artyom

@artyom@piefed.social

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Remedy's new CEO is a former sports betting guy and EA executive who aims to 'scale Remedy in a way that builds lasting value'⁩ ⁨⁨21⁩ ⁨hours⁩ ago⁩:
Fuuuuuuck 😭
⁨Comment⁩ on ⁨[meta] Wanted: Bad Bunny's Super Bowl halftime show, with English subtitles _and_ cultural refernce notes⁩ ⁨⁨1⁩ ⁨day⁩ ago⁩:
I mean I often can’t understand English lyrics either.
⁨Comment⁩ on ⁨GOG caught using AI tools, head of product tweeting AI Instagram scams⁩ ⁨⁨3⁩ ⁨days⁩ ago⁩:
tl;dw?
⁨Comment⁩ on ⁨Donald Trump just shared an AI video to Truth Social depicting Barack and Michelle Obama as monkeys⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
I love how everything Donnie does is a 4D strategy “to distract us” from the last shitty thing he did. No, it’s not a distraction, he’s just a piece of shit.
⁨Comment⁩ on ⁨Meet UpScrolled, the anti-censorship TikTok alternative⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
Ok so they’re just lying then.
⁨Comment⁩ on ⁨Video games, random friend requests, and scammers!⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
That doesn’t sound random at all and if they were a scammer they’d probably have tried to scam you by now.
⁨Comment⁩ on ⁨Meet UpScrolled, the anti-censorship TikTok alternative⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:

It claims to be a platform with “no censorship”

So they don’t censor CSAM?
⁨Comment⁩ on ⁨Clickbait is Unreasonably Effective⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
YT allows for A/B testing of titles and thumbnails but a couple hours later, that testing ends and the title remains the same.
⁨Comment⁩ on ⁨Clickbait is Unreasonably Effective⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
This video is actually not clickbait. The entire thing is exactly what the title describes.
⁨Comment⁩ on ⁨A bullet-proof safe room designed to protect students during school shootings⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Your kids are like 10k times more likely to die in a car collision but no one seems concerned about that…
⁨Comment⁩ on ⁨Alex Honnold free-solos Taipei 101 skyscraper in Taiwan⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
This looks like it was probably the easiest climb of his life haha
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

so it does that job

It does, really poorly, for the reasons I’ve listed, and for the reasons in the OP.

With the issue in the article you dont even need to intercept sms meant for a particular user to get access to random users’ accounts, thus totally different issue.

Not a different issue at all. Exact same issue, with lower risk.

I asked, what is better for a second factor than SMS?

I answered this like 12 comments ago.

We’re going around in circles now so I’ll bid you good night.
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

If you dont have the username and password, what good does an sms code do for anything?

The entire point of MFA is to protect against someone who does have your username and password…
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

The way TOTP works

Okay I thought you were still talking about SMS.

The messages aren’t encrypted at rest but, the connections are. You need a key in the physical sim card to intercept anything

No you do not. Most phones don’t even have this anymore.

And sim swap only works if you also have the person’s username and password for 2fa

Yes, and for the 3rd time, all the same vulnerabilities exist in MFA.
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

That’s the thing though, with SMS 2FA you don’t have the keys at all, so you can’t generate codes

I don’t understand what you mean by “keys” here. Nothing in encrypted. You generate codes by initiating the login process.

Plus the issues with SMS not being encrypted only really exists on 2G services

There is no encryption in SMS…

hack the cell provider

They don’t usually hack anything except the humans working at the carrier’s service provider.

archived message caches aren’t useful.

You don’t need archived messages. The most common method is sim swap. Where they stay receiving your sms messages.

These are links that you can log in without needing to even know a username, much less a password, associated with that code

Yes but all those same attacks are vulnerabilities mfa as well, as I said previously.
⁨Comment⁩ on ⁨⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
What about it
⁨Comment⁩ on ⁨How GOG fixed Cold Fear | GOG Tech Talk⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Is this something that you know, or just a best guess?
⁨Comment⁩ on ⁨How GOG fixed Cold Fear | GOG Tech Talk⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Not technologically, legally.
⁨Comment⁩ on ⁨How GOG fixed Cold Fear | GOG Tech Talk⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I know they do but always wondered how but that’s a good guess!
⁨Comment⁩ on ⁨How GOG fixed Cold Fear | GOG Tech Talk⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I think they meant that they wish Valve would also do this.
⁨Comment⁩ on ⁨How GOG fixed Cold Fear | GOG Tech Talk⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Yeah but how? Haha
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

SMS 2FA is TOTP

You know what I meant.

And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password

And anyone can get the keys to your phone number much more easily using the methods detailed in the OP.
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
TOTP or passkey are my preferred MFA options
⁨Comment⁩ on ⁨How GOG fixed Cold Fear | GOG Tech Talk⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Someone explain how gog is about to patch software that they don’t own?
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
It’s pretty bad everywhere but people don’t realize the level of surveillance in China is on a whole other fucking level.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
They keep out other options so that they can support American businesses.
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
All of the same reasons for single factor also apply to MFA.

It’s also dependent on other services, is a privacy violation, and a giant fucking pain in the ass if you ever want to change your phone number, or like me, you have service issues.

There are many other alternate, more secure, more convenient, more resilient options.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
All the Chinese EV OEMs got a huge uplift after Elon was dumb enough to open a factory there…
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Same. Most of them don’t allow it.
⁨Comment⁩ on ⁨Millions of people imperiled through sign-in links sent by SMS⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

2FA via SMS is a perfectly fine solution

Completely disagree