For what it’s worth, the effective attack I’ve seen on SMS 2FA is much dumber than all this stuff. It’s “Hi, this is Althea from the security team at FooCorp. We’re running a test of our security systems. You just got a text message; can you repeat to me the code you got?”
Replying to @tqbf @patricktoomey and
“Don’t worry, we won’t ever ask you to log in for us, and you should never respond to a text by anyone claiming to be us by logging in or doing anything in the application.”
Replying to @tqbf @patricktoomey and
Is SMS 2FA better than nothing? I guess (unless you worry that people who enable it feel free to reuse passwords). But it’s bad. It mitigates dragnet attacks, but is pitiful against targeted attacks against normal users (the most important kind).
Strong agree…the issue is that the dumbest drive by password reuse attack is like 98% of what most sites see. Hence, there is a strong incentive to support SMS. We need to better classify the folks more likely for targeted attacks and steer them to stronger options.
Replying to @patricktoomey @colmmacc and
I’m biased by having worked on an oddball niche fraud target application used entirely by ordinary people, where there was lots of room for extra attacker effort because of high monetary payout. But that mirrors the campaign situation!
Replying to @tqbf @patricktoomey and
There’s all the other reasons to lobby against SMS 2FA (porting attacks are real, &c) but in reality it’s even less effective than it’s given credit for, and I have something like contempt for attempts to dunk on the critique.
Replying to @tqbf @patricktoomey and
I kind of don’t even understand the dunk at the root of this thread though. Wendy Nather went somewhere that uses a lot of SMS 2FA. Checkmate, atheist!
Replying to @tqbf @patricktoomey and
I'm also kind of baffled to be called out for a position I never held. In the campaign context, the way we presented this was as a range from less safe to more safe, and the goal was to get people to move one step further towards safety from wherever they were, without shaming.
Replying to @Pinboard @patricktoomey and
I think you got dragged into snark that was really directed at me and had nothing to do with you. We have different opinions on this!
I’ll untag you from this thread, which I should have done earlier, sorry.
The top of this thread is public shaming of an imaginary me for an imaginary dunk on someone I agree with, so I'm right at home in this thread.