It's 2024, and this is the majority of 2FA in a nutshell:

Institution: I'm sending you a code I need you to put into this form.
Institution: Also don't give it to anyone.
Institution: Oh except me.
Institution: Oh except for these other codes which we'll send from the same shortcode but will never ask you for.
Institution: Don't get confused or hacked lol

#infosec #security

@josh

Institution: Also give me your phone number.
Institution: No, like, really, I won't let you continue without it.
Institution: Even though you already went through 2FA setup.
Institution: We need it for recovery purposes.
Institution: We definitely won't use it for marketing.
Institution: Oh, and by recovery we mean username, password and 2FA.
Institution: SMS is so secure.

@siguza @josh the institution is #Microsoft, isn't it?
@sassdawe @josh I actually think I got away without giving Microsoft my phone number... but this is definitely Twitch, Google, Apple, a few government services, and then some.
@sassdawe @siguza No, more like every bank ever. I don't know why banks love 2FA via SMS but not via security key or TOTP.

@siguza
@josh

Google: You did not login to this account for a long time. For security purposes, we need to make sure who you are: CAPTCHA: OK, alternate email address registered on the account: OK, and now give me your phone number (which was never set on the account). No, really, you are not "recovering" your account until you give me a phone number.

@mormegil @siguza Yeah, that one I don't like. I think it's designed to ensure it's a real human (if I'm right, it's a dumb test), and you're right, it's weird that doing that neither updates the phone number on that account nor really seems to serve any purpose whatsoever :/

@mormegil @josh

Apple: You've been inactive for 3 seconds. You need to log in again. Oh, that logging-in session has expired while you were logging in.

Google: To confirm your login, open this app on your phone where we can show you ads.

Microsoft: [incoherent eldritch screeching as the web server instructs an Xbox 360 to try and talk to Outlook via the Skype infrastructure for some fucking reason]

@josh

#infosec life

Start the day, log in to machine.

Log in to password manager

Log in to SSO provider with password manager. Verify with push notification to phone for 2FA for SSO.

Use bookmark in SSO provider to non-SSO SaaS service.

Use password manager to log into that service

Get email or SMS for 2FA for that service that doesn't support other 2FA methods

Biometric login to phone, again, which had locked for time out, to get code to type into browser

Your password has expired

@josh Institution: The code expires ten minutes from now even though our buggy software will probably only send it in about seven minutes after you got distracted and started doing something else. No you can't have another code within 24 hours, only a hacker would want that.

@josh Just the fact that no company makes any priority of registering their damn phone numbers is plenty to know they're not taking any of this seriously.

Giant companies with 10k consumer-facing calls a day, all from "Unknown Number", are still surprised that trust and customer responsiveness are declining.

@gooba42 It’s also still trivially easy to spoof. I get that there’s recourse if caught, but I could with my knowledge convince you that I’m the bank from caller id, or convince the bank that I’m you.

@josh All of the challenges are imposed on consumers because it's so much easier for a company to disavow responsibility than for a consumer to do so when bad actors are involved.

I now need to put a freeze on my credit because the companies that traded, hoarded and purchased my data created an enormous honeypot made of my data and none of them will be held responsible for the consequences.

@gooba42 Yep, same, and I'm walking my parents through a freeze too. It's fun because they're in their mid-70s and are in a stage of life where they don't know how to do anything and also don't want anyone else to do or know anything about their life/health/banking info, which makes the theoretical guessing game to get their freezes correctly in place insane.

Pretty sure I said last night in a text thread "well can you give me a fucking clue?" <-- this is the stage where I'm at in the guessing game of "don't let mom get hacked" lol

@josh one alternative is:

Institution: we use a shared 2FA provider or rolled our own, expect a code from one of 20000 different random numbers that may or may not be shared with your email provider, bank or doctor!

@finch Institution: Don't worry, we've shared them with your doctor, lawyer, housekeeper, babysitter, financial advisor, personal shopper, and parole officer.
Me: ... but I don't have a parole officer
Institution: heh not yet you don't, but you will...
Me: ...
@josh
Also
Institution: oh, and we're going to send them the absolute least secure way we can find.
@josh Also include the required use of either Cisco's Duo Security or Microsoft Authenticator. 💀