Puppy Linux Discussion Forum
All times are UTC - 4
Never use smartphone for two-factor authentication
belham2

Joined: 15 Aug 2016
Posts: 1362

Posted: Thu 04 May 2017, 07:29    Post subject: Never use smartphone for two-factor authentication

Hi all,

A few of us on here have been warning over the past years to never use your smartphone for two-factor authentication. Even for email via smartphone (i.e. for example, if you are using GMail, get a Yubikey instead of getting the possibly compromised 2fa text code from Google----this is something I've been endlessly repeating for 2 years now: get some Yubikeys and take 2 mins to set them up!). Anyhow, read this article and it should give you pause looking at your smartphone/cellphone:


" Security
After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
O2 in Germany confirms online thefts from sour krauts

3 May 2017 at 20:02, Iain Thomson

Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people's calls and text messages to miscreants' devices. Now we've seen the first case of crooks exploiting the design flaws to line their pockets with victims' cash.

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to........"



https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
perdido


Joined: 09 Dec 2013
Posts: 720
Location: ¿Altair IV , Just north of Eeyore Junction.?

Posted: Fri 05 May 2017, 12:13

I agree 100% with what you wrote. I would go so far as to recommend never use it for anything except communicating.

The "smartphone" is too smart. Most users do not care about security, most do not even know what security is.

I have an android, I use it for phone calls and texting only. I do not trust either Apple or Google with any personal info. No browser, no email, no music, no angry birds. Nada.

My carrier has my personal info, google no doubt archives the text messages, the state no doubt archives the phone calls.

I have never received an unwanted text message or any kind of advertisement on my android. I hate the thing and what it represents but it is a useful tool,

watchdog

Joined: 28 Sep 2012
Posts: 1497
Location: Italy

Posted: Fri 05 May 2017, 13:44

Will the banks refund the defrauded customers? Is SS7 the same protocol for GSM phones? Are GSM phones more or less secure than smartphones? I do not care about these security holes: there are many out there. Even the SWIFT and central bank of Bangladesh have been defrauded of much money. We must ask for a sure refund in case of fraud when the customer has not been "negligent".
prehistoric


Joined: 23 Oct 2007
Posts: 1692

Posted: Fri 05 May 2017, 14:39

This is no surprise to me. I have both Yubikeys and VIP tokens. Next problem, getting a bank or PayPal to admit they can support 2FA with a hardware token. Maybe someone can tell me why they refuse to support these measures when we know they have already used them earlier. Presumably, those earlier customers are now "grandfathered" in, but new customers are either out of luck, or need to pay for a business account to be reasonably secure. Security should not be an extra cost option.

A conspiracy theorist would suspect they actually like being able to blame a transaction on unknown criminals if they want to deny it. I suspect they are also padding bills with the cost of investigating possible fraudulent transactions. This is a huge business, and prosecutions are surprisingly rare. When it is not worth the effort to prosecute a $5000 fraud, as in one case I learned about, what is worth the effort?

Meanwhile, what are our national leaders doing about this important subject? Check on staff of U.S. Senators.