
posted by martyb on Monday August 20 2018, @04:36PM
from the something-only-YOU-have-know-are dept.

Submitted via IRC for Fnord666

If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.

Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

Source: https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft



Related Stories

New York Teen Alleged Mastermind Behind $23.8m Crypto Heist

New York Teen Masterminds $23.8m Crypto Heist:

An American cryptocurrency investor is suing a New York high school senior over the theft of $23.8m in digital currencies.

Michael Terpin has filed a civil complaint against 18-year-old Ellis Pinsky alleging that in 2018, at the tender age of 15, Pinsky masterminded a plot to defraud Terpin out of millions.

Pinsky was allegedly the leader of what Terpin described as a "gang of digital bandits" who stole from multiple victims after using SIM swapping to gain control of their smartphones.

[...] In May last year, Terpin won a $75.8m civil judgement in a California state court in a related case against an alleged associate of Pinsky, Nicholas Truglia, who has faced criminal hacking charges. Now Terpin is gunning for Pinsky, seeking triple damages of $71.4m.

According to Reuters, court records show that Terpin is also suing his carrier AT&T Mobility in Los Angeles for $240m.

To his classmates at Irvington High School, Pinsky was an unremarkable individual who achieved decent grades and liked playing soccer.

At the time of the alleged crypto-heist, Pinsky was living in a $1.3m home he shared with his family. An anonymous insider told the New York Post that Pinsky explained his newfound wealth to his parents by saying that he had gotten lucky making Bitcoin online through video games.

The teen allegedly used the stolen money to travel by private jet, purchase an Audi R8, and splash out on the latest sneakers.

Previously:
(2018-08-20) AT&T Gets Sued Over Two-Factor Security Flaws and $23M Cryptocurrency Theft



  • (Score: 3, Insightful) by AndyTheAbsurd on Monday August 20 2018, @04:53PM (6 children)

    by AndyTheAbsurd (3958) on Monday August 20 2018, @04:53PM (#723822) Journal

    This is why you should use hash-based message authentication codes (HMAC); and preferably HMAC-based one time pads.

    These do require the sharing of a secret key, but it only needs to be shared once per device that will be generating one-time passwords, limiting the attack vectors.

    Doing "two-factor authentication" via something so easily socially-engineered as a phone (even a text message) just seems...I don't know...sketchy?

    --
    Please note my username before responding. You may have been trolled.
    • (Score: 2) by Thexalon on Monday August 20 2018, @05:13PM (3 children)

      by Thexalon (636) on Monday August 20 2018, @05:13PM (#723828)

      Doing "two-factor authentication" via something so easily socially-engineered as a phone (even a text message) just seems...I don't know...sketchy?

      It's an improvement over not doing any alternate verification at all. For instance, the Clinton 2016 campaign probably really wishes they had had even the text-message-based 2-factor authentication, because their staff's passwords were compromised via a spearphishing attack which wouldn't have worked had the text-message-code requirement been in place.

      A much better solution is a hardware keyfob device, e.g. SecurID [rsa.com], where the code is changing every minute or so and in order to log in you need both that code and the user-generated password, and the system doesn't make it obvious to someone who wasn't told how to combine the password and the keyfob code. An intercepted or captured password still doesn't get you in, and it's relatively easy to replace a missing keyfob. It would of course get really inconvenient to have a separate keyfob for every single thing you need to be able to log into, though.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 0) by Anonymous Coward on Monday August 20 2018, @05:28PM

        by Anonymous Coward on Monday August 20 2018, @05:28PM (#723835)

        It took a pretty spectacular, but ultimately rather basic, hack to own SecurID. Are there any tokens around that do not need the below-mentioned gatekeeper scum to operate?

      • (Score: 3, Informative) by nitehawk214 on Monday August 20 2018, @06:06PM

        by nitehawk214 (1304) on Monday August 20 2018, @06:06PM (#723854)

        I have always considered email or phone-based two-factor as "fake two-factor" authentication. It relies on something you know (your password) and something else you know (your phone password or your email address password).

        A phone does not count as "something you have", as messages sent to it can be redirected pretty easily.

        http://thedailywtf.com/articles/WTF-Factor-Authentication [thedailywtf.com]

        --
        "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
      • (Score: 2) by legont on Tuesday August 21 2018, @01:24AM

        by legont (4179) on Tuesday August 21 2018, @01:24AM (#724006)
        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 3, Informative) by KiloByte on Monday August 20 2018, @05:28PM (1 child)

      by KiloByte (375) on Monday August 20 2018, @05:28PM (#723836)

      Doing "two-factor authentication" via something so easily socially-engineered as a phone (even a text message) just seems...I don't know...sketchy?

      The guy had multiple extra layers of protection above that. And, as even the summary states:

      The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

      So AT&T ignored all the specifically requested and enabled protections, just because some random punk without any proof of identity came into a store, in a different state.

      --
      Ceterum censeo systemd esse delendam.
      • (Score: 0) by Anonymous Coward on Monday August 20 2018, @07:03PM

        by Anonymous Coward on Monday August 20 2018, @07:03PM (#723872)

        So AT&T ignored all the specifically requested and enabled protections, just because some random punk without any proof of identity came into a store, in a different state.

        And how do you know that? Maybe he already had multiple IDs? It only says no "scannable ID", but it doesn't mean no ID.

  • (Score: -1, Troll) by Anonymous Coward on Monday August 20 2018, @05:16PM

    by Anonymous Coward on Monday August 20 2018, @05:16PM (#723829)

    what kind of asshat keeps 24 million of his crypto in a web wallet? also, these 2 factor auth systems are all just ways of making you go through these gatekeeper scum like google and authy. they all want your phone numbers so they can track and control you. they could just as easily let you use a random string but nooo, they want your phone company phone number. i wonder why... also, their security and procedures are shit (even if they weren't running a surveillance and control op), as this asshat found out.

  • (Score: 0) by Anonymous Coward on Monday August 20 2018, @05:23PM (1 child)

    by Anonymous Coward on Monday August 20 2018, @05:23PM (#723834)

    Don't give them your phone number then. You know that phone numbers are gold to marketers. Use an obscure email address instead.

    • (Score: 2) by RS3 on Monday August 20 2018, @05:42PM

      by RS3 (6367) on Monday August 20 2018, @05:42PM (#723842)

      Generally I agree and do just that- don't give out my phone number. I don't consider the phone a secure thing AT ALL. Too easily lost or stolen. Some absolutely require a phone number and that you respond to a "text". Of course those people don't get my business, but they don't care because there are enough sheep who will hand theirs out.

  • (Score: 2) by Knowledge Troll on Monday August 20 2018, @05:35PM (24 children)

    by Knowledge Troll (5948) on Monday August 20 2018, @05:35PM (#723839) Homepage Journal

    Is this really AT&T's fault or is this the fault of a company using SMS for 2FA irresponsibly? No phone company I know of gets this right so is suing AT&T for damages the place it belongs or does it belong with the exchange that doesn't require actually secure communication?

    Where is the contractual obligation for AT&T to provide that kind of secure services? Is it reasonable to think that phones can be this secure in any way since they can be hacked outside the phone company and get the same result?

    Fuck AT&T while they die in a fire but even if AT&T gets account ownership under control, hell even if every phone company does, a cell phone still is not fit for this purpose.

    • (Score: 0) by Anonymous Coward on Monday August 20 2018, @06:00PM (4 children)

      by Anonymous Coward on Monday August 20 2018, @06:00PM (#723851)

      Get to Europe.
      Here any account related interaction with a phone company/bank/insurance company/etc starts with an identification. If they can't positively identify you, you can't do jack shit. They will politely tell you that they'd love to help, but "for your own good" there is nothing they can do. See? They assume it is you when they talk to you, but they still need the successful identification.

      If this is over phone, you need to tell them your passcode. No passcode? "Please use the web or get into one of our stores."
      If this is face to face, "papers please".
      If you try to do stuff with an account registered to a business/other org, you need to present an authorization from someone who has the right to sign for the org and they will (should) check the signature on the authorization against a pre-filed signature of the same person.

      I find it fascinating that in the USA a random dude 4 states over can hijack your stuffs by looking sincere.

      • (Score: 2, Funny) by nitehawk214 on Monday August 20 2018, @06:12PM (2 children)

        by nitehawk214 (1304) on Monday August 20 2018, @06:12PM (#723855)

        I had an employee of my bank give a personal thank you for my security question answers.

        Her: "Uhh, what is your mothers maiden name?"
        Me: "Reads off 32 byte hex number."
        Her: "Ok, and where did you go to high school?"
        Me: "Reads another 32 byte hex number."
        Her: "Wow that is correct, this is awesome, thanks!"

        I must be the only customer of the bank that doesn't have an easily hackable account.

        --
        "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
        • (Score: 0) by Anonymous Coward on Monday August 20 2018, @08:31PM

          by Anonymous Coward on Monday August 20 2018, @08:31PM (#723899)

          I do the same.

        • (Score: 4, Interesting) by schad on Tuesday August 21 2018, @12:36PM

          by schad (2398) on Tuesday August 21 2018, @12:36PM (#724139)

          Yeah, I do that too, though not with things I have to read aloud. In many cases, the call center employees... for whatever reason, they're not capable of entering what I tell them. Maybe it's poor call quality, maybe it's poor command of the language, maybe it's something else. But they genuinely struggle just to get a phone number down correctly. There's no hope I'd ever get a 32-character string of numbers and letters through to them. There are few things as frustrating as trying to teach an Indian call center employee a phonetic alphabet.

          I've had far better luck using a bytes-to-words algorithm, like RFC 2289's [ietf.org]. Words survive crappy high-latency VOIP-to-India connections, accents, and language barriers much better.

      • (Score: 2) by Knowledge Troll on Monday August 20 2018, @06:19PM

        by Knowledge Troll (5948) on Monday August 20 2018, @06:19PM (#723858) Homepage Journal

        I would like that - it can be done in the US but only with pre-paid carriers who work off PIN - if you can't give them the PIN you can't do anything but pay your bill.

    • (Score: 3, Insightful) by urza9814 on Monday August 20 2018, @06:03PM (18 children)

      by urza9814 (3954) on Monday August 20 2018, @06:03PM (#723853) Journal

      1) Yes, if they get hacked because they failed to properly secure their network, it is ABSOLUTELY their fault. If you call a doctor and request some random patients' medical records, you really think the doctor isn't going to get in trouble for violating HIPAA just because he didn't bother to verify your identity? Even if the patient specifically warned the doctor not to disclose those records? Why do these kinds of rules suddenly go out the window when we're discussing a computer program rather than a human being's training program? The computer obeys the rules you give it without fail, it doesn't have off days, it doesn't get sick, it ought to be perfect. If it's not, it's only because you explicitly told it not to be.

      2) AT&T did make specific promises about the security of this account -- they allowed the user to specify a password, and assured him that changes could not be made to his account without that password. Apparently, that was a lie. The customer has every right to sue for damages resulting from that lie.

      • (Score: 4, Interesting) by Knowledge Troll on Monday August 20 2018, @06:17PM (14 children)

        by Knowledge Troll (5948) on Monday August 20 2018, @06:17PM (#723857) Homepage Journal

        I don't see this as AT&T failing to meet their security obligations for the specific reason that this is a consumer level telecommunications service and the contract probably says explicitly that damages are going to be capped at some value with that value being low because AT&T has lawyers on staff to handle issues like liability. I hate AT&T but I also recognize that this specific vector is one of many inside the world wide telephone network some of which can't be remedied by the individual Telcos at all. Which is why communicating this kind of security information without additional protections is itself irresponsible and falls squarely on the service provider.

        Do you apportion any blame to the service provider in this case?

        I think there is a reasonable argument to be made that standard consumer level telecommunications service is not suitable for securing 10s of millions of dollars worth of funds.

        you really think the doctor isn't going to get in trouble for violating HIPAA just because he didn't bother to verify your identity? Even if the patient specifically warned the doctor not to disclose those records? Why do these kinds of rules suddenly go out the window when we're discussing a computer program rather than a human being's training program?

        There is the significant difference here: HIPAA is required by law and it clearly specifies what a violation is. Where is the law and if it exists what is the nature of it that requires AT&T to secure the individual accounts of their customers? Maybe such a law should exist but I don't know of it existing currently.

        • (Score: 3, Insightful) by urza9814 on Monday August 20 2018, @07:06PM

          by urza9814 (3954) on Monday August 20 2018, @07:06PM (#723876) Journal

          Yeah, I wouldn't say they should be liable for the entire amount, and I'm sure there's some wording in their contract to that effect...but they ought to be liable for SOMETHING considering that they outright lied to their customers about the security of their product. You can't guarantee 100% perfect security, but you sure as shit can guarantee that your employees are actually providing the product that you've sold as promised. If you can't even do that, you have no right to be in business at all.

        • (Score: 2) by urza9814 on Monday August 20 2018, @07:09PM (5 children)

          by urza9814 (3954) on Monday August 20 2018, @07:09PM (#723877) Journal

          There is the significant difference here: HIPAA is required by law and it clearly specifies what a violation is. Where is the law and if it exists what is the nature of it that requires AT&T to secure the individual accounts of their customers? Maybe such a law should exist but I don't know of it existing currently.

          Sorry for the double-post, missed this part when I wrote my first one. But yes, there are laws about this too -- fraud, implied warranty, false advertising, and other consumer protections. They blatantly lied to their customer about the security products which they sold to that customer. That is absolutely illegal, and there's probably nothing they can put in their contracts to protect them entirely. They aren't responsible for the customer storing their money in stupid places, but they're absolutely responsible for their own employees failing to provide the service as advertised.

          • (Score: 2) by Knowledge Troll on Monday August 20 2018, @07:45PM (4 children)

            by Knowledge Troll (5948) on Monday August 20 2018, @07:45PM (#723884) Homepage Journal

            I think we actually agree but my view is just from how jaded I am. AT&T deserves to be held accountable for this and I don't like the current state of affairs so I'm not arguing for not fixing this. I think proving fraud on the part of AT&T will be unduly difficult, Comcast is still in business and they are much more prone to outright lying. Let's run with something easier to prove: negligence on the part of AT&T.

            However suing AT&T even into the ground won't make SMS fit for this purpose. It still won't be fit for purpose if every US carrier shit bricks and fixed their user authentication as well. There are many flaws in SS7 which can only be corrected by replacing the entire system and that's quite the chore for a global protocol.

            Let's get the telcos to actually authenticate users but also that's not going to make SMS 2FA secure.

            And I still say that trusting 10s of millions of dollars worth of funds to normal consumer level security systems firmly falls into "I told you so", "you should have known better" and "blame the victim" territory even if the general public isn't astute enough to understand it. There just isn't any other alternative I can imagine.

            • (Score: 2) by All Your Lawn Are Belong To Us on Monday August 20 2018, @09:13PM (3 children)

              by All Your Lawn Are Belong To Us (6553) on Monday August 20 2018, @09:13PM (#723916) Journal

              Kreskin hat says the case will settle for an undisclosed sum (nowhere near $23 mil but still hefty) and AT&T will go on its merry way with some in-house re-education on phishing for its associates. No need to expend the money to actually secure the system (even marginally). AT&T Free Cash Flow in 2017 of $17.6 bn on $160.5 bn consolidated revenue. One percent on their free cash flow is $176 mn. They can pay this guy off completely and won't even feel it as an interest blip.

              The other interesting thing..... I know there were other paths to go down than hold $23 mil live, but when it comes to cryptocurrency what methods and levels of security are acceptable when weighed against the need to be able to move fast when prices spike or drop? Maybe that's a condemnation of cryptocurrency all on its own: nothing stops you or indemnifies you from being robbed or cheated from it and therefore it is stupid to invest those kinds of sums in it. (Well, invest sums you can't afford the hit on, anyway - this still reads like AT&T could probably do this and not notice the loss). But what would acceptable security for high-dollar cryptocurrency accounts look like?

              --
              This sig for rent.
              • (Score: 3, Interesting) by Knowledge Troll on Monday August 20 2018, @09:57PM (2 children)

                by Knowledge Troll (5948) on Monday August 20 2018, @09:57PM (#723936) Homepage Journal

                But what would acceptable security for high-dollar cryptocurrency accounts look like?

                I wish I was rich enough to know the details of what multi million dollar checking accounts look like but I'm only privileged enough to know a little about them. I do know that people with that much money put them into accounts that are tailored to that specific use case - these are not standard consumer level accounts (also they don't cost more, they tend to pay interest even). I imagine that part of these high stake accounts include additional fraud protection and security. I'm just pointing this out as an existing case where normal consumer things do not do justice to gigantic piles of money.

                For myself I would not want millions of dollars available and liquid at all - not in a checking account, a savings account or a hot wallet at any exchange. That just sounds like it is asking for trouble and I don't exchange funds enough to require that kind of liquid access.

                Two factor authentication is a must but I would elect to keep the shared secret off line - it wouldn't even go on my cell phone because that can still be exfiltrated. U2F would be an extremely good choice with a hardware dongle or USB gumstick. Everyone will have to make a decision about the amount of risk they are willing to tolerate with having their funds stolen vs the risk they would tolerate for having the funds be unavailable because they can't use the authentication credentials for any specific reason.

                Perhaps the TL;DR is: when it comes to $20 million one needs to have the minimal trust possible in other actors. In this case the person trusted their security to both the exchange and the telephone company when none of them deserved it. I wouldn't expose myself to that risk in the first place.

                Though now if people know you have $20 million guarded by a USB gumstick on premises they have lots of incentive to pay you a visit and have a "chat" about that gumstick. Even if you store it in a safe deposit box in a bank there is still the problem of being walked down to the bank with a gun in your back.

                • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday August 21 2018, @04:51PM (1 child)

                  by All Your Lawn Are Belong To Us (6553) on Tuesday August 21 2018, @04:51PM (#724256) Journal

                  Interesting, and will mod that way too...

                  I think the other thing it takes when it comes to $20 million is to have a system around it to protect it. Not just physical and data security as you mention but insurance and diversification of sources of deposit and an industry structure that has standards of acceptable practice and contingencies...... All the stuff that cryptocurrency isn't because it's a system based on trust not being necessary.

                  Now the question is will those structures be developed around the cryptocurrency world. Without it my guess is that cryptocurrency will always stay in the extreme-speculation/junk-bond level of investing confidence, entirely aside from volatility. And it puts me into the, "I'm sympathetic but dude throws multimillions into risky system dude has little right to complain." Sue, maybe - there may still be merit here based on AT&T's alleged failure to follow their procedure. But if you're already walking the dark streets at midnight can you sue when the flashlight you're sold goes out and you get mugged?

                  --
                  This sig for rent.
                  • (Score: 3, Insightful) by Knowledge Troll on Tuesday August 21 2018, @05:49PM

                    by Knowledge Troll (5948) on Tuesday August 21 2018, @05:49PM (#724278) Homepage Journal

                    I think the other thing it takes when it comes to $20 million is to have a system around it to protect it. ..... All the stuff that cryptocurrency isn't because it's a system based on trust not being necessary.

                    Bingo! And the fact that the end user in this case didn't do those things places a large portion of the blame on them for not performing due diligence in securing their pile of money. In this instance a very small portion of that $20 million could have gone to hiring a consultant that could have warned them about this. It's not good that users have to be so careful but in the absence of regulations and defined best practices that is how it has to be.

                    Though, objectively: there is no blocking issue for insuring cryptocurrency though the insurance companies may charge a lot to insure it because of the risk involved and no standard policy may exist for this, possibly yet. Additionally where this user went wrong was placing trust in two actors: AT&T and the exchange. They could have instead managed their own wallet and kept it all offline and relied only on themselves and the integrity of Bitcoin which is the lowest trust of other people possible in that system. Now we are squarely at the balance of risk based on theft vs risk based on being unable to use the funds because you can't authenticate yourself any longer.

                    But if you're already walking the dark streets at midnight can you sue when the flashlight you're sold goes out and you get mugged?

                    That is a question with nuanced answers: there are cases where it makes sense to sue in that situation and where it does not and additionally: sue or not sue the end result has to also be evaluated.

                    Let's up the stakes more: if that flashlight stops working you could die. When is that a problem? Cave diving. Anyone that cave dives and does not carry a very high quality flashlight with them is an epic idiot or suicidal. Since this flashlight is now keeping people alive the standard consumer level flashlight you pluck off the shelf at the supermarket being mass manufactured to help people find a light socket in a dark corner doesn't cut the mustard. What you need instead is something manufactured with quality materials, a robust and overbuilt design, and a very strong quality control process that accounts for errors all the way from the suppliers to getting stuff out the door. You need someone who knows your life is on the line and builds the product for that use case.

                    Even with such a flashlight in cave diving you carry 3 of them because shit happens. Even the best QC process can let stuff slip through as a legitimate mistake. Nothing can ever be made perfect so you can't just reasonably sue every time something goes wrong even when using purpose built equipment. Personal responsibility comes down to understanding the space you are operating in as well as the consequences.

                    Let's say all 3 flashlights fail, they are built specifically for cave diving, someone dies, and the family sues the manufacturer. Let's say the manufacturer is even liable here because they clearly made a mistake and manufactured it wrong. The family sues, the manufacturer improves their process and this doesn't happen again: that's the best case scenario I can think of.

                    But the diver is still dead. Suing doesn't bring him back. If they had 3 flashlights from different manufacturers they would not have had that single point of failure and could still be alive.

                    Even when the blame quite clearly lands exactly on someone else it still does not help the dead person.

        • (Score: 2) by sjames on Tuesday August 21 2018, @07:12AM (6 children)

          by sjames (2882) on Tuesday August 21 2018, @07:12AM (#724074) Journal

          At the same time, AT&T certainly bears some responsibility to secure user accounts from hijacking, and even moreso since they agreed to an additional security procedure which they then ignored entirely. As for limiting liability, just because it's in the contract doesn't mean the courts are obligated to follow it. Courts throw out contract terms as unconscionable all the time.

          • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @03:24PM (5 children)

            by Knowledge Troll (5948) on Tuesday August 21 2018, @03:24PM (#724210) Homepage Journal

            AT&T certainly bears some responsibility to secure user accounts from hijacking

            I don't disagree with that but I don't feel like it's going to happen. Here is one reason why: no one really cares. Here's how to prove it:

            Given that AT&T is enormous, slow to change, and one staff member making a legitimate mistake can ruin this whole thing (ie this problem exists even if AT&T improves) and they don't have a culture of security to draw from, how many people would pay more money to a telecommunications provider to get features such as strong authentication of users?

            When I ran into this exact problem with my previous cell provider I canceled the service and moved to a pre-paid option where the agents have no access to the account without a PIN. This was the only thing I could find that would meet my requirements for account takeover.

            AT&T was wrong, AT&T needs to improve, but that does not mean that personal responsibility here does not stand. Complaining about AT&T and trying to get that fixed is admirable but does nothing to help protect $20 million.

            • (Score: 2) by sjames on Tuesday August 21 2018, @05:35PM (4 children)

              by sjames (2882) on Tuesday August 21 2018, @05:35PM (#724277) Journal

              If the courts decide not caring will cost substantial money, they'll start caring.

              • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @06:02PM (3 children)

                by Knowledge Troll (5948) on Tuesday August 21 2018, @06:02PM (#724285) Homepage Journal

                If the courts decide not caring will cost substantial money, they'll start caring.

                Let me ask a question here: what is the correct procedure for authenticating a customer when they are dealing with something like AT&T?

                Think it all out - what is the burden of proof for the customer? How is this information transmitted? Are they going to have to show up in person with a driver's license? Who is responsible for forged documents? What about evaluation of quality of forgery? Which documents? Is a driver's license good enough or do you need a passport? How about the case where a fraudster convinces the government to issue an ID that allows them to impersonate you?

                The reason I ask is because I have heavily considered trying to create a company that would "correctly" and "strongly" authenticate the customers and I can tell you this is entirely non-obvious and highly non-trivial.

                So if the courts decide AT&T needs to be punished for not meeting an undefined metric what is that metric to be defined as?

                As long as the metric remains undefined the only means for resolution is deciding what is and is not reasonable in a court in front of a judge and possibly jury. In that situation even I would argue consumer level things are not a reasonable fit for something like securing $20 million worth of funds.

                So what is the "Telecommunication Providers Must Authenticate Users Worth A Shit And Puppies Are Cute" bill that Congress needs to pass going to say?

                On the surface it seems like they could all do at least as well as the average bar with an ID scanner, but that means you always go to a physical location for every customer service anything that involves authentication.

                Do you see why a second class of service is a more appropriate fit for this? The vast majority of people don't need this level of security and aren't going to be interested in that. For a large portion of people there will not be any convenient physical location to go to. For many getting to a physical location is going to be very very difficult. There is also the cost of implementation which will cause prices to go up.

                I would personally like a service that has that kind of security but I'm fucking weird.

                • (Score: 2) by sjames on Tuesday August 21 2018, @06:22PM (2 children)

                  by sjames (2882) on Tuesday August 21 2018, @06:22PM (#724292) Journal

                  In the case at hand, as pre-arranged with the customer, knowledge of a password was the criterion. Had the AT&T employee actually asked for the password as AT&T and the customer agreed, this wouldn't have happened.

                  An alternative that might be offered if agreed with the customer is that a letter is sent to the billing address containing a password that will then be accepted for changing the service. That way when the customer fails to keep track of the password, there remains a way to make a needed change.

                  It isn't perfect security, but it would make any shenanigans much more hands-on and add a clear felony for tampering with U.S. mail.

                  • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @06:45PM (1 child)

                    by Knowledge Troll (5948) on Tuesday August 21 2018, @06:45PM (#724309) Homepage Journal

                    Had the AT&T employee actually asked for the password as AT&T and the customer agreed, this wouldn't have happened.

                    Considering part of the claim is that someone went down to the location in person yet AT&T didn't use a "scannable" ID, and we are talking $20 million here, I don't think that password was going to stand in the way.

                    Of all the things to fault I suggest that showing up in person and not checking the ID is the biggest fuck up because someone can always go "well I forgot my password" and the CS agents are going to be happy to help them get access again. In cases like this the physical presence with physical ID is a requirement and AT&T, if we take the plaintiff's word for it, did not follow their own policy for the ID.

                    I suggest though that even that ID check is not obvious on how to handle it and it is not going to tolerate very good forgeries very well.

                    The idea of having a password sent in the mail is pretty good. Though for $20 million I bet it is easy to afford paying someone to steal the mail for 5 days in a row.

                    • (Score: 2) by sjames on Tuesday August 21 2018, @07:13PM

                      by sjames (2882) on Tuesday August 21 2018, @07:13PM (#724316) Journal

                      Actually, if the lack of the password had prevented intercepting the 2FA, it absolutely would have foiled the theft. It was an integral part of the theft.

                      It was explicitly agreed to by AT&T and then they didn't do it. As a direct result, the phone was hijacked and the 2FA was defeated.

                      And I already suggested a mechanism for password recovery for the likely case that someone forgets their password. It would actually be harder to scam than creating a fake ID good enough to fool a poorly paid representative in a store.

      • (Score: 2) by legont on Tuesday August 21 2018, @01:41AM (2 children)

        by legont (4179) on Tuesday August 21 2018, @01:41AM (#724017)

        If you call a doctor and request some random patients' medical records, you really think the doctor isn't going to get in trouble for violating HIPAA just because he didn't bother to verify your identity?

        To be fair, doctors' records are usually protected by a $10 lock that is pickable in under 5 minutes. However, the doctor is not responsible for an outright robbery of clients' data. What AT&T needs is to move the liability to the state. It will surely happen one day - it is happening now - because without it capitalism cannot work.

        How does that liability moving work in Internet days? Government forces regulations on companies and as long as the company in question complies with the letter of the regulation, it is off the hook no matter how stupid the protection is.

        All of them, especially finance, are working on it right now.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
        • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday August 21 2018, @02:19PM (1 child)

          by All Your Lawn Are Belong To Us (6553) on Tuesday August 21 2018, @02:19PM (#724173) Journal

          If there's enough money in it.

          Then you've got the other side of the spectrum like PCI DSS that moves the liability straight onto the shoulders of the merchant and away from the industry or the government. If a credit card breach happens it will invariably be the case that the merchant will have violated PCI DSS somehow. And the merchant will be responsible, no matter how many layers of consultants or auditors they hire.

          --
          This sig for rent.
          • (Score: 2) by legont on Thursday August 23 2018, @12:56AM

            by legont (4179) on Thursday August 23 2018, @12:56AM (#724979)

            True, there is a triage between businesses, and the governments did not finish their job either. However, the main point still stands - liability has got to be reasonably moved from businesses or there will be no businesses.

            --
            "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 0) by Anonymous Coward on Tuesday August 21 2018, @03:22PM (2 children)

    by Anonymous Coward on Tuesday August 21 2018, @03:22PM (#724209)

    Why don't we all have one?

    • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @03:26PM

      by Knowledge Troll (5948) on Tuesday August 21 2018, @03:26PM (#724213) Homepage Journal

      From what I've seen, after enabling 2FA most places are completely happy to still allow account recovery via a mechanism such as a registered email address, which then devolves 2FA into single-factor authentication based on access to the email account.

      CS agents are also notoriously happy to help out and reset authentication credentials so customers can access their account.

      The only place that I know of that would go "sorry you are locked out, we can't help you, we will not reset the authentication information, this is for your account protection" was the place I worked at previously.

    • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday August 21 2018, @04:54PM

      by All Your Lawn Are Belong To Us (6553) on Tuesday August 21 2018, @04:54PM (#724258) Journal

      Cause you lose your dongle or it is stolen and then you're just as screwed to get at your data as if it had been stolen?

      --
      This sig for rent.