
> I can't stress this enough but please enable OTP on your accounts. Facebook, gmail, and even your Windows system if you are paranoid enough. Yeah it adds some hassle - but the value of increased security far outweighs the hassle. Also backup the OTP codes somewhere.

It seems like the specific attack vector in this case was linking the gmail account with a cell phone number. Surely the most secure option is simply a very strong password with no TFA, OTP or any other auxiliary recovery options?




> It seems like the specific attack vector in this case was linking the gmail account with a cell phone number.

The whole story seems kind of far-fetched really. If the attacker did get forwarding to work - it would only forward calls, not text messages (and gmail would send a recovery code via text message). According to the story it was in the process of being ported, which MAY send texts to the new number - but in most accounts that I've read about dealing with porting, it takes at least 24 hours for them to start receiving text messages on the new provider. To my knowledge no carrier has implemented text message forwarding. Also it seemed my posts were downvoted right around the time of his responses.

There are certain holes in this story - first it was a gmail account, then it turned into a gmail + google apps account which are 2 completely different things.

Regardless - enable OTP period.

> Surely the most secure option is simply a very strong password

Arguably using a different strong (12+ characters) password for every site and service is a good approach - but then you should probably be generating those passwords and storing them into a password manager. Then that password manager becomes a target[1]. Using OTP is just a good layer of security.

[1] http://arstechnica.com/security/2015/06/hack-of-cloud-based-...


> If Google thinks something is suspicious, it will decline your 2FA codes and recovery attempts—it will just tell you that you entered the wrong code.

Seriously! What! The! Hell!

I too have thought before that having 2FA (and linking a phone number, which I hate to do) would avoid tripping in such situations and that the systems would consider a different situation (like a different IP address/location, a different browser) as reliable enough with 2FA. But this irks me a lot.

I don’t really use Gmail much and have other paid alternatives, but I have some old stuff that may be mildly inconvenient if I were to lose them. Need to download the data and dump these accounts.


> Note that, among other requirements, even when using phone- and SMS-based OTPs, the agency also has to verify that the OTP is being directed to a phone and not an IP address, such as with VoIP, as these accounts are not typically protected with multi-factor authentication.

Unbelievable. My email address is protected with multi-factor authentication (and given the popularity of Gmail, I'd wager that this isn't all that uncommon!); my main phone line isn't.


> Are you sure about that? I couldn't activate 2FA in my Google account for years because they didn't enable the option without giving a phone number first.

Just checked, and yes, no phone or email recovery methods configured.


> They will ask you to verify via phone? Isn't that mandatory today?

A suggestion I would make to anyone who is uncertain of how this works, and since it's a moving target: once a year, test what it takes to compromise your own account. Ensure that you're comfortable with a recovery scenario of "I can demonstrate control over X to the automated recovery service."

I did it a few years ago with my personal GMail account, which I had thought was well-secured, and it caused me to make significant changes to my security settings.


> Facebook, Twitter, and sometimes Gmail.

I know this is really sloppy of me but I'd argue my Gmail is as important if not more important than my bank account. If you have access to my bank, you have access to one bank account of mine but if you have control of my Google account, you now have access to all my bank accounts.

I agree though. I opted into two step authentication for a reason. If I give you both my password and two step code, add this entry to an append only table and move on.

I guess Facebook and Twitter will have this problem where people will take over someone's account and lock them out. Without going into too many details, I saw this happen to someone close to me. It is wild that there are scammers who do this for a living.


> "the only protection is to not give them your phone number in the first place."

That has its own risks. If you don't provide it to google and your account gets hacked, it's extremely hard to get it back. (My wife lost her original gmail account that way about 2 years ago. And of course there was no way to get any live support to try & fix it)

Basically if you don't provide your number, you're more open to the more prevalent traditional hacking. If you do provide a number, you're more open to a slightly less prevalent type of hacking. It doesn't leave much to choose from.


> user aversion to 2FA is often rational.

The account recovery process should be set up at the start of the 2FA setup - e.g., you get emailed a bunch of backup codes (easiest way imho).

The site should not be using their own 2FA app, but use a standard OTP implementation, and let the user use their own OTP app (most people default to google's authy, but there are a couple out there that are common too).

Or, as an alternative, delegate the login to email and use a password-less login mechanism (effectively delegating the account security to the email's security). I argue this is actually more convenient, but some people (esp. young people?) have an aversion to email which I don't understand.


>> Basically, the ability for someone to log into my account by brute forcing or obtaining my credentials

> you ensure that people cannot log in with credentials, even if they have them.

Except that you left out the second part of that sentence:

>> or being able to bypass the log on process by using the conventional second auth factor against me (by doing the same thing to my email account and/or my cell phone provider).

For example: https://www.nbcbayarea.com/news/local/Mans-1M-Life-Savings-S...

In that case, the person was a victim of a SIM swap scam which redirected password reset messages to the attacker's cell phone, which then allowed them to access the account.

Regardless of how I initially termed it, having another factor just local to the device one is using rather than a 3rd party service that can be compromised in a way that you may not immediately realize is a far better way of doing multi-factor or multi-step auth.

But this solution should not just be limited to the HTTP application level protocol. It should also be available for other application level protocols (IMAP, SMTP, NNTP, IRC, etc). That means that U2F needs to account for this, or we should have more support for using client-side TLS certificates as part of the authentication process.


> you fail to realize that 2FA TOTP on your email doesn't make you more secure.

More secure than what?


> Google does let you have 2 factor setup without a phone number as a factor, but strangely you need a phone number temporarily.

I finally set up 2FA on my Google account this weekend.

It struck me as incredibly odd that Google requires a phone number to enable 2FA. NIST recently advocated against using SMS for OoB auth. [0]

If I had been an account hijacker with the password (e.g. obtained via phishing) it would have been ludicrously simple for me to enable 2FA on someone else's account.

I don't understand, I already have an Android phone with Google Play Services installed. Why isn't pressing "Okay" on my phone sufficient? It's certainly not any more insecure than an SMS.

What I view as even worse is on the first attempt the SMS didn't go through, so I asked Google to give me a call. Evidently my provider blocks whatever number they're using to call out of, so my phone never rang. But Google left the verification code anyway, AS A VOICEMAIL!

My inner tin foil hat says Google wants a phone number for other purposes.

[0] www.securityweek.com/nist-denounces-sms-2fa-what-are-alternatives


> That's not as I understand it. Why would SMS OTP be used? 100% of accounts today will already have a password, that's how you would login if you lose your only passkey device.

If we continue to do this, don't we then still just have all the same problems with passwords?


> And lastly, if someone steals your phone, with a mail client on it, it is way easier for identity theft to occur, not harder.

How exactly is this true? I encrypt my phone's hard disk and I encrypt all of my SMS communications (locally) with https://play.google.com/store/apps/details?id=org.thoughtcri...

It's no harder than if someone steals your laptop. The same measures you would use on a laptop (FDE, TLS) are available on phones. The argument can certainly be made that SMS is an insecure form of 2-factor auth, since they can be easily intercepted in transport (though if you use TextSecure someone who steals your phone can't get them!), but that's why we have the google authenticator app.


> It strikes me as easier to target a specific user, and try to steal their email credentials (phishing is still ridiculously successful), and then basically get access to all of their online accounts.

Yes - this is absolutely the case.

> I would tend to agree that if I did lose my password, then upon change of said password, I should still provide the 2FA challenge when actually logging in. Alternatively, the password change flow should not be started unless I provide the 2FA challenge itself. After all, what are the odds I lost both the password and the 2FA device?

The problem is not that the odds are high (although they are higher than you'd expect). The problem is that the odds are not zero. So you have to either fall back to a much more expensive verification method, or you have to accept that this account is a now a zombie account with an unhappy user.

In many cases - the cost to a business of dealing with a small number of compromised accounts is much lower than the cost of having a real verification system for identity and recovery for failed 2FA.

It's not even that unreasonable a stance, since identity verification is a Hard (with a fucking capital H) problem. At best you tend to be praying that the local government (or bank) for that user's region has a decent identification system and good records, or that the user has a preponderance of evidence in their favor.

So... long story short, this is a hard problem. Lots of businesses would still prefer the government take a more active role even in the US (ex: https://www.cfr.org/report/solving-identity-protection-post-... and I've been hearing about similar plans to use the USPS as identity verification for at least a decade now)


> With two-factor authentication you are happily providing gmail with your phone number.

Which I also provide to Google because all of my phone numbers are forwarding numbers for my GVoice account, so that's not a big deal.

> They say they need this to send you a verification code when you log into your gmail account.

Sure.

> Well, if that's the trick, they don't need your phone nr at all, they can do ip and os check anyways..

How can they determine it's valid without the second factor the first time you log on from a particular device? That's a key feature of 2FA (plus, if you ever use a shared computer, you don't want to choose the option to never ask for a code again on that computer!)


> using YubiKey for 2FA

Today Google/Gmail suddenly logged me out and asked me for the hardware key, and I thought no problem as I have OTP with my Password Manager, but OTP didn't work. I had the key somewhere else. Luckily after insisting a bit Google gave me the option to use my mobile Gmail app to verify it's me (note it was not Google Authenticator, why did they make me install it?). All this hassle even though I've been on the same ISP/IP range and computer for weeks. No VPN or anything.

On top of the multiple authentication options, I'm going to add a second hardware key in case I lose my main one and Google decides it's the only way to log in.

Edit: the OTP option is not there anymore in my Google account 2-Step Verification, but it did ask for it and it failed.


> It seems like every time I read about how SMS2FA was hacked it was done by some state level power... It seems to be a lot more vulnerable than that. Perhaps the biggest problem is that the phone companies do not treat your phone number as being a component of a 2FA system (and, to be fair, that was never the intent).

I think this sums up the problem.

BUT

SMS is likely the most convenient way for non-geeks to use. And, as far as I am concerned it seems only (or especially) Telecoms in the US are vulnerable. In places like China / Hong Kong / Japan / Korea, you can't change your recovery code or whatever without your personal ID.


> Well, not. I called them and with a procedure that took some 3 days and numerous phone calls, id photos, etc. But I finally got the access to my account back.

And the point of 2FA in the first place is thought by many to prevent social engineering.

All you needed was an id photo and be able to talk on the phone?

That and account history etc. will probably be in many people's email. Thus access to the email only would allow you to get access to 2FA services too.


> If you can reroute SMS auth codes, it's game over.

Except it's absolutely trivial to do so, just bribe a low ranking employee of the phone company, and it's done. This has been done thousands/millions of times, usually targeting Bitcoin holders. Just google "Simjacking"

I absolutely loathe when companies make me use SMS as 2FA. I flat out refuse to use the service if they force SMS for account recovery, because at that point you might as well just be sending plaintext passwords over the internet, because you clearly don't care about your customers' safety.

Oh, and the amount of hoops you have to jump through to make Gmail NOT use SMS for account recovery is insane.

