
posted by cmn32480 on Friday August 05 2016, @11:51PM   Printer-friendly
from the you-mean-plain-text-isn't-safe dept.

An article in TechCrunch describes changes that the National Institute of Standards and Technology (NIST) is considering to its Digital Authentication Guideline:

For now, services can continue with SMS as long as it isn't via a service that virtualizes phone numbers — the risk of exposure and tampering there might be considered too great. NIST isn't telling for now, but more info will come out as the comment period wears on. But before long all use of SMS will be frowned on, as the bolded passage clearly indicates.

Additional comments are available on Bruce Schneier's blog.

  • (Score: 2) by jmorris (4844) on Saturday August 06 2016, @02:10AM (#384679)

    I'd guess one of the things they worry about is number portability. For example, when I ported my home phone from AT&T to h2o (an MVNO reselling AT&T) nobody from AT&T called to verify the request. Helped move another number from a Net10 cellphone and again nobody called to verify. Would be interested to hear if anybody here has moved a number and actually been contacted before your existing carrier released the number. And hijacking VOIP is going to be just as easy, plus the VOIP switches are connected directly to the Internet and are vulnerable to all the usual attacks any *NIX system is subject to. Get root on one of those and you get a lot of customers.

    Now consider how many VOIP providers and MVNO outfits are out there, and that they all have to be plugged directly into the phone system. All the security in the world on the link between the SIM card and the cell network won't help if the switch above the cell-specific networking layers can be told to forward your number somewhere else for a couple of minutes. It doesn't take long for somebody to capture the OOB PIN code to change the password on your bank account, brokerage account, or even a Photobucket or Instagram account if there is juicy stuff in it worth stealing... celebrity nude selfies anyone? How easy is it to do that from top-level access at a phone company? How many people even know? And how many zero-day exploits are there in that inter-telco interface code that almost nobody has ever seen or audited? NIST is right to worry.

    Now on the other hand, an SMS is much better than nothing and is probably good enough for a lot of use cases, especially if the user can't be talked into buying a security token or even installing a frickin' free (F-Droid, Google Play, Apple App Store) app like FreeOTP (formerly Google Authenticator).

  • (Score: 2) by theluggage (1797) on Saturday August 06 2016, @11:02AM (#384737)

    > especially if the user can't be talked into buying a security token or even installing a frickin' free (F-Droid, Google Play, Apple App Store) app like FreeOTP (formerly Google Authenticator).

    I'd love more services to try and talk me into using such things (and for fewer services to insist on knowing my first cat's maiden name).

    Currently, my main bank account gives me a Chip & PIN reader for my debit card, and uses it for challenge-response checks for adding new payees; Apple offers a 2-factor system using newer iOS devices (but which still requires an SMS message to 'bootstrap' or to use on an older device) - and that's about it.

    Personally, I'd rather not use a phone as my "token" anyway as it's the personal possession I'm most likely to lose.

    • (Score: 0) by Anonymous Coward on Saturday August 06 2016, @12:11PM (#384742)

      > ... for my debit card, ...

      Am I missing something here? When a card is needed instead of cash (e.g., renting a car effectively requires a card), I thought debit cards were to be avoided and credit cards were the way to go?

      • (Score: 2) by Scruffy Beard 2 (6030) on Saturday August 06 2016, @03:33PM (#384769)

        Debit cards don't work for car rentals. Ask me how I know. :P

        Credit card companies (banks) like it that way.

        With debit cards, you are not going into debt with every purchase. That is why you pay the fees instead of the merchant.

      • (Score: 3, Informative) by theluggage (1797) on Saturday August 06 2016, @04:58PM (#384788)

        > Am I missing something here?

        Yes. This isn't about using the card for online shopping (where a credit card may have certain legal advantages): it's about an additional authorisation factor for online banking & direct money transfers.

        Basically, I can go online to get statements, move money between my accounts and make money transfers to registered payees with just the usual sort of password login, but if I want to register a new payee, the website sends me a challenge code: I need to plug my Chip & PIN debit card into the reader (think: cheap calculator with a card slot, not linked to the computer), unlock it with the card PIN, punch in the challenge and then type the resulting response into the computer. So, someone who hacks my online banking account can cause a fair amount of havoc, but they can't add themselves as a payee and transfer out large sums without my card.

        NB: "Chip & PIN" is the system that has been working nicely in the UK, EU and elsewhere for the last decade whereby all debit/credit cards now have an embedded chip that can do challenge/response authentication once unlocked by the user's PIN (and therefore means that everybody has a handy token that could be used for 2-factor auth). I believe that, in the US, this system is known as "terminal out of order - please swipe card and sign", and PINs are somehow associated with the Number of the Beast - which is probably why the major online retailers don't support card readers (can't see why that would be hard - they already mostly re-direct you to the card company website for SecureCode/Verified By Visa/etc).
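A constructed model of the challenge-response flow described in the comment above (an added example, not the commenter's code and not the real EMV CAP protocol): the bank issues a one-shot numeric challenge, the card only produces a response after a correct PIN (with a retry counter), and the bank rejects replayed responses. The card key and PIN are sample values.

```python
import hmac
import hashlib
import secrets

# Constructed model: a PIN-unlocked "card" computes a short response over a
# bank-issued challenge, nothing passes over the phone network. Not EMV CAP.

class Card:
    """Simulated chip: holds a per-card secret and a PIN retry counter."""
    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key = key
        self._pin = pin
        self.tries_left = max_tries
        self.unlocked = False

    def unlock(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False  # card is blocked after too many wrong PINs
        if hmac.compare_digest(pin, self._pin):
            self.unlocked = True
            return True
        self.tries_left -= 1
        return False

    def respond(self, challenge: str) -> str:
        if not self.unlocked:
            raise PermissionError("card is locked")  # no response without PIN
        return _response(self._key, challenge)

def _response(key: bytes, challenge: str) -> str:
    """8-digit response: truncated HMAC-SHA256 of the challenge, OTP-style."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Bank:
    """Bank side: shares the card key and tracks unused challenges."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> str:
        c = f"{secrets.randbelow(10**8):08d}"
        self._pending.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used challenge (replay)
        self._pending.discard(challenge)  # one-shot: consume before checking
        return hmac.compare_digest(response, _response(self._key, challenge))
```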

  • (Score: 2) by Scruffy Beard 2 (6030) on Saturday August 06 2016, @03:38PM (#384770)

    That may explain why I was not able to port my number from diamondcard.us: it had stopped working. That was why I was switching providers!