• DirigibleProtein@aussie.zone
    1 year ago

    Of course it’s avoidable! Phone spoofing has been known to be a vulnerability for years, yet so many companies still insist on using SMS for 2FA “for security”. ffs, if you are concerned about security, use a proper TOTP or HOTP, or a hardware token.

  • hey_frankie@aussie.zone
    1 year ago

    I think the fault lies squarely in the hands of telcos. They’re meant to send you an SMS or call you to confirm any port before it happens. If they’re not following those rules they should be held liable.

    On another note I wish banks and other financial institutions would provide other 2FA options in addition to SMS. It’s just crazy that I have better security tech on my Steam account than my bank account.

    • Gloomy Bagel 🥯 @aussie.zone
      1 year ago

      But they call and pretend to be you and get the number ported to the SIM they have.

      Check out the Hot Swaps episode of Darknet Diaries.

      • a1studmuffin@aussie.zone
        1 year ago

        But shouldn’t part of that process involve verifying that the customer on the phone is currently in possession of the number? I.e. sending a text with a code and having you read the code back to them. Perhaps they manage this by fooling the victim into giving them that info through some other method.

        Edit: thanks for the podcast recommendation btw, subscribed and downloading now!

  • surreptitiouswalk@aussie.zone
    1 year ago

    It’s funny in a sad way that 2FA was supposed to be really secure, but like all other security, the human element is the biggest weak point, and the custodians of it (telcos) are asleep at the wheel.

    • shirro@aussie.zone
      1 year ago

      2FA works. It is supposed to be something you know (password) and something you control (like a secure hardware key or app). The problem is people don’t control their phone numbers, the telcos do.

    • Zagorath@aussie.zone
      1 year ago

      It’s worth noting that 2FA is still a security improvement. Using SMS for 2FA doesn’t introduce any vulnerabilities compared to no 2FA. It’s just not nearly as good as doing 2FA using a TOTP app or dongle. Or using hardware security tokens like FIDO2.