Either by sending a code to SMS or Email, you are able to sign into your account without ever needing to or being able to add a password. Why has this become a thing recently?
Either by sending a code to SMS or Email, you are able to sign into your account without ever needing to or being able to add a password. Why has this become a thing recently?
Side rant:
To make it worse, SMS is incredibly insecure. Nothing should send you codes via SMS, and if you have the option to use an authenticator app, do that. It’s atrocious so many banks only have SMS as an option.
The really dumb part is, the SMS codes are literally the same authenticator algorithm, but running on their servers and sent to you via an insecure medium.
And one little lapse in not paying a cell phone bill can cause you to lose your phone number, which then means you can no longer authenticate.
This shit drives me nuts. I’ve put in a lot of effort to secure my accounts but a number of them require SMS without any opt out. We have known about the risks of SMS plenty long enough at this point.
I never understood why SMS is insecure, are you saying it’s easy to intercept someone’s number? How would that even work without the SIM?
Veritasium did a great video on it. Anything I can say about it will be 10x worse than that video.
Getting a replacement SIM from the phone company is often shockingly easy, just a tiny bit of social engineering. And then you have access to the number and everything that 2FA “protects”
It is but only if you are targeted. I completely disagree with people who say it’s insecure because most attacks are remote and in bulk. Which your password they can login from any browser but are stopped by the SMS code.
For the SMS code they can use mostly automated social engineering to trick a certain percentage into giving it up.
However while A SIM attack may be easy enough for a targeted individual, I don’t think it scales: they have to do work that only helps with one user. It’s too “expensive” compared to automated social engineering against a million vulnerable users
its also very inconvenient if you are outside of the country and dont want to pay for roaming. Cellphone providers should offer a way to forward sms messages to an email address, their own webpage or an app.