Comment on Millions of people imperiled through sign-in links sent by SMS
artyom@piefed.social 2 days agoSMS 2FA is TOTP
You know what I meant.
And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password
And anyone can get the keys to your phone number much more easily using the methods detailed in the OP.
irotsoma@piefed.blahaj.zone 1 day ago
That’s the thing though, with SMS 2FA you don’t have the keys at all, so you can’t generate codes, you only get the code you intercept. Same with email based, but with sms, the message has to be intercepted in a timely manner, which is much more difficult for SMS than if they already have your password that’s used for your email account. Plus the issues with SMS not being encrypted only really exists on 2G services which they really need to get rid of, or at least disable at the account level so 2G only works for emergency calls. 4G and up are significantly more secure (not perfect but requires much more complex hardware and knowledge of secrets from the cell company) and generally require the hacker to be masquerading as the user on the cellular network. Otherwise, hack the cell provider which is how a lot of the archived messages they mentioned are retrieved, because, yeah, they usually aren’t stored encrypted. But if the TTL of the TOTP code is 10-60minutes and single use as well as invalidated once a new code is sent like a bank or really any decent system should, archived message caches aren’t useful.
The issue mentioned in the article is totally separate. These are links that you can log in without needing to even know a username, much less a password, associated with that code. Guessing a random code generated for a specific account is much more difficult, not to mention needing the password. The article is more hypothetical in the actual security of the SMS messages going to a particular phone for a particular account and more about how bad the links being generated are since if you get one link from any insecure sms message you can access many random accounts as well as the one you intercepted and no other factor, even user id, is needed to use the links. So you can send one code just to your own account and then use that to hack others without even having to intercept anything nefariously.
artyom@piefed.social 1 day ago
I don’t understand what you mean by “keys” here. Nothing in encrypted. You generate codes by initiating the login process.
There is no encryption in SMS…
They don’t usually hack anything except the humans working at the carrier’s service provider.
You don’t need archived messages. The most common method is sim swap. Where they stay receiving your sms messages.
Yes but all those same attacks are vulnerabilities mfa as well, as I said previously.
irotsoma@piefed.blahaj.zone 1 day ago
The way TOTP works is there is a key (usually in the form of a QR code) for TOTP apps. That key is stored in your TOTP app locally, but also often stored I’m the cloud of you use Google’s app. Codes are generated using that key and the current timestamp. Otherwise a valid code can’t be generated.
The messages aren’t encrypted at rest but, the connections are. You need a key in the physical sim card to intercept anything. You can’t just intercept and duplicate a sim card’s identifier like with 2G. No casual hacker is going to hack LTE or newer technologies, only professionals like governments and government backed spy agencies. Not saying it’s as secure as OT should be, but the effort and cost is not worth it most of the time.
And sim swap only works if you also have the person’s username and password for 2fa. For the issue mentioned in the article it does work because you dont need any knowledge or other factor other than the message itself to login. Single factor logins with not even needing to have a username, much less a password, are obviously going to be an issue, which is why I’m emphasizing, I’m interested in 2FA like a bank might use, not the issue mentioned in the article which is totally different.
artyom@piefed.social 1 day ago
Okay I thought you were still talking about SMS.
No you do not. Most phones don’t even have this anymore.
Yes, and for the 3rd time, all the same vulnerabilities exist in MFA.