FBI warns against using text message based 2FA.
https://nypost.com/2024/12/19/tech/feds-issue-another-warning-about-texting-dangers-the-scary-reason-to-stop-using-two-factor-authentication-now
The temporary recommendation is that users switch their 2FA if possible
to encrypted apps (such as WhatsApp) or email-based 2FA. The text message-based 2FA is transmitted in plaintext, making them susceptible
to interception.
Now that the OSA 2023 has received Royal Assent, such encrypted apps are potentially under threat, and the app that is unencrypted (SMSes) is a threat.
It is conceivable that the original warnings against weakening
encryption, i.e. that it would in fact make users less safe, may well be correct.
What do you think?
On Sat, 21 Dec 2024 12:45:40 +0800, J Newman wrote:
FBI warns against using text message based 2FA.
https://nypost.com/2024/12/19/tech/feds-issue-another-warning-about-texting-dangers-the-scary-reason-to-stop-using-two-factor-authentication-now
The temporary recommendation is that users switch their 2FA if possible
to encrypted apps (such as WhatsApp) or email-based 2FA. The text
message-based 2FA is transmitted in plaintext, making them susceptible
to interception.
Now that the OSA 2023 has received Royal Assent, such encrypted apps are
potentially under threat, and the app that is unencrypted (SMSes) is a
threat.
It is conceivable that the original warnings against weakening
encryption, i.e. that it would in fact make users less safe, may well be
correct.
What do you think?
SMS has long been deprecated for grown up 2FA. This is nothing new.
On 22/12/2024 19:20, Max Demian wrote:
On 21/12/2024 10:32, Jethro_uk wrote:
On Sat, 21 Dec 2024 12:45:40 +0800, J Newman wrote:
FBI warns against using text message based 2FA.
https://nypost.com/2024/12/19/tech/feds-issue-another-warning-about-texting-dangers-the-scary-reason-to-stop-using-two-factor-authentication-now
The temporary recommendation is that users switch their 2FA if possible
to encrypted apps (such as WhatsApp) or email-based 2FA. The text
message-based 2FA is transmitted in plaintext, making them susceptible
to interception.
Now that the OSA 2023 has received Royal Assent, such encrypted apps are
potentially under threat, and the app that is unencrypted (SMSes) is a
threat.
It is conceivable that the original warnings against weakening
encryption, i.e. that it would in fact make users less safe, may well be
correct.
What do you think?
SMS has long been deprecated for grown up 2FA. This is nothing new.
What else is there (that everyone can be assumed to have access to)?
And why is "email-based 2FA" suggested? Emails aren't (by default)
encrypted, and senders can be spoofed.
Emails are encrypted in transit. SMSes are not.
The attack surface for a phone is generally much larger than that of a properly secured computer.
On 22/12/2024 19:20, Max Demian wrote:
On 21/12/2024 10:32, Jethro_uk wrote:
On Sat, 21 Dec 2024 12:45:40 +0800, J Newman wrote:
FBI warns against using text message based 2FA.
https://nypost.com/2024/12/19/tech/feds-issue-another-warning-about-texting-dangers-the-scary-reason-to-stop-using-two-factor-authentication-now
The temporary recommendation is that users switch their 2FA if
possible to encrypted apps (such as WhatsApp) or email-based 2FA. The
text message-based 2FA is transmitted in plaintext, making them
susceptible to interception.
Now that the OSA 2023 has received Royal Assent, such encrypted apps
are potentially under threat, and the app that is unencrypted (SMSes)
is a threat.
It is conceivable that the original warnings against weakening
encryption, i.e. that it would in fact make users less safe, may well
be correct.
What do you think?
SMS has long been deprecated for grown up 2FA. This is nothing new.
What else is there (that everyone can be assumed to have access to)?
And why is "email-based 2FA" suggested? Emails aren't (by default)
encrypted, and senders can be spoofed.
Emails are encrypted in transit. SMSes are not.
The attack surface for a phone is generally much larger than that of a properly secured computer.
On 21/12/2024 18:32, Jethro_uk wrote:
On Sat, 21 Dec 2024 12:45:40 +0800, J Newman wrote:
FBI warns against using text message based 2FA.
https://nypost.com/2024/12/19/tech/feds-issue-another-warning-about-texting-dangers-the-scary-reason-to-stop-using-two-factor-authentication-now
The temporary recommendation is that users switch their 2FA if
possible to encrypted apps (such as WhatsApp) or email-based 2FA. The
text message-based 2FA is transmitted in plaintext, making them
susceptible to interception.
Now that the OSA 2023 has received Royal Assent, such encrypted apps
are potentially under threat, and the app that is unencrypted (SMSes)
is a threat.
It is conceivable that the original warnings against weakening
encryption, i.e. that it would in fact make users less safe, may well
be correct.
What do you think?
SMS has long been deprecated for grown up 2FA. This is nothing new.
It is still being used by many banks, email services, etc.
My emails are not encrypted in transit.
Whose are?
Roger Hayter wrote:
My emails are not encrypted in transit.
You might be surprised, @portfast does support TLS
Whose are?
A lot of transit encryption happens opportunistically these days, a hell
of a lot of mail routes through google/microsoft for starters.
On 22 Dec 2024 at 17:35:15 GMT, "Andy Burns" <usenet@andyburns.uk> wrote:
Roger Hayter wrote:
My emails are not encrypted in transit.
You might be surprised, @portfast does support TLS
Whose are?
A lot of transit encryption happens opportunistically these days, a hell
of a lot of mail routes through google/microsoft for starters.
Much of my outgoing mail goes direct from home via smtp, and I haven't bothered to implement TLS on that. But even if encrypted on some hops it's available unencrypted on each server it passes.
On 23/12/2024 02:17, Jon Ribbens wrote:
On 2024-12-22, Roger Hayter <roger@hayter.org> wrote:
On 22 Dec 2024 at 17:35:15 GMT, "Andy Burns" <usenet@andyburns.uk> wrote:
Roger Hayter wrote:
My emails are not encrypted in transit.
You might be surprised, @portfast does support TLS
Whose are?
A lot of transit encryption happens opportunistically these days, a hell
of a lot of mail routes through google/microsoft for starters.
Much of my outgoing mail goes direct from home via smtp, and I haven't
bothered to implement TLS on that. But even if encrypted on some hops it's
available unencrypted on each server it passes.
Indeed. Which makes it *at best* the same as SMS rather than better than
SMS. Although we're ignoring the fact that almost all of the time it
won't verify who it is communicating with, so the encryption doesn't
actually mean what it should.
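Roger's and Jon's points (encryption on some hops but not others, and the servers in between seeing plaintext) can be checked on a real message: each relay prepends a Received: header whose "with" keyword says whether that hop used TLS (ESMTPS/ESMTPSA per RFC 3848). The following audit is an added example, not code from anyone in this thread; the message, hostnames and ids are constructed for illustration.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List

# Constructed sample: three hops, the middle one (home gateway -> recipient's MX)
# sent over plain ESMTP. Hostnames, addresses and ids are made up.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by inbox.example.org with ESMTPS id 7b1c9
    (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
    Sun, 22 Dec 2024 17:40:01 +0000
Received: from home-gateway.example.com (home-gateway.example.com [198.51.100.7])
    by mx.example.net with ESMTP id a2f44;
    Sun, 22 Dec 2024 17:39:58 +0000
Received: from laptop.local (unknown [192.0.2.5])
    by home-gateway.example.com with ESMTPSA id 1d0e2;
    Sun, 22 Dec 2024 17:39:55 +0000
From: alice@example.com
To: bob@example.org
Subject: test

body
"""

# "with" keywords whose S means the hop was TLS-protected (RFC 3848); the A suffix
# means the client authenticated, typical for the first MUA-to-submission hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


@dataclass
class Hop:
    from_host: str
    by_host: str
    protocol: str
    tls: bool
    tls_version: str  # from the receiving server's comment when present, else ""


def parse_received(value: str) -> Hop:
    """Parse one Received: value: the from/by/with clauses of RFC 5321, comments ignored."""
    flat = " ".join(value.split())                       # unfold the header
    version = re.search(r"version=(TLS[0-9.v]+)", flat)  # Postfix/Exim-style comment
    bare = re.sub(r"\([^()]*\)", "", flat)              # drop (comments) before reading clauses

    def clause(name: str) -> str:
        m = re.search(r"\b%s\s+([^\s;]+)" % name, bare)
        return m.group(1) if m else ""

    proto = clause("with").upper()
    return Hop(clause("from"), clause("by"), proto, proto in TLS_PROTOCOLS,
               version.group(1) if version else "")


def audit_hops(raw_message: str) -> List[Hop]:
    """Hops in the order the message travelled (each relay prepends, so reverse the list)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def plaintext_hops(hops: List[Hop]) -> List[Hop]:
    """Hops on which the message crossed the wire unencrypted."""
    return [h for h in hops if not h.tls]


if __name__ == "__main__":
    for h in audit_hops(SAMPLE_MESSAGE):
        print(f"{h.from_host} -> {h.by_host}: {h.protocol} "
              f"({'TLS ' + h.tls_version if h.tls else 'PLAINTEXT'})")
```

Note that even an ESMTPS hop only tells you the channel was encrypted, not that the sending server verified the receiver's certificate, which is Jon's second point; the header carries no evidence either way.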
Respectfully, you are mistaken.
SMS has long been deprecated for grown up 2FA. This is nothing new.
What else is there (that everyone can be assumed to have access to)?
And why is "email-based 2FA" suggested? Emails aren't (by default)
encrypted, and senders can be spoofed.
Emails are encrypted in transit. SMSes are not.
According to Max Demian <max_demian@bigfoot.com>:
SMS has long been deprecated for grown up 2FA. This is nothing new.
What else is there (that everyone can be assumed to have access to)?
TOTP, see my recent message
And why is "email-based 2FA" suggested? Emails aren't (by default)
encrypted, and senders can be spoofed.
a) People don't understand the threat model very well.
2) E-mail has different security issues, not necessarily better, but different.
Your mail provider can read your mail, but the connection between them
and the mail program on your PC or phone is encrypted unless you're
using a very old or misconfigured mail program.
Some people say that mail should be "end to end" encrypted, but in a
world where most people use webmail or an app managed by their mail
provider, I do not know where the "end" is and neither does anyone else.
On 22/12/2024 22:52, Jethro_uk wrote:
On Sun, 22 Dec 2024 21:06:45 +0800, J Newman wrote:
On 22/12/2024 19:20, Max Demian wrote:
And why is "email-based 2FA" suggested? Emails aren't (by default)
encrypted, and senders can be spoofed.
Emails are encrypted in transit. SMSes are not.
Generally emails in transit are *not* encrypted. They may be transmitted
over SSL/TLS but underneath they are plaintext.
TLS encrypts emails in transit between servers. They may be stored on
servers in plaintext but that's something else.
On 22/12/2024 21:13, John Levine wrote:
According to Max Demian <max_demian@bigfoot.com>:
SMS has long been deprecated for grown up 2FA. This is nothing new.
What else is there (that everyone can be assumed to have access to)?
TOTP, see my recent message
And why is "email-based 2FA" suggested? Emails aren't (by default)
encrypted, and senders can be spoofed.
a) People don't understand the threat model very well.
2) E-mail has different security issues, not necessarily better, but different.
Your mail provider can read your mail, but the connection between them
and the mail program on your PC or phone is encrypted unless you're
using a very old or misconfigured mail program.
Some people say that mail should be "end to end" encrypted, but in a
world where most people use webmail or an app managed by their mail
provider, I do not know where the "end" is and neither does anyone else.
The "ends" are the sender and the recipient.
Presumably webmail would be impossible if there is end to end encryption.
Maybe a mailing app could be encrypted all the way. I don't know if they
are.
On 2024-12-23 12:01, Max Demian wrote:
On 22/12/2024 21:13, John Levine wrote:
According to Max Demian <max_demian@bigfoot.com>:
SMS has long been deprecated for grown up 2FA. This is nothing new.
What else is there (that everyone can be assumed to have access to)?
TOTP, see my recent message
And why is "email-based 2FA" suggested? Emails aren't (by default)
encrypted, and senders can be spoofed.
a) People don't understand the threat model very well.
2) E-mail has different security issues, not necessarily better, but
different.
Your mail provider can read your mail, but the connection between them
and the mail program on your PC or phone is encrypted unless you're
using a very old or misconfigured mail program.
Some people say that mail should be "end to end" encrypted, but in a
world where most people use webmail or an app managed by their mail
provider, I do not know where the "end" is and neither does anyone
else.
The "ends" are the sender and the recipient.
Presumably webmail would be impossible if there is end to end
encryption.
There are browser extensions that work with webmail systems that can
enable PGP encryption on the body of the e-mail, I played with one a
little while back and proved it could communicate with PGP on
Thunderbird at the other end.
On Mon, 23 Dec 2024 12:24:12 +0000, nib wrote:
On 2024-12-23 12:01, Max Demian wrote:
On 22/12/2024 21:13, John Levine wrote:
Some people say that mail should be "end to end" encrypted, but in a
world where most people use webmail or an app managed by their mail
provider, I do not know where the "end" is and neither does anyone
else.
The "ends" are the sender and the recipient.
Presumably webmail would be impossible if there is end to end
encryption.
There are browser extensions that work with webmail systems that can
enable PGP encryption on the body of the e-mail, I played with one a
little while back and proved it could communicate with PGP on
Thunderbird at the other end.
I implemented one on a Windows Server 2008 Exchange setup. Total waste
of time as none of the recipients (IT departments in major insurers) had
a clue what to do.
It is the lack of any universal encryption for email (with its
associated ability to authenticate) that keeps most organisations'
dependence on POTS going. Allegedly.
On 23/12/2024 13:38, Jethro_uk wrote:
On Mon, 23 Dec 2024 12:24:12 +0000, nib wrote:
On 2024-12-23 12:01, Max Demian wrote:
On 22/12/2024 21:13, John Levine wrote:
Some people say that mail should be "end to end" encrypted, but in a
world where most people use webmail or an app managed by their mail
provider, I do not know where the "end" is and neither does anyone
else.
The "ends" are the sender and the recipient.
Presumably webmail would be impossible if there is end to end
encryption.
There are browser extensions that work with webmail systems that can
enable PGP encryption on the body of the e-mail, I played with one a
little while back and proved it could communicate with PGP on
Thunderbird at the other end.
I implemented one on a Windows Server 2008 Exchange setup. Total waste
of time as none of the recipients (IT departments in major insurers)
had a clue what to do.
It is the lack of any universal encryption for email (with its
associated ability to authenticate) that keeps most organisations'
dependence on POTS going. Allegedly.
PGP is conceptually hard to understand, and how can you reliably get
hold of other people's public keys?
On Mon, 23 Dec 2024 17:39:45 +0000, Max Demian wrote:
On 23/12/2024 13:38, Jethro_uk wrote:
On Mon, 23 Dec 2024 12:24:12 +0000, nib wrote:
On 2024-12-23 12:01, Max Demian wrote:
On 22/12/2024 21:13, John Levine wrote:
Some people say that mail should be "end to end" encrypted, but in a
world where most people use webmail or an app managed by their mail
provider, I do not know where the "end" is and neither does anyone
else.
The "ends" are the sender and the recipient.
Presumably webmail would be impossible if there is end to end
encryption.
There are browser extensions that work with webmail systems that can
enable PGP encryption on the body of the e-mail, I played with one a
little while back and proved it could communicate with PGP on
Thunderbird at the other end.
I implemented one on a Windows Server 2008 Exchange setup. Total waste
of time as none of the recipients (IT departments in major insurers)
had a clue what to do.
It is the lack of any universal encryption for email (with its
associated ability to authenticate) that keeps most organisations'
dependence on POTS going. Allegedly.
PGP is conceptually hard to understand, and how can you reliably get
hold of other people's public keys?
The clue is in the name "public"
Jethro_uk <jethro_uk@hotmailbin.com> wrote:
[quoted text muted]
If you have one of the keys of an asymmetric cryptography key pair, how
do you know who has access to the other key of the pair? Calling one ‘public’
and the other ‘secret’ does not in itself make them conform to those labels. Even if the counterpart to the one you have is closely guarded
and known only to one person, how do you know who they are?
On Mon, 23 Dec 2024 17:39:45 +0000, Max Demian wrote:
On 23/12/2024 13:38, Jethro_uk wrote:
It is the lack of any universal encryption for email (with its
associated ability to authenticate) that keeps most organisations'
dependence on POTS going. Allegedly.
PGP is conceptually hard to understand, and how can you reliably get
hold of other people's public keys?
The clue is in the name "public"
On 23/12/2024 18:18, Jethro_uk wrote:
On Mon, 23 Dec 2024 17:39:45 +0000, Max Demian wrote:
On 23/12/2024 13:38, Jethro_uk wrote:
It is the lack of any universal encryption for email (with its
associated ability to authenticate) that keeps most organisations'
dependence on POTS going. Allegedly.
PGP is conceptually hard to understand, and how can you reliably get
hold of other people's public keys?
The clue is in the name "public"
How do I know it's *your* public key, and not that of an imposter? If I
know you personally, you could hand it to me on a USB stick, or put it
on a website and hand me a scribbled note with the URL of the site.
If we've only communicated by email, how do I know that an email I
receive containing the key is really from you? It's easy enough to
change the "From" line of an email.
On Tue, 24 Dec 2024 10:38:56 +0000, Max Demian wrote:
On 23/12/2024 18:18, Jethro_uk wrote:
On Mon, 23 Dec 2024 17:39:45 +0000, Max Demian wrote:
On 23/12/2024 13:38, Jethro_uk wrote:
It is the lack of any universal encryption for email (with its
associated ability to authenticate) that keeps most organisations'
dependence on POTS going. Allegedly.
PGP is conceptually hard to understand, and how can you reliably get
hold of other people's public keys?
The clue is in the name "public"
How do I know it's *your* public key, and not that of an imposter? If I
know you personally, you could hand it to me on a USB stick, or put it
on a website and hand me a scribbled note with the URL of the site.
If we've only communicated by email, how do I know that an email I
receive containing the key is really from you? It's easy enough to
change the "From" line of an email.
Well quite.
However MD5 hashes are used to guarantee the provenance of software in various forms on the internet. And you could apply the same challenges to that.
There are ways to verify a public key belongs to the person claiming it,
by the way. Although I admit they increase complexity. However it is
Pretty Good Privacy, not Pretty Simple Privacy ....
On Mon, 23 Dec 2024 22:01:47 +0000, Owen Rees wrote:
Jethro_uk <jethro_uk@hotmailbin.com> wrote:
[quoted text muted]
If you have one of the keys of an asymmetric cryptography key pair, how
do you know who has access to the other key of the pair? Calling one
‘public’
and the other ‘secret’ does not in itself make them conform to those
labels. Even if the counterpart to the one you have is closely guarded
and known only to one person, how do you know who they are?
All of which applies to phone calls, SMS and indeed written
correspondence.
On Tue, 24 Dec 2024 10:36:56 -0000 (UTC), Jethro_uk <jethro_uk@hotmailbin.com> wrote in <vke2s8$m2hq$11@dont-email.me>:
On Mon, 23 Dec 2024 22:01:47 +0000, Owen Rees wrote:
Jethro_uk <jethro_uk@hotmailbin.com> wrote:
[quoted text muted]
If you have one of the keys of an asymmetric cryptography key pair,
how do you know who has access to the other key of the pair? Calling
one ‘public’ and the other ‘secret’ does not in itself make them
conform to those labels. Even if the counterpart to the one you have
is closely guarded and known only to one person, how do you know who
they are?
All of which applies to phone calls, SMS and indeed written
correspondence.
You seem to be suggesting that using asymmetric cryptography is little
better than sending messages in cleartext.
On Sat, 28 Dec 2024 15:01:54 +0000, Owen Rees wrote:
On Tue, 24 Dec 2024 10:36:56 -0000 (UTC), Jethro_uk
<jethro_uk@hotmailbin.com> wrote in <vke2s8$m2hq$11@dont-email.me>:
On Mon, 23 Dec 2024 22:01:47 +0000, Owen Rees wrote:
Jethro_uk <jethro_uk@hotmailbin.com> wrote:
[quoted text muted]
If you have one of the keys of an asymmetric cryptography key pair,
how do you know who has access to the other key of the pair? Calling
one ‘public’ and the other ‘secret’ does not in itself make them
conform to those labels. Even if the counterpart to the one you have
is closely guarded and known only to one person, how do you know who
they are?
All of which applies to phone calls, SMS and indeed written
correspondence.
You seem to be suggesting that using asymmetric cryptography is little
better than sending messages in cleartext.
No. I am stating that the problem of verifying you are using the correct
key for the person you wish to securely communicate doesn't just go away
when you find a better method. A fact a lot of rather dim criminals will
have discovered when they were convicted because it turned out their
messages were going direct to Plod Central.
All of which being said, having a system where you can openly publish your
key and invite others to use it to send you messages does seem quite
robust if you are 100% sure the key you are using belongs to the person
you are messaging. And asymmetric encryption does allow for a sender to
be verified in the first place if you want to verify the key's provenance.
They've called me on my mobile, which I've answered using my name. They
ask me if I am the person they were trying to call, thereby telling me
the name of the person for whom they are looking if I didn't know it,
and then send a four-digit PIN to a phone they already know I have in
my possession and control because I've just answered a call on it. How
is that supposed to make me feel secure or verify anything? At best it
is a tick box exercise, at worst it is security theatre or no practical
use and a waste of everyone's time.
On 21/12/2024 04:45, J Newman wrote:
FBI warns against using text message based 2FA.
https://nypost.com/2024/12/19/tech/feds-issue-another-warning-about-texting-dangers-the-scary-reason-to-stop-using-two-factor-authentication-now
The temporary recommendation is that users switch their 2FA if possible
to encrypted apps (such as WhatsApp) or email-based 2FA. The text
message-based 2FA is transmitted in plaintext, making them susceptible
to interception.
Now that the OSA 2023 has received Royal Assent, such encrypted apps
are potentially under threat, and the app that is unencrypted (SMSes)
is a threat.
It is conceivable that the original warnings against weakening
encryption, i.e. that it would in fact make users less safe, may well
be correct.
What do you think?
I think the article is click bait and of little, if any, practical
benefit.
My preferred 2FA is an authenticator app as I can use it wherever I am
as not all locations have brilliant mobile coverage (to receive an SMS)
or 4/5G coverage to receive e-mail / WhatsApp - something not everyone
seems to appreciate.
But an authenticator app works without being permanently connected to
the network and should be, IMO, the default option proffered.