Authentication with account payment history was also insecure. We found that an attacker could purchase a small refill card, apply it to the victim’s account without authentication, and then use the amount and timing of the refill to carry out a SIM swap attack!
Good advice… except with many providers (including financial institutions), the ONLY form of 2FA offered is via SMS. (Is SMS-based 2FA better than no 2FA at all? Better than email-based 2FA?) Also, even when yubikeys/apps are allowed, SMS is sometimes forced as a backup method.
Frankly as long as the target email is one of the big providers like gmail or Office365, and the sending service isn’t totally incompetent, I’d take the email option every time if the options are only SMS or email. TOTP above either of those. FIDO/WebAuthn/U2F above that.
New conversation
Messaging providers like Telesign will tell you if a SIM swap recently occurred. Any chance y'all tested the efficacy of that API? I have always been curious and wonder how many providers don't even tell Telesign that a SIM was recently ported (e.g., https://www.telesign.com/blog/post/sim-swap-the-ultimate-con/ …)
New conversation
Move the 2FA to a Google voice phone and problem solved
I was just thinking this... would this really be better?
End of conversation
New conversation
Tweet is unavailable.
As part of responsible disclosure, when a vulnerability is found, a reasonable amount of time is given for the broken vendor to fix their system. Disclosing the exploit early means an attacker could make educated attacks knowing their success rate would be better.
Relying on a standalone authenticator app has its own issues, for example if you lose your phone. Use a @bitwarden type of app, which serves two purposes: keeping your passwords safe, and it can be used as a 2FA. Keeping a screenshot of every QR code for 2FA is another security risk.
New conversation
