Topic: For All Of You That Still Think SMS For 2FA For Wallets Is Or Was Safe. (Read 366 times)

copper member
Activity: 1610
Merit: 1899
Amazon Prime Member #7
2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based.
Some services will email you a PGP encrypted 2FA code to your email. So an adversary would need to access both your email and have access to your (unencrypted) PGP key. Generally speaking, this will be just as good as using google authenticator, if you keep both keys similarly safe.

Just a bit of a bump and a note for all those people who use RFID for security things like doors, elevators and such:
https://twitter.com/jjx/status/1475493289021292551
They can probably also make a copy of your private keys if you give them physical access to them.

Keep in mind that something like an RFID badge can be trivially deactivated. If an RFID badge gives a person access to an especially sensitive location, you can track access times to try to detect if it appears that a badge was duplicated, or is being used by more than one person. Also, some RFID badges will only let you "out" of a door if you have "entered" a set of doors last, and will only let you "in" a door if you have last "entered" a door without exiting the door.
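As an added example (not code from the post above), a small log check for the two detection ideas described here: an anti-passback violation (an "in" read with no "out" since the last "in" at that door) and one badge reading at two sites faster than a person could travel. The log format, door names, site prefixes and minimum travel times are constructed assumptions.

```python
"""Spot badges that look duplicated or shared, from access-control logs.
Two checks: anti-passback (an 'in' read with no 'out' since the last 'in'
at that door) and a badge reading at two sites faster than a person could
travel between them. Log format and thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed sample log (timestamp, badge, door, direction); not real data.
SAMPLE_LOG = """\
2021-12-28T08:01:10 B1001 HQ-lobby in
2021-12-28T08:02:30 B1001 HQ-server in
2021-12-28T08:40:00 B1001 HQ-server out
2021-12-28T08:41:05 B1001 HQ-lobby out
2021-12-28T09:00:00 B2002 HQ-lobby in
2021-12-28T09:03:00 B2002 HQ-lobby in
2021-12-28T09:10:00 B3003 HQ-lobby in
2021-12-28T09:12:00 B3003 DC2-lobby in
"""

# Assumed minimum plausible travel time between sites (site = door prefix).
MIN_TRAVEL = {frozenset({"HQ", "DC2"}): timedelta(minutes=45)}


def parse_log(text):
    """Parse 'ts badge door direction' lines into tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, direction))
    return sorted(events)


def site_of(door):
    """Site is the part of the door name before the first dash (assumed)."""
    return door.split("-", 1)[0]


def find_anomalies(events, min_travel=MIN_TRAVEL):
    """Return (kind, badge, where, time) alerts. Each badge/door pair must
    alternate in/out; each badge must not jump sites implausibly fast."""
    alerts = []
    last_dir = {}    # (badge, door) -> last direction seen at that door
    last_seen = {}   # badge -> (time, site) of the most recent read
    for ts, badge, door, direction in events:
        prev = last_dir.get((badge, door))
        if direction == "in" and prev == "in":
            alerts.append(("passback", badge, door, ts))
        elif direction == "out" and prev != "in":
            alerts.append(("exit-without-entry", badge, door, ts))
        last_dir[(badge, door)] = direction

        site = site_of(door)
        if badge in last_seen:
            t0, s0 = last_seen[badge]
            needed = min_travel.get(frozenset({s0, site}), timedelta(0))
            if s0 != site and ts - t0 < needed:
                alerts.append(("impossible-travel", badge, f"{s0}->{site}", ts))
        last_seen[badge] = (ts, site)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed sample, badge B1001 is clean, B2002 trips the anti-passback check and B3003 is flagged for reading at HQ and DC2 two minutes apart.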
legendary
Activity: 3430
Merit: 1957
Leading Crypto Sports Betting & Casino Platform
I think the biggest threat to SMS verification linked to 2FA has always been a Sim Swap and this is something that is happening a lot in my country. The Banks and other financial institutions are struggling with the exact same problem. There are syndicates working inside mobile phone operators that will assist these criminals to do Sim swaps and that is difficult to stop.

In most cases, these syndicates cannot swap the SimCard whilst your phone is operational, so they find ingenious ways to get you to reboot or to switch off your phone, so that your cloned Sim card could be linked to another phone. (Tip: Do not switch off your phone if you are being harassed to do it.)
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
Just a bit of a bump and a note for all those people who use RFID for security things like doors, elevators and such:
https://twitter.com/jjx/status/1475493289021292551

Nope, that is not secure either. If you thought you could control access to your stuff, through access control devices, make sure they are up to the task.
Just one more thing to think about as you try to make your life more secure.

-Dave
legendary
Activity: 2268
Merit: 18509
You could use your mobile data, for example, when you want to access your 2FA codes instead of WIFI.
Better still: Your phone does not need an internet connection for a good 2FA app to generate the correct codes. All it needs to do is have the shared secret (which can be entered either by scanning the QR code or by entering the 16-character backup code), and the correct time (which you can adjust manually if your phone is out of sync). If you want to be extra secure with a phone, then use one on permanent flight mode to store your 2FA app. If you want to be more secure than that, then do away with the phone altogether and use a hardware key.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
What is one to do regarding this?
About a possible threat because one uses the same network? I assume we are talking about internet networks. Instead of one, use two different internet networks. Don't connect your phone to the same network that your computer is connected to. You could use your mobile data, for example, when you want to access your 2FA codes instead of WIFI.
member
Activity: 100
Merit: 33
As Welsh said:
"You could go as far as to say that a device on the same network could become a problem if you're trying to use two factor authentication, though I think I'll leave that for another day."

What is one to do regarding this?
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.
Pretty much, I wouldn't recommend any other operating system to anyone, and the beauty of it is there are various open source ROMs out there for all your customization needs, without needing to root your phone, whether you want a custom ROM for the customization it offers aesthetically or for the added functionality. As far as I know, Apple doesn't allow you to do this without rooting the phone, which is a security risk in itself, at least if it isn't used correctly and carefully managed.

Since you mentioned open source, there are a few Linux-based OSes (not Android) for mobile devices, such as PureOS (https://pureos.net/). AFAIK the security is comparable with Android, but it's not an option for most people due to the lack of applications.
staff
Activity: 3248
Merit: 4110
Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.
Pretty much, I wouldn't recommend any other operating system to anyone, and the beauty of it is there are various open source ROMs out there for all your customization needs, without needing to root your phone, whether you want a custom ROM for the customization it offers aesthetically or for the added functionality. As far as I know, Apple doesn't allow you to do this without rooting the phone, which is a security risk in itself, at least if it isn't used correctly and carefully managed.

Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.
Yeah, my old bank used to have this facility. It kind of looked like a hardware wallet, except it had numbers directly on it, rather than using an interface like Trezor does. I do prefer Trezor's approach, though banks might have significantly improved these days.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks
Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.

American Express had something like that over 20 years ago:
https://bits.blogs.nytimes.com/2008/12/05/a-credit-card-loses-its-high-tech-cred/
Almost nobody used it at the time.

I would not mind if the NFC/RFID in my phone needed a card to activate some things.
Would kind of be nice, you get a phone it comes with "X" number of cards. On top of PIN / fingerprint / faceID / whatever you can have some security things tagged to the card.

As for why some things need access to parts of your phone data. There are a few reasons.
The biggest one I see is crappy coders re-using parts of code or just using pre-packaged things.

My door access app does not need access to the speaker & microphone, but it does need the camera & NFC. The people who wrote it bought a package called media access that wants access to all 4, just so they did not have to write something that can get camera & NFC access.

-Dave
legendary
Activity: 2268
Merit: 18509
This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks
Speaking of banks, I know there are some which offer using your debit card as a 2FA method. You either connect up a card reader via USB to your computer to prove possession of the debit card, or your card reader uses your debit card as the shared secret to produce a 2FA code, before you are allowed to log in to your online bank account. It's a nice solution since it is effectively a hardware key but using something that everyone has in their possession already.

I personally wouldn't recommend using something like your phone that you use for other things, and could potentially be compromised through negligence. For example, I've seen Android users be very negligent in the permissions they give to applications, even with the improved permissions system that custom operating systems have, and I believe the latest Android versions.
Another bugbear of mine. Everyone should go into the app permissions settings on their phone and just look at what apps are accessing what. Tell me why Facebook needs access to your microphone? Or why WhatsApp needs access to your location? Or why some random wallet app needs access to all your files? It's a huge privacy and security risk. The same applies to browser extensions. The fewer apps and extensions you install, the better.

If you are going to use an authenticator app as your 2FA method, then ideally it should be on an old phone after you reset it to factory settings, remove all the bloatware, and turn off all connectivity.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
I can't speak for Apple or any other variation of operating systems for mobiles.
Let's be honest, anything outside of Android and iOS is dead in terms of mobile OS.

From my knowledge of iOS programming, it's not trivial. An app can identify a device, but that identifier is bound to the application; so different applications see different identifiers, which is good for privacy. There is no way to extract the IMEI via app.
Given the above, there's no single value that uniquely identifies an iOS device, now and forever, across unrelated apps.
However, it might be enough to have this application- and device-bound ID for this use case. I'm not 100% sure about what the attacker model is, though.
staff
Activity: 3248
Merit: 4110
Was actually thinking while driving home, how difficult would it be for an exchange (or bank) to have a 2FA app that is tied to a phone or device by IMEI or serial number.
I don't actually know what privileges apps have on which mobile OS but I think that could help a lot of security issues.
If you're using a recent version of Android then it needs to specifically request, and be granted, the privileges. Though, I can't actually verify that, since I use custom operating systems on my phone, which have this ability, though I'm pretty sure since Android 10 you have to give permissions for most things.

Although, I'm pretty sure it's relatively easy to spoof an IMEI number, and you shouldn't really be giving it out if you don't want to open yourself up to attacks via that method, or be identified through the IMEI. Most apps, if not all non-system applications, shouldn't have access to it.

I can't speak for Apple or any other variation of operating systems for mobiles. However, for anything involving Bitcoin, especially when you're acting as your own bank, you should probably be looking for the most secure way possible, so physical isolation and using a hardware key would be the best approach. I personally wouldn't recommend using something like your phone that you use for other things, and could potentially be compromised through negligence. For example, I've seen Android users be very negligent in the permissions they give to applications, even with the improved permissions system that custom operating systems have, and I believe the latest Android versions.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
...It almost always comes down to convenience. I'll use the cliché saying of; the human is the point of failure. That's true for almost everything I can imagine, there are ways to secure your Bitcoin, accounts or whatever you want, however the vast majority, even those that are security conscious ignore it, simply due to it being not convenient....

Or we are humans and do stupid things now and then. What I did in the beginning of the year:

So...I screwed up a bit...
Yesterday I had to PM Hhampuz to change the payout address for me in the campaign I am in that he is managing.


Hey Dave!

Updated the addy, what did you do?

Best,
Hhampuz

I have to leave my phone with security when I go into certain areas for one of our clients. Nothing exciting just legal records but, they don't want you to be able to take pictures.

Was moving BTC when the guard came to escort me in and I left my phone at the guard station.....unlocked and with the wallet authenticated. Just dropped it in the tray and walked away. Total idiot move. Anybody at the guard station could have gotten to the private keys in about 10 seconds.

That's why I am always saying don't leave more funds in a mobile wallet than you are ready to lose. Because sooner or later you are going to screw up.

I'm 99.999% sure it's safe. To be sure I am going to move everything out later hopefully when fees drop a little overnight.

-Dave

I guess that brings up the next point; we have to make sure new users have it drilled into their heads: you are usually your own worst enemy.
No harm done, except I lost a bit in TX fees since I had to move BTC for no reason when fees were higher, but still. I have my phone protected with PIN & fingerprint. I have the app protected with a different PIN and I still could have lost money.

And if I didn't realize that *I* left everything unlocked when I handed the phone over, and I did lose money, I would have been wiping the phone and going insane trying to figure out how the hell it happened.

-Dave

Was actually thinking while driving home, how difficult would it be for an exchange (or bank) to have a 2FA app that is tied to a phone or device by IMEI or serial number.
I don't actually know what privileges apps have on which mobile OS but I think that could help a lot of security issues. You would need a semi-secure way of installing it. But, beyond that it should work. Even if someone clones your device they would still need to get by the initial secure installation issue, which should be obvious. Say an automated phone call. Followed by a 48 hour timeout before anything could be switched.

-Dave
staff
Activity: 3248
Merit: 4110
To this day, banks are using two factor authentication (2FA) as a way of securing your bank account, i.e. authorising who can log in, send payments, and whatever else you can do with a bank account these days. The fact that they even offer this should have you questioning the true security of banks; it's often said that security specialists have a stronger, and more secure network at home than many of the workplaces they work in, even government based ones.

Plus, the fact is that you can take control of your money completely, without actually making it any less insecure, in fact you can make your money more secure with Bitcoin. This is something that I've tried explaining over the years to anyone who said that I wouldn't be as qualified as a multi billion pound bank securing my money, but despite trying to explain, they never really grasp the idea of storing your money inside an address that was generated offline, the fact that you can get air gap computers, use non digital ways of key generation, and there's a whole lot of headaches when you try, and explain it this way. However, bringing up the issue with 2FA with SMS, and the fact that banks are still using this today, could be a way of explaining the security flaws in traditional banks, and how they could actually make it more secure by securing the money themselves inside Bitcoin, whether or not they intend on using it as a currency or a reserve doesn't matter for this point (ignoring volatility).  

This is part of the reason that a hardware key is such a good 2FA method, because it is by design a second factor, and cannot possibly be part of a single point of failure (unless you do something stupid like leave it permanently plugged in to your laptop).
This is something I'm actually incredibly passionate about; compartmentalization either via physical breaks, i.e. completely different computers, or virtualisation via Qubes OS. You could potentially come up with a decent 2FA method via Qubes OS, and depending on your threat model that could suffice. However, I would always recommend physical isolation whenever possible. You could go as far as to say that a device on the same network could become a problem if you're trying to use two factor authentication, though I think I'll leave that for another day.

*Hand Raised.
It almost always comes down to convenience. I'll use the cliché saying of; the human is the point of failure. That's true for almost everything I can imagine, there are ways to secure your Bitcoin, accounts or whatever you want, however the vast majority, even those that are security conscious ignore it, simply due to it being not convenient.

It all comes down to the risk associated, and your personal threat model as I mentioned above. If you are a pretty low target, aren't someone famous, then you're unlikely to be targeted, and that might be a reason to lower your threat model. That's just one of the examples I could think of off the top of my head, but I'm sure there's plenty more.

I think each and every one of us at some point has ignored some sort of security concern; this might be due to laziness, not fully understanding the issue at hand or simply because you didn't deem the risk high enough to take action.

I absolutely second the idea of a hardware key though. It's specifically designed for it, and it somewhat removes the inconvenience that you might run into with other methods.
legendary
Activity: 2268
Merit: 18509
Raise your hands if all of those are on one device.
*Hand Raised.
Heh. At least you're honest.

This is a key thing that a lot of people, maybe even most people, don't appreciate with 2FA. It must require the compromise of two different factors to actually be 2FA. If you think of the second factor as just an additional password or something like that, then why not just set two passwords and store them both in the same password manager? If both your password and your 2FA can be compromised by the compromise of a single physical device or a single email account, then it isn't 2FA at all.

Do you log in to your exchange account from your phone, and have the login details saved in your phone's browser or password manager? If so, then anything involving that phone is not a second factor, be that SMS, receiving emails to that phone, or a 2FA app on that phone.* If you log in from your computer, then receiving emails to an account you also log in from the same computer is not secure. This is part of the reason that a hardware key is such a good 2FA method, because it is by design a second factor, and cannot possibly be part of a single point of failure (unless you do something stupid like leave it permanently plugged in to your laptop).

*This is all obviously separate from the fact that SMS is never secure as a 2FA method.
copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password.  I can't remember their name (Bitcoin Blender?) but they shut down a couple of years ago when there was a law enforcement crack-down on mixers.  I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto!  You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options.  I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.

For a while my bank REQUIRED their phone app to be able to log into their web portal.
Don't know if it really was secure or how the phone app worked, but it seemed like a good idea.

Phone apps are really the downfall of a lot of security, Google auth, Authy, Email, SMS whatever since for too many people your phone does have it all.

A centralized phone app controlled by the organization, sending encrypted data could be a good solution.  If you're already doing business with the organization your trust is implied.  It's certainly more secure than using SMS or email 2FA.  The only trouble is if you lose your phone, you're screwed.

Going back to the Coinbase hack.
Let's assume that to change your CB password or do certain transactions you need ALL of the following

1) Email access
2) Google / Authy access
3) SMS access

Raise your hands if all of those are on one device.

PGP works to a point, but too many people use it and assume they are safe, when if the PC that you have it on is compromised it's just as bad as any other authentication. Could be worse, if you are doing everything on that 1 PC.

For your own wallet, a HW wallet is the only way to go. For 2FA stuff, there are only going to be 'less bad' answers. I can't really think of a good one.

-Dave

*Hand Raised.  As o_e_l_e_o is apt to do, he gave some really good advice about using multiple devices.  Most of us here are aware of many security pitfalls that we face every day, yet we continue to take shortcuts for the sake of convenience.  It's a choice we all need to make for ourselves.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password.  I can't remember their name (Bitcoin Blender?) but they shut down a couple of years ago when there was a law enforcement crack-down on mixers.  I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto!  You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options.  I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.

For a while my bank REQUIRED their phone app to be able to log into their web portal.
Don't know if it really was secure or how the phone app worked, but it seemed like a good idea.

Phone apps are really the downfall of a lot of security, Google auth, Authy, Email, SMS whatever since for too many people your phone does have it all.

Going back to the Coinbase hack.
Let's assume that to change your CB password or do certain transactions you need ALL of the following

1) Email access
2) Google / Authy access
3) SMS access

Raise your hands if all of those are on one device.

PGP works to a point, but too many people use it and assume they are safe, when if the PC that you have it on is compromised it's just as bad as any other authentication. Could be worse, if you are doing everything on that 1 PC.

For your own wallet, a HW wallet is the only way to go. For 2FA stuff, there are only going to be 'less bad' answers. I can't really think of a good one.

-Dave
copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
Once upon a time there was a bitcoin mixer that used PGP to generate a one-time password.  I can't remember their name (Bitcoin Blender?) but they shut down a couple of years ago when there was a law enforcement crack-down on mixers.  I thought that was probably the most secure 2FA process I had ever used.

PGP may not be ready for main-stream adoption, or maybe it's more accurate to say that the "Main-Stream" aren't ready for PGP adoption, but this is crypto!  You would think that more businesses involved in crypto would at least provide PGP as one of the 2FA options.  I can't wait for the day when MainStreet Bank implements PGP security options for those of us who use it.
legendary
Activity: 2268
Merit: 18509
Intercepting is one thing, matching it with the account in question is a different thing altogether for a service that receives hundreds of logins per minute
Easily done if the user's details have been part of a database leak from the exchange or from any other site where they have signed up using their email address and phone number in the same account. And then you can potentially exploit an SMS account recovery process as was done in the Coinbase hack.

In my view, TOTP is also not better since most TOTP are sent as SMS.
Most TOTP are generated using an authenticator app such as Aegis, andOTP, or (shudder!) Google Authenticator. And regardless, TOTP refers only to the process of generating the code, which is completely secure provided you don't leak the shared secret. It is the mode of delivery - SMS instead of on an app - which is insecure.
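The point made here, and in the earlier reply about a 2FA app needing only the shared secret and the correct time, as an added example (not code from either post): a complete RFC 6238 TOTP generator and a drift-tolerant server-side verifier. The demo secret is the RFC 6238 test key, not a real account, and the manual clock correction is modelled as a `clock_offset` parameter that is an assumption of this example.

```python
"""TOTP (RFC 6238) generation and verification from nothing but a shared
secret and a clock: no network, no SMS and no email delivery involved.
Added example; the demo secret is the RFC 6238 test key, not a real one."""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Turn the 'backup code' a service shows (base32, often in spaced
    groups and mixed case) into the raw HMAC key the app stores."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6,
         clock_offset: int = 0) -> str:
    """Code for the 30-second window containing unix_time. clock_offset
    (assumed parameter) models a phone whose clock is wrong and is
    corrected by hand: a clock 5 s fast needs clock_offset=-5."""
    counter = (unix_time + clock_offset) // step
    return hotp(decode_base32_secret(secret), counter, digits)


def verify_totp(secret: str, code: str, unix_time: int, window: int = 1,
                step: int = 30) -> bool:
    """Server-side check: accept the current window plus/minus `window`
    steps of drift, comparing in constant time so timing leaks nothing."""
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret: ASCII "12345678901234567890" in base32.
    demo_secret = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    print("code for the current window:", totp(demo_secret, int(time.time())))
```

Nothing in the generator touches the network: whoever holds the base32 secret (the app, the server, or an attacker who copied it) can produce the same codes, which is why the secret, not the delivery channel, is what a TOTP setup protects.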
hero member
Activity: 2590
Merit: 650
Want top-notch marketing for your project, Hire me
This sheds more light on how the SIM splitting scammer was able to scam their victim, because I once thought it was an error by a crypto holder who set 2FA that led to their wallet/account being hacked.

[snip]
 I really wish more services would use TOTP as standard. While not perfect, they are much better than email or SMS.
In my view, TOTP is also not better since most TOTP are sent as SMS.
legendary
Activity: 2828
Merit: 6108
Jambler.io
2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based. As we've seen, SMS messages are sent unencrypted through an unknown number of intermediaries before they reach you, can be intercepted at any point along the way, and your phone number can easily be transferred to an attacker with a SIM swap attack.

Intercepting is one thing, matching it with the account in question is a different thing altogether for a service that receives hundreds of logins per minute and routes them through different providers like the large exchanges or banks, you are simply looking at a list and lists of codes, you need to also know the phone number of the victim, the password, the login. Of course, SMS 2FA is not really the best choice but it's way better than nothing, and let's be clear, at this point, there is only speculation that hackers had access to the content of the messages, one random source that said the hackers could have gained access, not that they did.

Others have taken this to another level, my bank asks for a security pin every time I change the IP from which I log in, even for the app, that one can't be changed and the option can't be removed unless you go to a physical bank and submit a request, unlike the 6 numbers 2FA that is used only to validate transactions.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either.

Exchanges use 2FA all the time. Some use Google or similar, many use SMS.
And even if you live by the don't leave your coins on an exchange idea. If you do want to move fiat in and out or do trading, you are going to one sooner or later.
Ahh right, so with 2FA for wallets, you mean 2FA for exchanges. I didn't know they still allow using SMS for 2FA, that's really bad, and should not be changed today, it should have been changed actually years ago!

On top of that, no matter how you look at it, it's really surprising that a hack of this magnitude went on for so long and nobody is really talking about it.
I agree, most people are more worried about Facebook being down for a few hours than their 2FA setups.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either.

Exchanges use 2FA all the time. Some use Google or similar, many use SMS.
And even if you live by the don't leave your coins on an exchange idea. If you do want to move fiat in and out or do trading, you are going to one sooner or later.

On top of that, no matter how you look at it, it's really surprising that a hack of this magnitude went on for so long and nobody is really talking about it.

-Dave
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I have also read back in 2018 that there was something wrong with PGP and it was crackable. Can't claim the actual title to be fair but remember that the article was stating that PGP isn't a safe option.
I guess you read something about the EFAIL vulnerability like it's explained in this article.

According to the article, it is possible to decrypt a PGP encrypted email if it gets intercepted or stolen from a computer or a server. But to do that, a custom HTML modification would need to be inserted in the encrypted email before it gets sent back to the attacker. If performed successfully, this tricks the email software to send back an unencrypted version of the encrypted email back to the attackers. The problem lies in the email clients, and not directly in PGP. The article mentions Outlook and Thunderbird as two email clients vulnerable to this type of attack. At least they were back in 2018.   

The article suggests a mitigation technique. Disable HTML rendering in your email software.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
Oh, well, SMS based 2FA should not be used anyway. I was under the assumption that it's insecure and not to be used for years.
If you use something like FIDO U2F your chances are better.
However, no system is 100% secure, and almost everything will probably be hacked sooner or later. Even with a perfectly secure cryptosystem, you'll have flaws in the implementation for example.
I don't see how 2FA is used in a wallet though. Would this be for online wallets? Because those shouldn't be used in the first place either.
legendary
Activity: 2268
Merit: 18509
It's not 100% safe and that has been proven but that doesn't mean that it's not better than nothing.
It actually might mean it's not better than nothing. In the case of the recent Coinbase hack, due to a vulnerability in their SMS system, attackers who could intercept users' SMS messages (which we know is very easy to do) were able to gain access to their Coinbase accounts and steal all their coins.

2FA is better than nothing, if someone hacks our account
2FA should be mandatory on all your online accounts which hold anything sensitive or valuable, especially any accounts holding bitcoin. But that 2FA should never be either SMS or email based. As we've seen, SMS messages are sent unencrypted through an unknown number of intermediaries before they reach you, can be intercepted at any point along the way, and your phone number can easily be transferred to an attacker with a SIM swap attack. Email also isn't secure, as if someone compromises your email account then they can both reset your exchange account password and receive any 2FA email, meaning both your factors have the same single point of failure. 2FA should be at a minimum a 2FA app, preferably on a phone you never use to access the accounts in question (since again, if an attacker unlocks your phone, they can log in to your account through the saved credentials and access the relevant 2FA code, meaning both your factors have the same single point of failure). The best option is to use a hardware key such as a yubikey. Some hardware wallets also offer this function.
legendary
Activity: 3430
Merit: 10505
Can't claim the actual title to be fair but remember that the article was stating that PGP isn't a safe option.
Interesting, but in my experience these insecurities are almost always related to the implementation of the algorithm, not the algorithm itself. Otherwise the underlying cryptography is secure; it is using RSA and ECC, and the last one is basically what we are using in bitcoin too and is secure when used correctly (choose a secure EC curve, a strong hash algorithm, etc.).
HCP
legendary
Activity: 2086
Merit: 4314
Sim swapping has been an issue forever.

It still bothers me that there are services that insist on using either email or SMS as part of a 2FA system, as they're so easily exploitable. I really wish more services would use TOTP as standard. While not perfect, they are much better than email or SMS.
legendary
Activity: 1134
Merit: 1597
Let's not even mention those "hacks" done with the actual help of carriers by replacing the real owner's SIM card with a perpetrator's new one as well. SIMs are never safe. I think that anything going through a centralized method is going to have a flaw found sooner or later. Just the fact that those carriers know your 2FA before actually sending it to you is scary enough. Use offline as much as possible for security, and by offline I mean anything that sits only in your local storage and never communicates with external servers/satellites/whatever.
hero member
Activity: 2198
Merit: 847
It's not 100% safe and that has been proven but that doesn't mean that it's not better than nothing. I have also read back in 2018 that there was something wrong with PGP and it was crackable. Can't claim the actual title to be fair but remember that the article was stating that PGP isn't a safe option.
We live in the era of IT and still we are new in it, it's full of surprises and will even be!

That's not the end! Can you remember how secure houses were decades ago? And can you recall how secure they are right now? There is a huge difference, right? In the past you could burn any house; right now elite houses have superior protections. Again, it's not the end! Very sad but what's done is done. 2FA is better than nothing; if someone hacks our account, I hugely, hugely doubt that that will be a person who had access to that company's database.
sr. member
Activity: 280
Merit: 252
Signal for messages. Doesn't protect your wallet, though. This is proof that 2FA is just annoying.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
It never was. And no matter how much you want to think otherwise YOU were probably part of this breach.
That's correct, billions of messages over 5 years.

https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked

Quote
The company wrote that it discovered the breach in May 2021, but that the hack began in May of 2016.

Go ahead, send nudes to your partner. I'll just download them and look at them later. I am busy taking some money out of your accounts at the moment.

-Dave
