> These low-income people are not the targets of identity thieves, spear
> phishers, or data ransomers.

This is patently false. Low-income / disabled / minority / non-English speakers are absolutely targets of scams like those, and in significant numbers.

On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <[email protected]> wrote:

> Tom,
>
> Well, yes, not everyone can afford all technology options. That’s life.
> One has to wonder how someone who needs to protect online accounts cannot
> afford a $30 hardware token (which can be shared across several accounts).
> These low-income people are not the targets of identity thieves, spear
> phishers, or data ransomers. Unlike you, I AM arguing against something: SMS
> as a 2FA token. In this case I don’t think we have ignored low-income
> users, for the same reason that home alarm security aren't ignoring
> low-income users who can’t afford their products. It’s certainly no reason
> to hobble security for the rest of us.
>
> -mel
>
> On Apr 19, 2021, at 6:07 AM, Tom Beecher <[email protected]> wrote:
>
> HW tokens are great, sure.
>
> Except there is a lot of overlap in the Venn diagram between those who
> still use feature phones and those that spending $30 on said hardware token
> is financially obtrusive. ( Not to mention that every hardware token I can
> remember looking at requires an app to set themselves up in the first
> place, and if this is for the people who can't install apps, that's an
> interesting circular dependency. )
>
> I'm not arguing for or against anything here honestly. I'm just pointing
> out that we ( as in the technical community we ) have a tendency to put
> forward solutions that completely ignore what might be reasonably feasible
> for those of lower income, or parts of the world not as technologically
> developed as we might be in ourselves, and we should try to shrink that gap
> whenever possible, not make it worse.
>
> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <[email protected]> wrote:
>
>> Then they can buy a hardware token. Using SMS is provably insecure, and
>> for people being spear-phished (a much more common occurrence now that so
>> much net worth data has been breached), a huge risk
>>
>> -mel
>>
>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <[email protected]> wrote:
>>
>>> As far as I know, authenticators on cell phone apps don’t require the
>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>> any Internet or cellular connection
>>>
>>
>> Lots of people still use feature phones that are not capable of running
>> applications such as this.
>>
>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <[email protected]> wrote:
>>
>>> As far as I know, authenticators on cell phone apps don’t require the
>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>> any Internet or cellular connection. The authenticated system generates a
>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>> scanned by GA or can be entered manually and as a result, both the
>>> authenticated system and GA know the same secret key, and can compute the
>>> time-based 2nd factor OTP just as hardware tokens do.
>>>
>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>> expiration time: with HOTP, the OTP is valid until it has been used;
>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>> be wrong. But you can get accurate enough clock time without the Internet,
>>> either manually using some radio source such as WWV, or by GPS or cellular
>>> system synchronization.
>>>
>>> -mel
>>>
>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <[email protected]> wrote:
>>> >
>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>> >>
>>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>>> >> The telcos had years to secure SMS. They did nothing. The plethora of
>>> >> well-secured commercial 2FA authentication tokens, many of them free,
>>> >> should be a mandatory replacement for 2FA in every security governance
>>> >> regime, such as PCI, financial account access, government web portals, etc.
>>> >
>>> > While I agree that SMS is insecure at the moment, I think there still
>>> > needs to be a mechanism that does not rely on the presence of an Internet
>>> > connection. One may not be able to have access to the Internet for a number
>>> > of reasons (traveling, coverage, outage, device, money, etc.), and a
>>> > fallback needs to be available to authenticate.
>>> >
>>> > I know some companies have been pushing for voice authentication for
>>> > their services through a phone call, in lieu of SMS or DTMF-based PINs.
>>> >
>>> > We need something that works at the lowest common denominator as well,
>>> > because as available as the Internet is worldwide, it's not yet at a level
>>> > that one would consider "basic access".
>>> >
>>> > Mark.

