10:51 am
July 5, 2019
https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf
Migrate away from Short Message Service (SMS)-based MFA. Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.
I don't know if Canadian telecom has been infiltrated, but this is a scary warning. It took a long time for banks to move to SMS MFA, so it would probably take a long time for them to implement FIDO2 or whatever is necessary.
8:31 pm
September 29, 2017
This is only one reason why I do not use MFA, nor perform any banking on a cellphone. Far more security risks than on a computer. There are far less ways to mitigate risks on a phone than a computer. In some ways, it is like driving with eyes closed (try it and see (pardon the pun) what it feels like). These things are simply not acknowledged enough.
Also, MFA has become a convenient way to tie down your identity and track you online, initially just for marketing purposes, but for far more than that too. Ripe with abuse potential, with actual exploits.
9:21 pm
November 18, 2017
smayer97: Ditto. I'm on a hardened Linux desktop. And it only deals with my online stuff; other computers handle all my other stuff. My financials are on an air-gapped machine.
Folks, listen to the paranoid. If there's one thing we've learned since the web was privatized by Al Gore, it's that we are never paranoid enough. We only find out what to avoid years after it's been done to us for a good while.
(Your car is now telling insurance companies how you drive. Not a joke.)
RetirEd
5:12 am
February 6, 2019
smayer97 said
This is only one reason why I do not use MFA
How are you achieving nowadays not to use MFA when (pretty much) all FIs force you to do it?
There are a couple FIs which allow you to use email for MFA (and I always choose that, as opposed to SMS, when allowed to)
Remember ING's security (when initially you chose a few images that they would then show you every time when you logged in)? That was brilliant! The best I have ever seen. It was 25 years ago...
10:46 am
April 27, 2017
smayer97 said
Also, MFA has become a convenient way to tie down your identity and track you online, initially just for marketing purposes, but for far more than that too. Ripe with abuse potential, with actual exploits.
That’s a particularly good point (among many). Never ever let your bank know your identity.
3:02 am
September 29, 2017
rk said
smayer97 said
This is only one reason why I do not use MFA
How are you achieving nowadays not to use MFA when (pretty much) all FIs force you to do it?
There are a couple FIs which allow you to use email for MFA (and I always choose that, as opposed to SMS, when allowed to)
Remember ING's security (when initially you chose a few images that they would then show you every time when you logged in)? That was brilliant! The best I have ever seen. It was 25 years ago...
My comment was MFA on a phone. Hard to get away from MFA. Though still not ideal, I opt for email, or landline, where still possible.
5:28 am
February 6, 2019
smayer97 said
My comment was MFA on a phone. Hard to get away from MFA. Though still not ideal, I opt for email, or landline, where still possible.
Thanks for clarifying. I try not to use my phone for banking at all. The only exception is to deposit cheques (once or twice per year, when I get an unsolicited cheque).
6:39 am
April 27, 2017
Email has to be the least secure form of Two-Factor Authentication.
Email accounts get compromised. Emails are usually sent as unencrypted text and can be intercepted.
There are far superior methods, eg a one-time code can be generated using apps such as the Microsoft or Google Authenticator apps, where a new code is generated every 30 seconds.
1:31 pm
September 29, 2017
1:56 pm
September 29, 2017
mordko said
Email has to be the least secure form of Two-Factor Authentication.
Email accounts get compromised. Emails are usually sent as unencrypted text and can be intercepted.
There are far superior methods, eg a one-time code can be generated using apps such as the Microsoft or Google Authenticator apps, where a new code is generated every 30 seconds.
Unencrypted email interception in general, yes, but associating that email to anything is a tricky thing, which would require a high level of sophistication. That kind of effort is too great to target an individual. Interception of MFA tied to a phone is easier. So, less worried about that. BUT, it is all relative.
You are right that there are better ways. It just takes more effort (time, learning curve, etc) to incorporate these, and they are not ubiquitous, so can get complicated to even make them work in all, or at least enough, circumstances. But need the time to figure it out.