Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’

return2ozma@lemmy.world · 4 months ago

Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’

Cornelius_Wangenheim@lemmy.world · 4 months ago

NIST has been saying since 2016 not to use SMS for MFA. It’s always been horribly insecure.

Uriel238 [all pronouns]@lemmy.blahaj.zone · edit-2 4 months ago

Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.

Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)

We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.

sugar_in_your_tea@sh.itjust.works · 4 months ago

rendering

Wait, are they melting people down to make soap now? Fight Club wasn’t just a meme then…

Uriel238 [all pronouns]@lemmy.blahaj.zone · 4 months ago

Extraordinary Rendition is the euphemism from the aughts from which the movie Rendition was titled. It means taking your detainee somewhere else, often across national borders, to a black site, usually to do things there for plausible deniability (e.g. we don’t torture in the United States )

sugar_in_your_tea@sh.itjust.works · 4 months ago

Looks like I missed that movie, I’ll have to check it out.

And I don’t think I’ve ever heard the term “rendering” used in that context, I guess we just used other terminology. Thanks!

randon31415@lemmy.world · 4 months ago

Authentication for my work email: Enter 28 character password, receive sms, enter message, log in

Authentication for my Battle.net account:

-Enter email made before 2000 because they don’t let you change email

-Enter password

-Get rejected

-Solve CAPTCHA

-Try backup passwords, get rejected

-Request new password

-Send request to 24 year old email

-Try to log on to 24 year old email, email is suspicious and sends Authentication request to my newer email

-Open newer email, Authenticate older email

-open old email, Put in code to battle.net

-Battle.net requests Authenticator code from Battle.net app

-Open battle.net app (no requests)

-Try manual code, doesn’t work

Realize Battle.net app Authenticator not connected

-Try to connect Battle.net app Authenticator to account

-Realize you cannot connect Authenticator without signing in AND signing in requires Authenticator

-Close Battle.net app

-Open Blizzard Authenticator

-Close warning that this app got depreciated in January

-Enter manual code

-it works

-Attempt to change password to password I first attempted

-Won’t let me use same password

-Try logging in using that password

-Still doesn’t work - Solve one more CAPTCHA

-Change password to backup password and back to original password - have to solve 2 more Captchas

-Finally works

-Log in

λλλ@programming.dev · 4 months ago

That just kept going. I feel you, but maybe try a password manager? You open it up, type blizzard and it tells you exactly what password you used. Even better, it can generate really good passwords for you.

I use bitwarden.

WordBox@lemmy.world · 4 months ago

It didn’t accept the password that was set.

JoeKrogan@lemmy.world · 4 months ago

Always has been

Imgonnatrythis@sh.itjust.works · 4 months ago

Didn’t this happen quite awhile ago? I don’t see anything new in this article

phoneymouse@lemmy.world · edit-2 4 months ago

Thank god, give me my HMAC hash please.

Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.

finitebanjo@lemmy.world · edit-2 4 months ago

The end of an era.

Or actually, probably not until we redo whole cellular phone technology works and kick out all the bad actors using SS7 vulnerabilities for stuff like spoofing numbers and stealing messages. We really shouldn’t be using a 45 year old system for almost all communications.

Agent641@lemmy.world · edit-2 4 months ago

Use Telegram.

Not the app, the 200 year old wire radio messaging system based on Morse code, E2EE (Elderly man to Elderly man Enciphered)

finitebanjo@lemmy.world · 4 months ago

I guarantee you that is the opposite of a solution, old man encryption is very easily hacked by other old men for spoofing, redirecting, or listening.

mPony@lemmy.world · 4 months ago

if you count whiskey and cigars as hacking

Cocodapuf@lemmy.world · edit-2 4 months ago

Since when was sms ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient’s carrier both have the opportunity to intercept messages.

I mean that’s the message content, not the authentication, but still, sms is the opposite of secure, always has been.

brie@programming.dev · 4 months ago

Not true. SMS is encrypted in 3G, LTE, 5G. Block cyphers like Kasumi and A/9 are used. SMS is reasonably secure, because it’s hard to infiltrate telecom systems like S7