cross-posted from: https://lemmy.ml/post/46348914
TIL your phone apparently does no or easily spoofed authentication of the identity of the base station it decides to connect to. Anyone know more about this and how it’s possible?
I have zero trust in any company that uses 2FA over SMS.
A few years ago all banks were supposed to move to that, I was so unhappy with that. I sent so many emails to my back bencher do nothing MP the heads of the financial institutions I was using complaining about this saying how easy it was to spoof text messages or high jack peoples numbers, I considered doing some of the spoofing to them but decided better not.
Yesterday, or the day before, my Credit Union started offering TOTP I was so giddy and excited! I figured out how to add all my keys that I was using in Raivo, because the app has sorta gone to poop town, onto my self hosted Vaultlocker. You cannot believe how happy I was today the first time I needed to use one of those numbers and I was able to open up Bitlocker on my phone and use the number today.
My place flooded so a little more than half of my one level is to the sub floor my office has a lot off “stuff” stuff into it and I have been living out of my bedroom, home labing went from a hobby to something to keep me sane.
TOTP is both more secure and cheaper to implement since you don’t have to pay for text messages or directly communicate with the 2FA device in general. Honestly whenever some obsecure app or website demands my phone number as the only 2FA option I immediately assume it’s a front to get my phone number for data brokerage. Like no way does a random online game or something care so much about security to demand 2FA but then proceed to choose the least secure and hardest to implement option. There’s another reason.
My bank (RBC) does, but luckily they also give me other options to choose from.
Tangerine doesn’t, and they also can’t get their website to work on firefox lol.
If your website requires a specific browser then you do websites wrong
Should work. Although I’ve had authentication problems with Tangerine with Chrome and Firefox.
I’ve never had a problem with their website on Firefox. What issues do you have?
It says the service is unavailable after entering my username/account numbers.
Damn. That sucks.
Ditto
Only a problem if you follow random links you get in your messages. So old people and the technologically illiterate.
Maybe. There’s lots of ways to get someone to lower their guard though.
So old people and the technologically illiterate.
Or anyone else who has a distracted momentary lapse of judgement.
Plenty of tech savvy younger people who should know better fall victim to those scams too.
No one in the western world who has a smart phone is not aware of phone scams. Everyone has been told not to trust random links in text messages, usually by the banks and businesses that are being used in these scams, but 'just this time, it looks safe, they’ve always been safe before."
This kind of online-safety thinking needs to be drilled into people like wearing seatbelts and brushing your teeth.
No one in the western world who has a smart phone is not aware of phone scams.
Yet people still fall for them every day.
I don’t even click links from people I know!
You might be more paranoid than I am, but I check every unexpected link from messages claiming to be businesses if I open them at all. Usually I’ll go to their website and check for what the message claims if it seems plausible.
Especially when they spoof the phone number to be from official numbers. Your first instinct is probably to check if the number really belongs to CRA/Canada Post/etc, and while the idea of being asked for payment via text in general should set off your suspicision, a genuine number could easily convince enough people to make a profit. Basically like the social engineering version of spoofing a TLS identity via a compromised certificate authority.
If I have the time I waste those scammers time, it is so rare that I get one of those calls now a days, maybe once every few years.
If they have enough of your voice they can AI it though.
My number got black listed years ago on many of those scammer lists, the last time I had time to waste on one of those calls, they where calling a cell phone I had for work (Statistics Canada at the time, I sadly no longer work with there) and they where saying something had leaked and they where from the Government of Canada I so wanted to waste their time as I drove across town for a work meeting.
You might want to start here: https://en.wikipedia.org/wiki/OpenBTS
