands if all of those are on one device.

PGP works to a point, but too many people use it and assume they are safe, when if the PC that you have it on is compromised it's just as bad as any other authentication. Could be worse, if you are doing everything on that 1 PC.

For your own wallet, a HW wallet is the only way to go. For 2FA stuff, there are only going to be 'less bad' answers. I can't really think of a good one.

-Dave

*Hand Raised.  As o_e_l_e_o is apt to do, he gave some really good advice about using multiple devices.  Most of us here are aware of many security pitfalls that we face every day, yet we continue to take shortcuts for the sake of convenience.  It's a choice we all need to make for ourselves.
legendary
Activity: 3500
Merit: 6320
Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password.  I can't remember their name (bitcoin blender?), but they shut down a couple of years ago when there was a law enforcement crack-down on mixers.  I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto!  You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options.  I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.

For a while my bank REQUIRED their phone app to be able to log into their web portal.
Don't know if it really was secure or how the phone app worked, but it seemed like a good idea.

Phone apps are really the downfall of a lot of security, Google auth, Authy, Email, SMS whatever since for too many people your phone does have it all.

Going back to the Coinbase hack.
Let's assume that to change your CB password or do certain transactions you need ALL of the following

1) Email access
2) Google / Authy access
3) SMS access

Raise your hands if all of those are on one device.

PGP works to a point, but too many people use it and assume they are safe, when if the PC that you have it on is compromised it's just as bad as any other authentication. Could be worse, if you are doing everything on that 1 PC.

For your own wallet, a HW wallet is the only way to go. For 2FA stuff, there are only going to be 'less bad' answers. I can't really think of a good one.

-Dave
copper member
Activity: 2338
Merit: 4543
Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password.  I can't remember their name (bitcoin blender?), but they shut down a couple of years ago when there was a law enforcement crack-down on mixers.  I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto!  You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options.  I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.
legendary
Activity: 2268
Merit: 18711
Intercepting is one thing, matching it with the account in question is a different thing altogether for a service that receives hundreds of logins per minute
Easily done if the user's details have been part of a database leak from the exchange or from any other site where they have signed up using their email address and phone number in the same account. And then you can potentially exploit an SMS account recovery process as was done in the Coinbase hack.

In my view, TOTP is also not better since most TOTP are sent as SMS.
Most TOTP are generated using an authenticator app such as Aegis, andOTP, or (shudder!) Google Authenticator. And regardless, TOTP refers only to the process of generating the code, which is completely secure provided you don't leak the shared secret. It is the mode of delivery - SMS instead of on an app - which is insecure.
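
What the two posts above say about TOTP (the earlier reply that a phone in flight mode holding the shared secret and a roughly correct clock is enough, and the reply immediately above that the generation step is secure while SMS delivery is not), as an added example that is not code from any authenticator app or service: the RFC 6238 computation from a base32 secret and a timestamp, plus the server-side check with a one-step clock-skew window. The otpauth URI below is constructed; its secret is the RFC 6238 test key, so the output can be checked against the published vectors.

```python
"""TOTP (RFC 6238) generated offline from a base32 shared secret, plus a
server-side check with a small clock-skew window. Added example written for
this thread, not code from any authenticator app. The otpauth URI is
constructed; the secret in it is the RFC 6238 test key."""
import base64
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed enrolment URI of the kind encoded in a 2FA QR code. The
# "backup code" a service shows next to the QR is the same secret= value.
ENROL_URI = ("otpauth://totp/Exchange:alice@example.com"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Exchange"
             "&algorithm=SHA1&digits=6&period=30")


def decode_secret(b32: str) -> bytes:
    """Base32 secret as typed or scanned: case and spaces ignored, padding
    restored (a 16-character backup code carries none)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri: str) -> dict:
    """Pull secret and parameters out of an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "secret": decode_secret(q["secret"]),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(time / period). No network is
    involved; only the secret and a roughly correct clock."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1,
           period: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server side: accept the current step and `window` steps either side,
    so a phone whose clock drifts by less than a step still works. Uses a
    constant-time comparison; a real server must additionally refuse to
    accept the same code twice inside the window (replay)."""
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * period, period, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    import time
    p = parse_otpauth(ENROL_URI)
    print(totp(p["secret"], int(time.time()), p["period"], p["digits"], p["algorithm"]))
```

With this secret, time 59 gives 287082 (94287082 at eight digits), matching the RFC 6238 vectors. The window in verify() is what lets a phone whose clock is a little off still log in; widening it makes every code valid for longer, so keep it to a step or so and have the server reject a second login with the same code inside that window. Nothing in the path touches a mobile network, which is the distinction the post above is drawing.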
hero member
Activity: 2660
Merit: 651
This sheds more light on how the SIM-splitting scammer was able to scam their victim, because I once thought it was an error by a crypto holder who set up 2FA that led to their wallet/account being hacked.

[snip]
 I really wish more services would use TOTP as standard. While not perfect, they are much better than email or SMS.
In my view, TOTP is also not better since most TOTP are sent as SMS.