Posted by:
admin
15 years, 11 months ago
The core problem is that you are relying on the security of the carriers for the security of your system. Once you cede that control, you are at their mercy. And their idea of security might not be the same as yours. Consider this recent post at Consumerist about how easy it is to hijack a Sprint Account:
Remember, all I knew about this guy was his cellphone number, that he was in his 20's, and that he lived in DC. That's it. That's all it took to completely hijack his entire Sprint account.There are implications beyond Sprint. Any system that uses credit bureau information is potentially susceptible. Security people knew this because, after all, credit bureaus sell this information, but the implementation makes it much, much worse:
In the comments on this post, a former Sprint rep says it's even worse than we thought. They say that every question about cars has three luxury models and one typical one. He says that "none of the above" for "which properties have you owned" was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. I was shocked at the number of times I was able to access an account by simply guessing the answers," he writes. "Fortunately I am an ethical person, but if I wasn't I could've done a LOT of damage very easily."
Companies make security decisions based on acceptable rates of false positives versus false negatives. The bigger the user base, the lower the tolerance for false negatvies. A cell phone company with 10 million subscribers will have a very low tolerance for false negatives. Do you want the same tolerance for your two-factor authentication? It seems highly unlikely.
More on SMS authentication issues
Share on Twitter Share on FacebookRecent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)