Maybe I'm missing something ... but it doesn't seem like "we" have any say in the matter. The banks and financial institutions just decide what security they will use, and we accept it or don't use their service.
This is correct. I really want banks to up their security (preferably U2F or yubikey support). But what I really want is financial institutions to adopt OAuth. It’s really frustrating to have to give your exact login details to a service like YNAB or Mint just to import read-only data. That isn’t to mention how often those services break because the bank changes something.
The idea of giving my full banking login details to a third party so that they can screen-scrape the interface is terrifying. It seems like the liability on those services would be huge, no?
Yes, very much so. Most companies offload the actual secret keeping and scraping to other services. The biggest one I have seen is Plaid.
we accept it or don't use their service
Questions might arise though if they change their terms of service after we've signed the contract with them. The essence of a contract is that it cannot be changed by one party alone.
Also, while we do use services provided by banks, the basis of the deal is that we lend them our money.
SMS is awful. I wish I could get my friends and family on a decent alternative. But no one wants to download and install another app on their phone when the built in messaging app works great for them already. And a lot of my friends and family are on iPhones so they're getting iMessage when chatting with each other. I have a few friends on Signal, but not enough.
This is more about SMS in 2-factor, rather than messaging.
For messaging, SMS has its pros and cons. It is quite antiquated, and well, bad, as a messaging service, but to its benefit, it is an open standard. Apart from the US, which is still heavily SMS + mixed bag of internet messaging services, you get into
Zuck's World (i.e. the absolute dominance of WhatsApp in the world minus China)
WeChat (in China)
Better service in terms of chatting experience, but you are, of course, sacrificing other things.
Oh I know it's more about 2-factor. I just wanted to point out that SMS sucks all around. And you're right about a lot of those. But Signal has been great for everyone I've managed to convince to give it a try.
It’s really upsetting how many large companies in 2021 still rely on SMS as their sole 2FA option, if they even have an option at all which is the scariest.
I’ve had numerous attacks over the years, none successful thankfully, with my email 2FA keeping me safe most of the time, but I fear all it’s going to take is one determined SMS attack to screw me because of all the little holes.
From a comment underneath the article:
The US is the only country relying completely on SMS. They were among the last to ditch CDMA networks. Most of the world relies on more (albeit not perfectly) secure messaging protocols.
I don't think it's a geographic thing, it's entirely up to the organisation running the service what sort of 2FA system they use. The reason many use SMS is due to it being ubiquitous. What other service is there available which a person is almost guaranteed to have access to?
I use TOTP personally, and do so on every service that offers it. But there is the tradeoff between security and usability which is taken into account. It's why it's cheaper for credit card companies + banks to pursue and/or swallow fraud than to enable stronger security.
SMS is definitely not secure at all, but I guess what I am saying is that there generally isn't a much better solution available in a way that is usable for 99% of users.
Presumably 99% of users that can receive SMS messages get them on a device that can run Microsoft Authenticator, Authy, or any number of similar tools all based on the same standard.
Obviously that will never have quite the same coverage as plain old SMS, but companies should at the very least allow users to switch to an authenticator instead of requiring SMS.
Yes, websites should support these tools. It's not easy to teach people to use them. The tricky thing with tools like that is that many people don't back up the codes properly, so if you lose your cell phone, you're screwed.
Unless they provide another way to get in, and then that's another weakness.
Nope. As of 2021, 72.7% of the US population had a smartphone. Admittedly, the percentage of minors in the US is 24%, but that still leaves roughly 7.5% of adults in the US without a smartphone.
I do definitely agree with the value of offering more secure options and think that every company should consider taking on that cost in the name of customer security, but if you want one system that's available to absolutely everyone, SMS is the current best choice.
SMS would lock out my mother altogether. (She has a cell phone that she rarely uses because there's no cell phone service at her house.)
Not to worry, we find workarounds. Most places that use SMS can also do email or a voice call. My point here is that there is no one system that works for everyone. If you really want to reach everyone, you need to have multiple ways to do things.
What about SMS over WiFi?
When my brother and I visit, our cell phones do work over WiFi. Mom doesn't care about this enough to make it worth getting a new cell phone and subscription.
Is that a thing, outside of Apple and Google's proprietary apps?
If your device supports voice over LTE, it should technically be able to have voice+sms over any IP connection. This is the native calling functionality of the phone, not voip services over apps.
The carrier does have to check the box on their end though to enable it, so it isn't universal yet.
I can't imagine dumbphones support this though.
Can't dumbphones still run J2ME apps? An authenticator would be pretty trivial to implement there.
EDIT: Looks like SAASPASS did it.
A separate gadget could do it too. But then you might as well get a Yubikey.
Huh, thank you. I didn't know that was possible.
That doesn't say anything about the people without smartphones, though. Do they have non-smart cell phones (thus able to receive sms)? Or do they only have a home phone, or no phone at all?