Cybersecurity

7598 readers

66 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago

MODERATORS

[email protected]

Two Factor Insecurity: How Google, Amazon, Meta and thousands of other companies leave customers vulnerable over one-time codes to save time and money (www.lighthousereports.com)

submitted 6 days ago by [email protected] to c/[email protected]

6 comments fedilink hide all child comments

cross-posted from: https://scribe.disroot.org/post/3159641

Archived version

Across the world, phone networks carry billions of passwords and login codes on a daily basis. Tech companies need to keep their subscribers logged in to their apps and accounts with maximum efficiency, wherever they might be. So these security codes need to get from Silicon Valley to everywhere, as quickly (and as cheaply) as possible. For most people they are a necessary annoyance, until they are breached with damaging consequences.

Companies, including banks and Big Tech, don’t send login codes to their customers directly. This would be costly and inefficient. Instead they rely on a sprawling and opaque network of contractors and subcontractors, each of which promises to shave off a part of the sending cost in return for market share. This is what the industry calls “lowest cost routing”. The catch is that any of these middleman companies can see everything transmitted. The codes that come saying “Do not share with anyone” might in fact already have been shared with more or less anyone.

...

Lighthouse obtained a cache of almost 100 million data packets from a phone industry source. The data gave a unique insight into telecom traffic passing through the network of a controversial Swiss outfit. Millions of these packets contained “A2P” (application-to-person) SMS messages. We analysed these to identify senders, recipients and type of message content.

We found millions of sensitive security codes and logins getting sent via Fink Telecom Services. The logins related to services from some of the world’s largest tech companies – including Google, Meta and Amazon; banks and crypto exchanges; dating sites and online marketplaces; and messaging apps including WhatsApp, Viber and Signal. Overall we identified over 1000 companies sending logins to their customers via the network run by maverick telecom entrepreneur Andreas Fink. The text messages we were looking at often told us the account names as well as the login codes and phone numbers.

...

top 6 comments

sorted by: hot top controversial new old

[–] [email protected] 2 points 2 days ago

I'm tired with all the copy/pasting or typing codes. Let's switch to passkeys/passwordless and be done with it already.

[–] rekabis 12 points 6 days ago

Any and all transmission of either 2FA or login links over either SMS or eMail should be made completely illegal. Neither distribution method is secure to any degree.

Similarly, login confirmation or pseudo-2FA through a single vendor-owned app should also be made illegal. People should be able to use the 2FA app of their choice to provide one-time codes.

For the second paragraph, an ideal example would be Telus, a Canadian ISP. The only way to use 2FA is to use THEIR app. Well, what if I don’t want their app on my phone? Too bad, so sad, it’s their only way of providing 2FA. They’ve reinvented security, likely with plenty of flaws and pitfalls that wouldn’t exist with a public 2FA service.

[–] [email protected] 9 points 6 days ago (1 children)

What measures can we have to increase our independency on the se contractors but without skipping protection? Is a physical key enough?

[–] Album 15 points 6 days ago (1 children)

It's as simple as not getting OTPs via SMS or email.

Use a 2fa app where you manage the pre shared key and provide it once and then there's is no transmission of keys from the provider. A hard key is effectively the same.

[–] [email protected] 1 points 5 days ago

Great, thanks!

[–] [email protected] 7 points 6 days ago

This is precisely why all the banks I am with use their own app for 2FA rather than send codes via SMS. Even our government services system (myGov) has an app you can use instead of SMS.

Of course, none of these are completely secure, but it's a significant step up from plaintext SMS.