“The opaque ID is unique to the relationship between the customer's Apple ID and the business’s business ID. A customer has a different opaque ID for every chat they have using Messages for Business.” https://register.apple.com/resources/messages/messaging-documentation/faq …
Replying to @patricktoomey @colmmacc and
Hmm “The Opaque ID is unique to the relationship between the user’s Apple ID and the business’s Business ID. A user has a different Opaque ID for every business they contact using Business Chat.”... so maybe durable per user:business tuple https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf …
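The two quotes above describe the property of an opaque ID (stable for one user:business pair, different for every business the same user contacts). As an added example, not Apple's code and not its actual derivation, the block below shows one standard way a service can build such a pairwise pseudonymous identifier: a keyed hash over a length-prefixed encoding of the two IDs. The server key, the user and business IDs, and the function names are all assumptions made for the example.

```python
import hmac
import hashlib

# Constructed server-side secret for this example only. In a real deployment the
# key would be generated randomly and held in a KMS/HSM, never shared with the
# businesses that receive the opaque IDs (assumption, not Apple's design).
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _encode(*fields: str) -> bytes:
    """Length-prefix every field before hashing.

    Plain concatenation would make ("ab", "c") and ("a", "bc") hash to the same
    value; a 4-byte length prefix per field removes that ambiguity.
    """
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def opaque_id(user_id: str, business_id: str, key: bytes = SERVER_KEY) -> str:
    """Pairwise pseudonymous identifier for one (user, business) relationship.

    - Deterministic: the same pair always yields the same ID (durable).
    - Per-business: the same user gets a different ID at every business.
    - Unlinkable: without `key`, two businesses cannot tell whether two IDs
      belong to the same user, because HMAC output is unpredictable.
    The label "pairwise-id-v1" is a domain-separation tag so the same key could
    be reused for other derivations without colliding outputs.
    """
    message = _encode("pairwise-id-v1", user_id, business_id)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_properties(user_a: str, user_b: str, biz_1: str, biz_2: str) -> dict:
    """Return a dict of booleans checking the properties the quotes describe."""
    a1 = opaque_id(user_a, biz_1)
    return {
        "durable": a1 == opaque_id(user_a, biz_1),
        "differs_per_business": a1 != opaque_id(user_a, biz_2),
        "differs_per_user": a1 != opaque_id(user_b, biz_1),
        # A business holding its own ID for the user learns nothing that lets
        # it recompute the ID the user has at another business.
        "key_dependent": a1 != opaque_id(user_a, biz_1, key=b"\x00" * 32),
    }


if __name__ == "__main__":
    # Constructed sample identifiers.
    print(opaque_id("alice@example.com", "biz-0001"))
    print(verify_properties("alice@example.com", "bob@example.com",
                            "biz-0001", "biz-0002"))
```

The useful defender-side takeaway is the unlinkability property: a business that is compromised leaks only its own relationship IDs, which cannot be joined against another business's IDs without the server's key.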
Replying to @patricktoomey @colmmacc and
For what it’s worth, the effective attack I’ve seen on SMS 2FA is much dumber than all this stuff. It’s “Hi, this is Althea from the security team at FooCorp. We’re running a test of our security systems. You just got a text message; can you repeat to me the code you got?”
Replying to @tqbf @patricktoomey and
“Don’t worry, we won’t ever ask you to log in for us, and you should never respond to a text by anyone claiming to be us by logging in or doing anything in the application.”
Replying to @tqbf @patricktoomey and
Is SMS 2FA better than nothing? I guess (unless you worry that people who enable it feel free to reuse passwords). But it’s bad. It mitigates dragnet attacks, but is pitiful against targeted attacks against normal users (the most important kind).
Strong agree…the issue is that the dumbest drive by password reuse attack is like 98% of what most sites see. Hence, there is a strong incentive to support SMS. We need to better classify the folks more likely for targeted attacks and steer them to stronger options.
Replying to @patricktoomey @colmmacc and
I’m biased by having worked on an oddball niche fraud target application used entirely by ordinary people, where there was lots of room for extra attacker effort because of high monetary payout. But that mirrors the campaign situation!
Replying to @tqbf @patricktoomey and
There’s all the other reasons to lobby against SMS 2FA (porting attacks are real, &c) but in reality it’s even less effective than it’s given credit for, and I have something like contempt for attempts to dunk on the critique.
Replying to @tqbf @patricktoomey and
I kind of don’t even understand the dunk at the root of this thread though. Wendy Nather went somewhere that uses a lot of SMS 2FA. Checkmate, atheist!
Replying to @tqbf @patricktoomey and
I'm also kind of baffled to be called out for a position I never held. In the campaign context, the way we presented this was as a range from less safe to more safe, and the goal was to get people to move one step further towards safety from wherever they were, without shaming.
For most campaigns, that meant moving from [Candidate Name][Year] as the default password for everything to at least a variety of unique bad passwords. If people were willing to turn on any form of 2FA I practically had the champagne ready.