2FA over SMS considered harmful

Victor Odhner vodhner at cox.net
Fri Jul 29 00:42:46 MST 2016


I’m just glad we have a Social Security office here in our northeast Phoenix neighborhood. I have never used “My Social Security” and don’t mind once every few years spending 45 minutes in their waiting room.

I have also actively rejected my medical providers’ offers of handy online access to our medical data. Their user-facing security is hilarious. They assured me that the interface doesn’t get loaded with my records if I don't activate my account. I’d like to believe that, but if it’s not true there’s not much I can do about it. But get this: BY SIGNING UP TO ONLINE MEDICAL RECORDS, YOU WAIVE HIPAA RESTRICTIONS ON YOUR DATA, because the online provider is outside the medical field or something. It says that in black and white. My own medical record has nothing embarrassing, but I figure it’s the duty of a geek to act a little paranoid. Again, I’m close enough that I can march into the provider’s office to take care of any questions or requests, and I prefer face-to-face interaction anyway.

Technology is great, but keeping some things primitive is refreshing. Most of my phone contacts are on a non-Google provider; my GPS is turned off almost all the time (to save my 3.5 year old battery); and location is (nominally) denied to all the apps most of the time. Our air conditioner’s thermostat lost its LCD and we never used the programming features anyhow, so I replaced it with a $12 mechanical thermostat. It won’t break. For $150+ I could have added my thermostat to the Internet of Things.

But our house has close to a dozen WIFI nodes, including our Vizio 3D TV which I’m sure is watching and listening. My phone and macbook have open camera and microphones. If we’re on the Grid, we should not fool ourselves about privacy.
:)

Victor
____________________

On Jul 28, 2016, at 22:24:21, der.hans <PLUGd at LuftHans.com> wrote:

On 28 Jul 2016, Tom Roche wrote:

Hello,

Wow! That's just wrong even if there weren't any security issues.

They shouldn't require access to a cell phone or access to a pay for use
service.

I hope there are still non-digital forms of interaction.

ciao,

der.hans

> Hans Kugler[1]
>>> web sites should not be given your phone number for 2 factor authentication. First of all, they don't need your phone number :). Secondly, it's not secure. Now the NIST agrees.
> 
> So, as if on cue,
> 
> Date: Fri, 29 Jul 2016 04:43:49 +0000
> From: Social Security Administration <subscription.service at subscriptions.ssa.gov>
> Subject: New step to protect your privacy using my Social Security
> 
>> Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user.  This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services.
> 
> ...
> 
>> When you sign in at ssa.gov/myaccount with your username and password, we will ask you to add your text-enabled cell phone number.
> 
> ...
> 
>> Each time you sign into your account, you will complete two steps:
> 
>> Step 1:  Enter your username and password.
>> Step 2:  Enter the security code we text to your cell phone (cell phone provider's text message and data rates may apply).
> 
> ...
> 
>> If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.
> 
> FWIW, Tom Roche <Tom_Roche at pobox.com>
> 
> [1]: http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> 

-- 
#  http://www.LuftHans.com/        http://www.PhxLinux.org/
#  Intelligence without compassion is a waste.  -- der.hans
