Re: Malicious SS7 activity and why SMS should never by used for 2FA

[Tom Beecher <beecher () beecher cc>]

> Can you point out the specific data you think supports your claim?

I can, but I'm not going to, because that's not what this side discussion
has been based on.

You said :

These low-income people are not the targets of identity thieves, spear
> fishers, or data ransomers.


I just showed you data that shows they are, but now are trying to move the
goalposts with new quantifiers. I think this discussion has run its course
for me. Take care.

On Mon, Apr 19, 2021 at 10:45 AM Mel Beckman <mel () beckman org> wrote:

> I don’t see any data showing that poor people are *targets* of Account
> access attacks. Can you point out the specific data you think supports your
> claim?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:33 AM, Tom Beecher <beecher () beecher cc> wrote:
>
> 
>
> https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf
>
> https://www.bjs.gov/content/pub/pdf/vit18.pdf
>
>
>
>
> On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel () beckman org> wrote:
>
> > Can you cite data? Or provide a rational argument other than “they are”?
> >
> > -mel via cell
> >
> > On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher () beecher cc> wrote:
> >
> > 
> >
> > > These low-income people are not the targets of identity thieves, spear
> > > fishers, or data ransomers.
> >
> > This is patently false. Low-income / disabled / minority / non-english
> > speakers are absolutely targets of scams like those, and in
> > significant numbers.
> >
> >
> >
> > On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel () beckman org> wrote:
> >
> > > Tom,
> > >
> > > Well, yes, not everyone can afford all technology options. That’s life.
> > > One has to wonder how someone who needs to protect online accounts cannot
> > > afford a $30 hardware token (which can be shared across several accounts).
> > > These low-income people are not the targets of identity thieves, spear
> > > fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
> > > as a 2FA token. In this case I don’t think we have ignored low-income
> > > users, for the same reason that home alarm security aren't ignoring
> > > low-income users who can’t afford their products. It’s certainly no reason
> > > to hobble security for the rest of us.
> > >
> > >  -mel
> > >
> > >
> > > On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher () beecher cc> wrote:
> > >
> > > HW tokens are great, sure.
> > >
> > > Except there is a lot of overlap in the Venn diagram between those who
> > > still use feature phones and those that spending $30 on said hardware token
> > > is financially obtrusive. ( Not to mention that every hardware token I can
> > > remember looking at requires an app to set themselves up in the first
> > > place, and if this is for the people who can't install apps, that's an
> > > interesting circular dependency. )
> > >
> > > I'm not arguing for or against anything here honestly. I'm just pointing
> > > out that we ( as in the technical community we ) have a tendency to put
> > > forward solutions that completely ignore what might be reasonably feasible
> > > for those of lower income , or parts of the world not as technologically
> > > developed as we might be in ourselves, and we should try to shrink that gap
> > > whenever possible, not make it worse.
> > >
> > > On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel () beckman org> wrote:
> > >
> > > > Then they can buy a hardware token. Using SMS is provably insecure, and
> > > > for people being spear-phished (a much more common occurrence now that so
> > > > much net worth data has been breached), a huge risk
> > > >
> > > >  -mel
> > > >
> > > > On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher () beecher cc> wrote:
> > > >
> > > > 
> > > >
> > > > > As far as I know, authenticators on cell phone apps don’t require the
> > > > > Internet. For example, the Google Authenticator mobile app doesn't require
> > > > > any Internet or cellular connection
> > > >
> > > > Lots of people still use feature phones that are not capable of running
> > > > applications such as this.
> > > >
> > > > On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel () beckman org> wrote:
> > > >
> > > > > As far as I know, authenticators on cell phone apps don’t require the
> > > > > Internet. For example, the Google Authenticator mobile app doesn't require
> > > > > any Internet or cellular connection. The authenticated system generates a
> > > > > secret key - a unique 16 or 32 character alphanumeric code. This key is
> > > > > scanned by GA or can be entered manually and as a result, both the
> > > > > authenticated system and GA know the same secret key, and can compute the
> > > > > time-based 2nd factor OTP just as hardware tokens do.
> > > > >
> > > > > There are two algorithms: HOTP and TOTP. The main difference is in OTP
> > > > > expiration time: with HOTP, the OTP is valid until it hasn’t been used;
> > > > > TOTP times out after some specified interval - usually 30 or 60 seconds.
> > > > > For TOTP, the system time must be synced, otherwise the generated OTPs will
> > > > > be wrong. But you can get accurate enough clock time without the Internet,
> > > > > either manually using some radio source such as WWV, or by GPS or cellular
> > > > > system synchronization.
> > > > >
> > > > >  -mel
> > > > >
> > > > > > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
> > > > > >
> > > > > > 
> > > > > >
> > > > > > > On 4/18/21 05:18, Mel Beckman wrote:
> > > > > > >
> > > > > > > No, every SMS 2FA should be prohibited by regulatory
> > > > > certifications. The telcos had years to secure SMS. They did nothing. The
> > > > > plethora of well-secured commercial 2FA authentication tokens, many of them
> > > > > free, should be a mandatory replacement for 2FA in every security
> > > > > governance regime, such as PCI, financial account access, government web
> > > > > portals, etc.
> > > > > > While I agree that SMS is insecure at the moment, I think there
> > > > > still needs to be a mechanism that does not rely on the presence of an
> > > > > Internet connection. One may not be able to have access to the Internet for
> > > > > a number of reasons (traveling, coverage, outage, device, money, e.t.c.),
> > > > > and a fallback needs to be available to authenticate.
> > > > > > I know some companies have been pushing for voice authentication for
> > > > > their services through a phone call, in lieu of SMS or DTMF-based PIN's.
> > > > > > We need something that works at the lowest common denominator as
> > > > > well, because as available as the Internet is worldwide, it's not yet at a
> > > > > level that one would consider "basic access".
> > > > > > Mark.