
Two Factor Authentication

Investment discussion for beginners. Why you should invest your money, get help getting started
colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#294798

Postby colin » March 27th, 2020, 1:24 pm

88V8 wrote:Mobile?
Anything involving money?
Haha.

I get 2FA codes on email (PC with good security) or landline.

V8

How do you receive a security code via landline? Has your email provider not demanded that you provide a mobile phone number if you wish to have continued access to the account? Mine has.

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#294802

Postby colin » March 27th, 2020, 1:33 pm

uspaul666 wrote:SIM swap fraud can be a problem. But 2FA like "Authy" or Google's authenticator avoid relying on the phone number or SIM. A J Bell use an authenticator, for example. It's also worth adjusting the notification settings on the phone so that SMS messages are hidden until the phone is unlocked.

Thanks for the good idea of hiding notifications while locked; unfortunately no institution has yet offered me such an option. The serious vulnerability to me seems to be the ease with which someone can hijack email accounts using a 'stolen' phone number.

jonesa1
Lemon Slice
Posts: 263
Joined: May 27th, 2019, 9:47 am
Has thanked: 103 times
Been thanked: 142 times

Re: Two Factor Authentication

#294848

Postby jonesa1 » March 27th, 2020, 4:09 pm

colin wrote:
uspaul666 wrote:The safest way to access a financial institution is generally accepted to be via their app on a modern mobile phone, preferably via mobile data. Sorry.

Sorry the issue is other people accessing your financial institutions by hijacking your phone number, pay attention.


Cloning a SIM doesn't also give you access to the account used by a phone app. It could give you access to SMS messages, which might be one of the factors if the app uses two factor authentication. A hacker would still need to know, or be able to acquire, the account id and password.


colin wrote:
uspaul666 wrote:SIM swap fraud can be a problem. But 2FA like "Authy" or Google's authenticator avoid relying on the phone number or SIM. A J Bell use an authenticator, for example. It's also worth adjusting the notification settings on the phone so that SMS messages are hidden until the phone is unlocked.

Thanks for the good idea of hiding notifications while locked, unfortunately no institution has yet offered me such an option


This is controlled by a 'phone setting, you don't need an institution to give you the option.

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#294900

Postby colin » March 27th, 2020, 6:38 pm

jonesa1 wrote:
colin wrote:
uspaul666 wrote:The safest way to access a financial institution is generally accepted to be via their app on a modern mobile phone, preferably via mobile data. Sorry.

Sorry the issue is other people accessing your financial institutions by hijacking your phone number, pay attention.


Cloning a SIM doesn't also give you access to the account used by a phone app. It could give you access to SMS messages, which might be one of the factors if the app uses two factor authentication. A hacker would still need to know, or be able to acquire, the account id and password.


colin wrote:
uspaul666 wrote:SIM swap fraud can be a problem. But 2FA like "Authy" or Google's authenticator avoid relying on the phone number or SIM. A J Bell use an authenticator, for example. It's also worth adjusting the notification settings on the phone so that SMS messages are hidden until the phone is unlocked.

Thanks for the good idea of hiding notifications while locked, unfortunately no institution has yet offered me such an option


This is controlled by a 'phone setting, you don't need an institution to give you the option.

Yes, of course. I was thinking of writing that no financial institution gave me the option of 2FA via a 2nd email but got distracted as I was writing; should've looked!

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#294909

Postby colin » March 27th, 2020, 7:09 pm

jonesa1 wrote:
colin wrote:
uspaul666 wrote:The safest way to access a financial institution is generally accepted to be via their app on a modern mobile phone, preferably via mobile data. Sorry.

Sorry the issue is other people accessing your financial institutions by hijacking your phone number, pay attention.


Cloning a SIM doesn't also give you access to the account used by a phone app. It could give you access to SMS messages, which might be one of the factors if the app uses two factor authentication. A hacker would still need to know, or be able to acquire, the account id and password.

I am thinking of the situation where someone knows your email address and phone number. If they also know which phone company you are with, they exploit lax security to pretend that they are you and claim to have left the phone on a bus/dropped it in a river or whatever, then request that 'their' old number be transferred to a new SIM. So now your SIM is deactivated and your phone does not work at all. Now they type your email address into your mail provider's sign-in page, click on "forgot password", and if you have a phone number linked to the account they receive the passcode which allows them to reset your email password. They can also use the same technique to access some online brokerage accounts if they have the name and account number, and change your password. It used to be that financial institutions and email accounts relied on memorable names, dates, places etc. to recover forgotten-password accounts, but the ones I use have all moved over to using SMS messages with a code.
There have been many large-scale hacks where personal information that was not considered to be security sensitive, such as names, addresses and email addresses, was not encrypted, and these databases are for sale on the dark web. Phone company employees have been bribed to provide the information needed to SIM swap, and some phone company employees have been so lax with security issues that 'mystery shoppers' have persuaded them to transfer someone else's number to a SIM in their possession.

TUK020
Lemon Quarter
Posts: 2039
Joined: November 5th, 2016, 7:41 am
Has thanked: 762 times
Been thanked: 1175 times

Re: Two Factor Authentication

#294984

Postby TUK020 » March 27th, 2020, 10:33 pm

colin wrote:I am thinking of the situation where someone knows your email address and phone number. If they also know which phone company you are with, they exploit lax security to pretend that they are you and claim to have left the phone on a bus/dropped it in a river or whatever, then request that 'their' old number be transferred to a new SIM. So now your SIM is deactivated and your phone does not work at all. Now they type your email address into your mail provider's sign-in page, click on "forgot password", and if you have a phone number linked to the account they receive the passcode which allows them to reset your email password.


If you are that concerned about this possibility, get a second PAYG phone that you only use for this purpose. Its number is only registered as the number for your account authentication, and it only gets turned on to reload with credit, and when you wish to perform a bank transaction.
It would take a serious player (government security types) looking to connect all the dots to be able to unscramble all that, and they probably have easier ways of emptying your bank account if that was what they wanted to do.

colin
Lemon Slice
Posts: 663
Joined: December 10th, 2016, 7:16 pm
Has thanked: 24 times
Been thanked: 114 times

Re: Two Factor Authentication

#294995

Postby colin » March 27th, 2020, 11:21 pm

TUK020 wrote:
colin wrote:I am thinking of the situation where someone knows your email address and phone number. If they also know which phone company you are with, they exploit lax security to pretend that they are you and claim to have left the phone on a bus/dropped it in a river or whatever, then request that 'their' old number be transferred to a new SIM. So now your SIM is deactivated and your phone does not work at all. Now they type your email address into your mail provider's sign-in page, click on "forgot password", and if you have a phone number linked to the account they receive the passcode which allows them to reset your email password.


If you are that concerned about this possibility, get a second PAYG phone that you only use for this purpose. Its number is only registered as the number for your account authentication, and it only gets turned on to reload with credit, and when you wish to perform a bank transaction.
It would take a serious player (government security types) looking to connect all the dots to be able to unscramble all that, and they probably have easier ways of emptying your bank account if that was what they wanted to do.

This has happened several times already:
https://www.thisismoney.co.uk/money/bea ... -bank.html
Just one example; there are more. Everyone should be concerned.

Lootman
The full Lemon
Posts: 18677
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6560 times

Re: Two Factor Authentication

#295228

Postby Lootman » March 28th, 2020, 9:51 pm

colin wrote: I was thinking of writing that no financial institution gave me the option of 2FA via a 2nd email

I know, this is starting to drive me nuts. Today I was somewhere with no phone signal and I tried to do an online transaction three times, with three different cards, and each one insisted on wanting to send a code to my phone.

It's also a problem in many places overseas where my UK phone won't work.

Just give me the option to have the code sent to my email!!!! If anyone knows a UK credit card that offers that, please let me know. They will instantly have all my business.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Two Factor Authentication

#412444

Postby XFool » May 16th, 2021, 1:06 pm

This (MFA) - from another thread - again:

XFool wrote:BTW. After being sent that nice new PINsentry card reader by Barclaycard (MFA), I have never yet been asked to use it for its intended purpose. It still seems like a watered down version of 'Verified by Visa' online. So far I've only ever used it to log on to my non-Barclays bank account. Typical!

I am far from being a big user of CCs online; nevertheless, the above still remains true. If I remember correctly, I still get a version of the old 'Verified by Visa' screen pop up, it just doesn't really ask for any more information while it verifies all by itself. (Or is that with the debit card?)

So why did Barclays bother to send me their PinSentry machine if it isn't being used online with their credit cards? I do not have and have never had a Barclays bank account. What is others' experience of 2FA in the UK at present? (Perhaps now in the UK it's a Brexit thing!)

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Two Factor Authentication

#412453

Postby Lanark » May 16th, 2021, 1:49 pm

colin wrote:
jonesa1 wrote:
colin wrote:Sorry the issue is other people accessing your financial institutions by hijacking your phone number, pay attention.


Cloning a SIM doesn't also give you access to the account used by a phone app. It could give you access to SMS messages, which might be one of the factors if the app uses two factor authentication. A hacker would still need to know, or be able to acquire, the account id and password.

I am thinking of the situation where someone knows your email address and phone number. If they also know which phone company you are with, they exploit lax security to pretend that they are you and claim to have left the phone on a bus/dropped it in a river or whatever, then request that 'their' old number be transferred to a new SIM. So now your SIM is deactivated and your phone does not work at all. Now they type your email address into your mail provider's sign-in page, click on "forgot password", and if you have a phone number linked to the account they receive the passcode which allows them to reset your email password. They can also use the same technique to access some online brokerage accounts if they have the name and account number, and change your password. It used to be that financial institutions and email accounts relied on memorable names, dates, places etc. to recover forgotten-password accounts, but the ones I use have all moved over to using SMS messages with a code.
There have been many large-scale hacks where personal information that was not considered to be security sensitive, such as names, addresses and email addresses, was not encrypted, and these databases are for sale on the dark web. Phone company employees have been bribed to provide the information needed to SIM swap, and some phone company employees have been so lax with security issues that 'mystery shoppers' have persuaded them to transfer someone else's number to a SIM in their possession.

^ This
2FA is very much a good thing, but 2FA using insecure SMS text messages is no improvement over a simple username/password; in many ways it is worse.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Two Factor Authentication

#412461

Postby XFool » May 16th, 2021, 2:22 pm

Lanark wrote:
colin wrote:I am thinking of the situation where someone knows your email address and phone number. If they also know which phone company you are with, they exploit lax security to pretend that they are you and claim to have left the phone on a bus/dropped it in a river or whatever, then request that 'their' old number be transferred to a new SIM. So now your SIM is deactivated and your phone does not work at all. Now they type your email address into your mail provider's sign-in page, click on "forgot password", and if you have a phone number linked to the account they receive the passcode which allows them to reset your email password. They can also use the same technique to access some online brokerage accounts if they have the name and account number, and change your password. It used to be that financial institutions and email accounts relied on memorable names, dates, places etc. to recover forgotten-password accounts, but the ones I use have all moved over to using SMS messages with a code.
There have been many large-scale hacks where personal information that was not considered to be security sensitive, such as names, addresses and email addresses, was not encrypted, and these databases are for sale on the dark web. Phone company employees have been bribed to provide the information needed to SIM swap, and some phone company employees have been so lax with security issues that 'mystery shoppers' have persuaded them to transfer someone else's number to a SIM in their possession.

^ This
2FA is very much a good thing, but 2FA using insecure SMS text messages is no improvement over a simple username/password; in many ways it is worse.

There is another method, the reverse of the above.

At logon, instead of the service sending a PIN by phone to the service user to log on with, it is possible to display a random PIN on screen during logon. This PIN then needs to be confirmed by the user via a phone call from the service provider to the user's registered phone.

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Two Factor Authentication

#412499

Postby Lanark » May 16th, 2021, 4:33 pm

XFool wrote:
Lanark wrote:
colin wrote:I am thinking of the situation where someone knows your email address and phone number. If they also know which phone company you are with, they exploit lax security to pretend that they are you and claim to have left the phone on a bus/dropped it in a river or whatever, then request that 'their' old number be transferred to a new SIM. So now your SIM is deactivated and your phone does not work at all. Now they type your email address into your mail provider's sign-in page, click on "forgot password", and if you have a phone number linked to the account they receive the passcode which allows them to reset your email password. They can also use the same technique to access some online brokerage accounts if they have the name and account number, and change your password. It used to be that financial institutions and email accounts relied on memorable names, dates, places etc. to recover forgotten-password accounts, but the ones I use have all moved over to using SMS messages with a code.
There have been many large-scale hacks where personal information that was not considered to be security sensitive, such as names, addresses and email addresses, was not encrypted, and these databases are for sale on the dark web. Phone company employees have been bribed to provide the information needed to SIM swap, and some phone company employees have been so lax with security issues that 'mystery shoppers' have persuaded them to transfer someone else's number to a SIM in their possession.

^ This
2FA is very much a good thing, but 2FA using insecure SMS text messages is no improvement over a simple username/password; in many ways it is worse.

There is another method, the reverse of the above.

At logon, instead of the service sending a PIN by phone to the service user to log on with, it is possible to display a random PIN on screen during logon. This PIN then needs to be confirmed by the user via a phone call from the service provider to the user's registered phone.

That's still not secure, so would be vulnerable to a SIM swap.

There are lots of secure number generators, e.g. YubiKey etc. https://www.theverge.com/2019/2/22/1823 ... an-key-u2f
Or you can get phone apps which do the same thing.

I do find it rather depressing the number of financial institutions who have obviously got the message that 2FA is good, but then continue pushing SMS given all its known problems. Like, how many times do you need to be hacked before you just implement this stuff properly?

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Two Factor Authentication

#412504

Postby XFool » May 16th, 2021, 4:51 pm

Lanark wrote:
XFool wrote:There is another method, the reverse of the above.

At logon, instead of the service sending a PIN by phone to the service user to log on with, it is possible to display a random PIN on screen during logon. This PIN then needs to be confirmed by the user via a phone call from the service provider to the user's registered phone.

That's still not secure, so would be vulnerable to a SIM swap.

How would it be vulnerable to a SIM swap as described? The original SIM would be in the user's phone: which would not then be called if it was not the registered number. If a hacker wanted to swap a user's number registered with the service provider to them they'd have to log on in the first place to do that. It could only work if the hacker somehow had the same number. Falsely changing the user's phone number registered via the phone provider wouldn't help as it would not be the number the service provider would ring.

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Two Factor Authentication

#412506

Postby Lanark » May 16th, 2021, 4:56 pm

XFool wrote:It could only work if the hacker somehow had the same number.

That's how a SIM swap works: they contact Vodafone or whoever and get your phone number ported to their phone running a different SIM; they then get all your phone calls and SMS messages.
What they won't get is secure messages, e.g. iMessage, Signal etc.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Two Factor Authentication

#412507

Postby XFool » May 16th, 2021, 5:02 pm

Lanark wrote:
XFool wrote:It could only work if the hacker somehow had the same number.

That's how a SIM swap works: they contact Vodafone or whoever and get your phone number ported to their phone running a different SIM; they then get all your phone calls and SMS messages.
What they won't get is secure messages, e.g. iMessage, Signal etc.

I get that. My point is: how does that help here?

They get your phone calls - on their phone number. But THEY don't get the security call from the bank, or whoever, which will be to the user's original number, as registered with the bank via their account.

Of course, that is assuming the bank only allows changes to the registered number via the account, not via a 'new' phone number. Unless their security checking is superior to the phone provider's!

Or am I mistaking the relationship between User, SIM, phone and phone number? i.e. They could end up with the original phone number on another SIM without a security check? Think I'll stick with the landline number for this!

scottnsilky
Lemon Slice
Posts: 255
Joined: November 9th, 2016, 8:07 pm
Has thanked: 91 times
Been thanked: 53 times

Re: Two Factor Authentication

#412537

Postby scottnsilky » May 16th, 2021, 7:31 pm

Lootman wrote:
colin wrote: I was thinking of writing that no financial institution gave me the option of 2FA via a 2nd email

I know, this is starting to drive me nuts. Today I was somewhere with no phone signal and I tried to do an online transaction three times, with three different cards, and each one insisted on wanting to send a code to my phone.

It's also a problem in many places overseas where my UK phone won't work.

Just give me the option to have the code sent to my email!!!! If anyone knows a UK credit card that offers that, please let me know. They will instantly have all my business.


I'm pretty sure my Nationwide card will send me an email. I think I remember a transaction with HL doing just that.

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Two Factor Authentication

#412542

Postby Lanark » May 16th, 2021, 7:46 pm

XFool wrote:Or am I mistaking the relationship between User, SIM, phone and phone number? i.e. They could end up with the original phone number on another SIM without a security check? Think I'll stick with the landline number for this!

Yes, in a SIM card swap they steal your phone number, which is an additional pain if you are attached to the number.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Two Factor Authentication

#412563

Postby AF62 » May 16th, 2021, 10:29 pm

Lanark wrote:I do find it rather depressing the number of financial institutions who have obviously got the message that 2FA is good, but then continue pushing SMS given all its known problems. Like, how many times do you need to be hacked before you just implement this stuff properly?


Perhaps you could explain how you think it could be implemented “properly”, keeping in mind the vast diversity of the customer group you are dealing with.

Text 2FA isn't great, but on the upside it can actually be used by almost everyone.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Two Factor Authentication

#412670

Postby XFool » May 17th, 2021, 11:09 am

scottnsilky wrote:
Lootman wrote:I know, this is starting to drive me nuts. Today I was somewhere with no phone signal and I tried to do an online transaction three times, with three different cards, and each one insisted on wanting to send a code to my phone.

It's also a problem in many places overseas where my UK phone won't work.

Just give me the option to have the code sent to my email!!!! If anyone knows a UK credit card that offers that, please let me know. They will instantly have all my business.

I'm pretty sure my Nationwide card will send me an email. I think I remember a transaction with HL doing just that.

I would still like to know why Barclays bothered to send me (and presumably others) one of their PINsentry machines through the post, yet to date I see no prospect of ever having to use it with their credit card.

Anyone?

tjh290633
Lemon Half
Posts: 8208
Joined: November 4th, 2016, 11:20 am
Has thanked: 913 times
Been thanked: 4096 times

Re: Two Factor Authentication

#412776

Postby tjh290633 » May 17th, 2021, 5:09 pm

XFool wrote:I would still like to know why Barclays bothered to send me (and presumably others) one of their PINsentry machines through the post, yet to date I see no prospect of ever having to use it with their credit card.

Anyone?

I run an account with Barclays for a local group. I have a PINsentry which is fine for logging in. However, for trying to set up a new payee it fails every time. They have looked into it 3 times now, replaced the card and the PINsentry, all to no avail. It does not generate the code that their algorithm is expecting when you use "Respond".

My wife has a Nationwide account, and they use the "Sign" button for that purpose. Works perfectly. My Lloyds account works differently, using a text message code. Also works perfectly.

Barclays have, of course, closed their local branches.

TJH

