Don't give your phone number to Facebook. Or Google. Or Microsoft. Or Apple. OR...

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
Lots of websites have started asking for your phone number so they can text you a PIN as a security measure when logging in. There are a bunch of reasons not to do this. For starters, the value of keeping your phone number secure often outweighs the value of the account you're protecting. And tying many different accounts to one 2-factor token (the same phone) is idiotic by most standards. Moreover, the phone isn't an effective 2-factor token and can be spoofed by hackers.

Thankfully NIST is on the case and is finally moving on the issue.

Short story, though: When some Internet site keeps popping up a screen saying "You're almost done! Tell us your phone number to help secure your account!", you should ignore it; it's primarily a marketing ploy that's not going to actually make things more secure. Never disclose your phone number to someone you don't want calling you.
 
Dec 21, 2015
1,410
That's great, but my company's Google For Work requires SMS verification every 30 days as a matter of security policy.

It's as embedded a stupid practice as the CVVs on credit cards. "they've already stolen a 16-digit account number, 4-digit exp date and 5-digit billing zip, but this 3 digit code, there's no way they'd ever get that by packet snooping!"
 

amarshal2

Member
SoSH Member
Oct 25, 2005
4,913
If it's Google for Work you should be able to use the Google app instead of an email or SMS.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
Yeah, the app both protects your phone number and has some other safeguards built in. Much better solution.
 

djbayko

Member
SoSH Member
Jul 18, 2005
25,897
Los Angeles, CA
That's great, but my company's Google For Work requires SMS verification every 30 days as a matter of security policy.

It's as embedded a stupid practice as the CVVs on credit cards. "they've already stolen a 16-digit account number, 4-digit exp date and 5-digit billing zip, but this 3 digit code, there's no way they'd ever get that by packet snooping!"
You're correct that the CVV isn't foolproof, but it does help curb credit card fraud. Most scammers aren't going to be sophisticated enough to use your method. The CVV is not contained in the magnetic stripe, so full CC info cannot be obtained through skimmers only and requires people to take an additional risk of viewing and noting the CVV on the physical card. Also, merchants are not allowed to store the CVV, so if a database of CC info is compromised, the information is less valuable. Of course, not all merchants require CVV for "card not present" transactions, so that's another loophole.
 

soxfan121

JAG
Lifetime Member
SoSH Member
Dec 22, 2002
23,043
Lots of websites have started asking for your phone number so they can text you a PIN as a security measure when logging in. There are a bunch of reasons not to do this. For starters, the value of keeping your phone number secure often outweighs the value of the account you're protecting. And tying many different accounts to one 2-factor token (the same phone) is idiotic by most standards. Moreover, the phone isn't an effective 2-factor token and can be spoofed by hackers.

Thankfully NIST is on the case and is finally moving on the issue.

Short story, though: When some Internet site keeps popping up a screen saying "You're almost done! Tell us your phone number to help secure your account!", you should ignore it; it's primarily a marketing ploy that's not going to actually make things more secure. Never disclose your phone number to someone you don't want calling you.
File this under: Things I wish you told me before Nip asked for my phone number.
 

Red Sox Physicist

Well-Known Member
Gold Supporter
SoSH Member
Jul 15, 2005
296
Natick, MA
Wait, two-step authentication is required for many sites (financial ones mainly). What is the alternative?
NIST is just banning the use of SMS as the out-of-band verification method. They recommend using hardware or software tokens instead like RSA SecurID, Time-based One-time Password Algorithm (TOTP) or HMAC-based One-time Password Algorithm (HOTP). Google Authenticator uses TOTP and HOTP.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
NIST is just banning the use of SMS as the out-of-band verification method. They recommend using hardware or software tokens instead like RSA SecurID, Time-based One-time Password Algorithm (TOTP) or HMAC-based One-time Password Algorithm (HOTP). Google Authenticator uses TOTP and HOTP.
Yeah. The whole point is that using SMS is a terribly insecure method of doing two-factor authentication; it never should have been used in the first place.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
I mean, it's not less secure than password-only. But it shouldn't really be classified as two-factor in any meaningful sense, and it's often an excuse to get you to cough up your phone number (moreso at social media sites; financial sites usually have real-world contact info already anyway, for legal reasons).
 

uncannymanny

Member
SoSH Member
Jan 12, 2007
9,081
With the phones we have now, something like Duo (which I believe is TOTP?) is not only better than SMS, it's easier to authenticate with (pressing "approve" v having to read/enter a code in a form).

Takes me less time to get into my work VPN than my personal Gmail.
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,204
I'm going to go ahead and disagree with Sumner and say that if it's an account that you care about (financial, primary personal e-mail, major social media like Twitter and Facebook) that you should absolutely enable SMS, if there's no other alternative to a second factor authentication. Google Authenticator is the best option for any service that offers it.

There are a few different ways that your SMS can be compromised. The most common is going to be by hacking or socially engineering your cell phone provider. (Make sure that you've got whatever security options available enabled by your carrier.) Once they can make changes to your account, whether via browser or by calling into a call center, they can change the SIM or ESN associated with your account to send SMS to another device. There are some pieces of mobile malware (mainly on Android, requiring the user to turn off protection around 3rd-party or non-signed applications) which will intercept SMS based on the sending number, forward it and delete it without a notification. I've got a copy of the iBanking Android malware and the command & control server, and while it's fun to play with, it's a lot less common than the previous method. There is a physical device that can intercept SMS messages, but it requires both expensive (and illegal) equipment plus proximity to the user. For the sake of this conversation, let's assume that you're not a nation-state target, or that if you are, your more sensitive information is already protected by something more secure than SMS.

The problem with not using SMS when offered is that you're otherwise left to fall back on either security questions or e-mail as both your step up authentication or, more importantly, for account recovery. How many of your accounts are tied back to your e-mail? If your e-mail is compromised, an attacker has access to every one of those accounts as well if you don't have additional recovery options configured. If your Facebook or Twitter are compromised, then there's a very direct line of access to your personal contacts under your identity.

Websites are generally embarrassingly (and often negligently) slow to implement security controls, and it's likely going to be a significant period of time until every site is following best practices. They are by no means required to follow NIST 800 standards either. The FFIEC guidance that dictates security to your financial accounts is designed around user experience more than it is around perfect security. (Most of you would switch banks to one with less security, when given an option of the former.) If you're going to spite your security by "keeping your phone number secure", then you're going to open yourself up to a lot more risk.

Oh and we should probably also note that your authentication into SoSH is completely insecure and if you're using a password on SoSH that you're using on any other website then you should go ahead and change all of those accounts immediately.
 

JimBoSox9

will you be my friend?
SoSH Member
Nov 1, 2005
16,667
Mid-surburbia
There will never be a time where every site is following best practices. The rate of BP change is slower than the rate of implementation change, at median.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,900
Alexandria, VA
I'm going to go ahead and disagree with Sumner and say that if it's an account that you care about (financial, primary personal e-mail, major social media like Twitter and Facebook) that you should absolutely enable SMS, if there's no other alternative to a second factor authentication. Google Authenticator is the best option for any service that offers it.
The insecurity is only half of the calculus--as I said in my first post, the value of your phone number is pretty often greater than the value of the account you're protecting. Even if it were totally secure, there's no way in hell that I'd give Facebook, Google, or Twitter my real phone number, both out of annoyance (spam/marketing crap) and privacy (linking the account to other databases) concerns. It's like shelling out $100 for a lock on a box that has $20 worth of stuff in it. Places like Facebook know this and use the two-factor bogeyman as a means of getting even more personal info they can monetize.

For a bank, sure. Not only is the value there higher, but they've already got real contact info and have a legitimate reason to have it (though I'd greatly prefer real two-factor).
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,204
And I'm arguing that you've got the calculus wrong. I'll absolutely grant you privacy concerns, but compared with all the other places where your phone number is already in a database I think you may be overblowing that. I've never had a single spam or marketing phone call or SMS from any of the three companies that you mention or Microsoft or Apple. These major corporations have far more profitable things to do than get into issues around the CAN-SPAM Act that could ensue. I also think that you're undervaluing your account if compromised. Attackers would much rather have access to that than your phone number. Think of all the opportunities to send links with drive-by downloads, attachments, etc. to your trusted contacts. Social media is one of the primary ways these spread and it's often due to requiring only passwords without any step-up authentication.
 

crystalline

Member
SoSH Member
Oct 12, 2009
5,771
JP
That's great, but my company's Google For Work requires SMS verification every 30 days as a matter of security policy.

It's as embedded a stupid practice as the CVVs on credit cards. "they've already stolen a 16-digit account number, 4-digit exp date and 5-digit billing zip, but this 3 digit code, there's no way they'd ever get that by packet snooping!"
Related - is there any large CC issuer that will give you disposable card numbers for online purchases? For example, to be used with MLB.TV and their obnoxious auto-renew policy?
 
Dec 21, 2015
1,410
I don't know of one (a major issuer, anyway), but I've been of the opinion for some time that one-time-use numbers (which are only linked to your 'real' account number at the issuer's gateway) are the future of meaningful fraud prevention in payments, and EMV is merely window-dressing at best, a Potemkin village at worst. So if you learn of one - and frankly, Mastercard's partner banks will probably be the first to do so - I'd be very interested to learn it.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,272
I used to love that on the MBNA card. I used it all the time. I ditched them when BoA bought them, but I'd love to have that feature back.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,272
And I'm arguing that you've got the calculus wrong. I'll absolutely grant you privacy concerns, but compared with all the other places where your phone number is already in a database I think you may be overblowing that. I've never had a single spam or marketing phone call or SMS from any of the three companies that you mention or Microsoft or Apple. These major corporations have far more profitable things to do than get into issues around the CAN-SPAM Act that could ensue. I also think that you're undervaluing your account if compromised. Attackers would much rather have access to that than your phone number. Think of all the opportunities to send links with drive-by downloads, attachments, etc. to your trusted contacts. Social media is one of the primary ways these spread and it's often due to requiring only passwords without any step-up authentication.
This is where I'm at. I have one phone, my cell, and have used it for everything. I get maybe 1 call a month that's a robo/solicitor. I can't remember the last time I got a text that was from a spam site or something from marketing.

My phone number is all over the place, including every email I send from work.
 

Hambone

will post for drinks
SoSH Member
Jul 15, 2005
2,822
I don't know of one (a major issuer, anyway), but I've been of the opinion for some time that one-time-use numbers (which are only linked to your 'real' account number at the issuer's gateway) are the future of meaningful fraud prevention in payments, and EMV is merely window-dressing at best, a Potemkin village at worst. So if you learn of one - and frankly, Mastercard's partner banks will probably be the first to do so - I'd be very interested to learn it.
Why do you think MasterCard will be first? Just curious since Visa has been pushing their tokenization service to all the banks the last couple of years. Apple pushed hard for more tokenization and one time use numbers with ApplePay to the point they were fairly pissed when they learned the payment ecosystem wasn't at a point it could handle it yet. There are so many legacy systems and networks that I think we're still a few years out from doing that outside of niche markets.
 
Dec 21, 2015
1,410
MasterCard has been way more willing the last few years to try shit that V/AX/D would consider crazy - like selling transaction-level data from their network, not worrying about whether issuers (who own the customer relationship, of course) gave the OK, and adopting an "ask forgiveness not permission" approach. Given their financial performance, my bet is, new high-margin lines of business have a higher priority with them than even compliance risks. They're also doing a lot with Paydiant, who would probably be the ones to operationalize a pilot with a real issuer (likely internationally, for the reasons you said). Discover would be my 2nd bet - they've been making a real BD push on data services lately, and their technical debt, while awful, is like an order of magnitude less bad than the others. But yeah, the legacy systems and house-of-cards nature of all the applications depending on the ancient core systems are the real problem, which is why my bet would be against Visa or Amex.

If we want to geek out any more over payment networks, though, we should probably get our own thread.
 

DrBlinky

Member
SoSH Member
Jun 18, 2002
825
Cranston, RI
The BoA process is called ShopSafe and is accessed through the online banking site. Just specify the card limit and the number of months you want it to be valid. I haven't yet run into an issue using it.