SECURITY: SMS should NOT be used for 2FA

*** begin quote ***

“The company that routes SMS for all major US carriers was hacked for five years. It isn’t revealing whether or not messages were exposed, but it’s just another reason not to use SMS for 2FA.”

*** end quote ***

So for the average layman, it means that if any service provider texts codes to your phone as a way of securing your account, they are at risk of a security breach.

I’ve begun communicating with the providers I use, putting them on notice that (1) they are using an insecure technology to secure my account; and (2) when do they plan to switch to a phone based authentication technology or something better.

Now, if they say they use GOOGLE or APPLE authenticator, you can point out that those too are insecure by design, since a hack of either high profile target will make you vulnerable.

Using the “home grown” authenticator (something written by the service provider like IDME) doesn’t have the transparency of the source code to assure security.

Any “home grown” authenticator, Google, or Apple authenticator does NOT separate the necessary sufficient controls for good Information Security.

Suggest you tell them to support AUTHY or other third party authenticators.  This is more secure because the “key” is only held by them and by you locally on your phone.

Or if they really want to protect you, they can give you a hardware token like YUBIKEY or a hardware authenticator like SECURE_ID.

—30—

TECHNOLOGY: Texting sucks

2021-Jul-23 2148

Texts have been really screwed up on the TMobile network.  All sorts of weird crap going on.  Texts to and from TMobile are just going into the bitbucket.

My workaround is just to use the damn phone as a voice call.

All communications protocols SHOULD BE authenticated and error-resistant!

Argh!

—30—

SOFTWARE: iMessage on the MAC OS X doesn’t report completely

Found a confusing “use case” with iMessage on the MAC OS X:

Sent two texts this morning, one worked and one failed repeatedly.

Figured out why it was failing, duh.

I text from the mac because I like the full keyboard. I text X and Y every morning and night. (“I’m alive … still!”)

This morning X’s went through to her iPhone as usual, but Y’s didn’t.

Then I realized iMessage uses the iPhone to text Y with SMS. And my iPhone was out of power. And, the MAC version of iMessage just reports: “not sent”.

Which technically is true, but it should say something like “no response from your iPhone, dummy”. Argh!

Strike one for a poor design. Or is that “a feature”?

Argh!

# – # – # – # – #