this post was submitted on 16 Jun 2023
21 points (100.0% liked)

top 16 comments
hey_frankie@aussie.zone 13 points 1 year ago (2 children)

I think the fault lies squarely in the hands of telcos. They're meant to send you an SMS or call you to confirm any port before it happens. If they're not following those rules they should be held liable.

On another note I wish banks and other financial institutions would provide other 2FA options in addition to SMS. It's just crazy that I have better security tech on my Steam account than my bank account.

GloomyBagel@aussie.zone 7 points 1 year ago (1 children)

but they call and pretend to be you and get the number ported to the SIM they have

check out the Hot Swaps episode of Darknet Diaries

a1studmuffin@aussie.zone 3 points 1 year ago* (last edited 1 year ago) (1 children)

But shouldn't part of that process involve verifying the customer on the phone is currently in possession of the number? i.e. sending a text with a code and having you read the code back to them. Perhaps they manage this by fooling the victim into giving them that info through some other method.

Edit: thanks for the podcast recommendation btw, subscribed and downloading now!

T156@lemmy.world 2 points 1 year ago (1 children)

They usually do the latter, by pretending to have lost their phone, and verifying through some other means, whether that be from the code, or questions.

a1studmuffin@aussie.zone 3 points 1 year ago

Yeah, I listened to the podcast recommended a few replies back. Great episode if you haven't listened already - it's hilarious how easily they can social engineer their way into accounts once they know the process:

https://darknetdiaries.com/episode/118/

a1studmuffin@aussie.zone 6 points 1 year ago

This has baffled me for years - why don't they allow MFA through Google Authenticator or equivalent? Especially when this has been a known security issue for so long. Aussie banks are really behind the times on this one.

DirigibleProtein@aussie.zone 8 points 1 year ago (1 children)

Of course it’s avoidable! Phone spoofing has been known to be a vulnerability for years, yet so many companies still insist on using SMS for 2FA “for security”. ffs, if you are concerned about security, use a proper TOTP or HOTP, or a hardware token.

Zagorath@aussie.zone 5 points 1 year ago

Hear, hear! SMS 2FA is absolutely better than not having any 2FA, but it's still pretty fucking bad. TOTP, or even better FIDO2, should be used as the default standard.

Sternhammer@aussie.zone 7 points 1 year ago

That's frightening.

Mr Lowe said there were some precautionary measures people could take, like taking their birthday off Facebook and limiting sharing of their personal mobile phone number.

"Don't put your physical address on things when you're buying things online, get a PO box," Mr Lowe recommended.

"When you're going to a website and entering your information, stop and think, 'What happens when this information gets leaked?'

One more thing you can do is, when given the option by a site or service, choose one-time passwords (OTP) for two-factor authentication instead of SMS.

surreptitiouswalk@aussie.zone 6 points 1 year ago (2 children)

It's funny in a sad way that 2FA was supposed to be real secure but like all other security, the human element is the biggest weak point, and the custodians of it (telcos) are asleep behind the wheel.

shirro@aussie.zone 4 points 1 year ago

2FA works. It is supposed to be something you know (password) and something you control (like a secure hardware key or app). The problem is people don't control their phone numbers, the telcos do.

Zagorath@aussie.zone 3 points 1 year ago (1 children)

It's worth noting that 2FA is still a security improvement. Using SMS for 2FA doesn't introduce any vulnerabilities compared to no 2FA. It's just not nearly as good as doing 2FA using a TOTP app or dongle. Or using hardware security tokens like FIDO2.

macrocephalic@lemmy.fmhy.ml 4 points 1 year ago (1 children)

Unless the "2FA" channel is what they use to verify password resets.

Zagorath@aussie.zone 3 points 1 year ago

Sure, but that's separate from 2FA and is pretty common even in places that don't offer any 2FA.

MiddleWeigh@lemmy.world 1 points 1 year ago

"Homo sapiens have outgrown their use"

Arcanus@lemmy.world 0 points 1 year ago