Comment on Millions of people imperiled through sign-in links sent by SMS
artyom@piefed.social 1 day agoThat’s the thing though, with SMS 2FA you don’t have the keys at all, so you can’t generate codes
I don’t understand what you mean by “keys” here. Nothing in encrypted. You generate codes by initiating the login process.
Plus the issues with SMS not being encrypted only really exists on 2G services
There is no encryption in SMS…
hack the cell provider
They don’t usually hack anything except the humans working at the carrier’s service provider.
archived message caches aren’t useful.
You don’t need archived messages. The most common method is sim swap. Where they stay receiving your sms messages.
These are links that you can log in without needing to even know a username, much less a password, associated with that code
Yes but all those same attacks are vulnerabilities mfa as well, as I said previously.
irotsoma@piefed.blahaj.zone 1 day ago
The way TOTP works is there is a key (usually in the form of a QR code) for TOTP apps. That key is stored in your TOTP app locally, but also often stored I’m the cloud of you use Google’s app. Codes are generated using that key and the current timestamp. Otherwise a valid code can’t be generated.
The messages aren’t encrypted at rest but, the connections are. You need a key in the physical sim card to intercept anything. You can’t just intercept and duplicate a sim card’s identifier like with 2G. No casual hacker is going to hack LTE or newer technologies, only professionals like governments and government backed spy agencies. Not saying it’s as secure as OT should be, but the effort and cost is not worth it most of the time.
And sim swap only works if you also have the person’s username and password for 2fa. For the issue mentioned in the article it does work because you dont need any knowledge or other factor other than the message itself to login. Single factor logins with not even needing to have a username, much less a password, are obviously going to be an issue, which is why I’m emphasizing, I’m interested in 2FA like a bank might use, not the issue mentioned in the article which is totally different.
artyom@piefed.social 1 day ago
Okay I thought you were still talking about SMS.
No you do not. Most phones don’t even have this anymore.
Yes, and for the 3rd time, all the same vulnerabilities exist in MFA.
irotsoma@piefed.blahaj.zone 1 day ago
I was talking about sms. All types of cryptographic code generation uses one or more keys. The sms type just uses one that only the sender holds, it’s never shared with anyone which can cause it to be more easily lost.
The sim cards and their cryptographic keys are just built into the phones, and the codes are swapped when you sign up, same concept as renovable sim cards.
And again, it doesn’t matter of a sms code is intercepted as much as the entire login method. If you dont have the username and password, what good does an sms code do for anything? The issue in the article is that there’s nothing else to know, just the current format of the set of codes being generated by the system. Then you can randomly guess a similar code and get access to a random person’s account. Much, much different from the use MFA which is worthless without ALL of the factors, not just a single one.
artyom@piefed.social 1 day ago
The entire point of MFA is to protect against someone who does have your username and password…