this post was submitted on 20 Dec 2024
632 points (98.8% liked)

[–] [email protected] 16 points 2 days ago

Hollywood hacking has nothing on real hacking it seems.

[–] [email protected] 102 points 2 days ago (1 children)

NIST has been saying since 2016 not to use SMS for MFA. It's always been horribly insecure.

[–] [email protected] 67 points 2 days ago (8 children)

The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and won't implement TOTP so I can use a true MFA app. And I'm done with being forced to accept user policies I don't agree with to do shit, and most of all done with Google Play Services on my device 😑

[–] [email protected] 13 points 2 days ago (11 children)

This is the main reason I switched to Fidelity here in the US. It's a brokerage, but it does basic bank things, like checks, debit card, etc, and they support SymantecVIP, which works w/o Google Play Services. TOTP support really isn't that hard, I don't understand why banks are so slow in adopting it...

[–] [email protected] 4 points 2 days ago* (last edited 2 days ago) (3 children)

Thanks for this...I might be opening a Fidelity account....

[–] [email protected] 5 points 2 days ago (3 children)

Even Bank of America doesn't support MFA apps.

[–] [email protected] 21 points 2 days ago

Adding to this that my Canadian bank just updated their app and it doesn't work with my older phone. So my only option is to use online services with SMS/call verification.

It's such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.

[–] [email protected] 54 points 2 days ago* (last edited 2 days ago) (3 children)

Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.

Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)

We could have had twenty-four years of robust communications security developments if NSA didn't sell the public out like Judas.

[–] [email protected] 26 points 2 days ago (2 children)

of course it is. forced 2fa BY SMS OF ALL THINGS is one of the stupidest ideas

[–] [email protected] 10 points 2 days ago

Even stupider is supporting hardware keys for MFA, but having SMS fallback which can't be disabled (looking at you, Vanguard). I'd much rather have email as my second factor than SMS, and I literally abandoned a bank (Ally) for removing email as an alternative to SMS.

[–] [email protected] 14 points 2 days ago (1 children)

I assume businesses only jumped at the chance to enable SMS 2FA to get their greedy little fingers on our phone numbers.

[–] [email protected] 67 points 2 days ago (1 children)

Oh man it sure would be nice if the feds had the power to regulate something like this /s

[–] [email protected] 55 points 2 days ago (2 children)

They did. That's the reason for this hack, they wanted Lawful Interception, they got their backdoor. It's what professionals and privacy advocates said all along, if it exists it will be abused.

[–] [email protected] 9 points 2 days ago* (last edited 2 days ago)

This isn’t a hack in the way you’re thinking of, nor is it a product of government mandated interception, or a back door. The salt typhoon event you’re referring to is nothing more than the tip of the iceberg of a much bigger problem, which is abuse of the dated SS7 system we’ve known about for decades.

[–] [email protected] 7 points 2 days ago (2 children)

Do you have a source for this claim? I’d like to repeat it elsewhere…

[–] [email protected] 7 points 2 days ago (2 children)

It's essentially what the apple vs FBI encryption legal battle was about years ago:

https://en.m.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_dispute

I'm not really a fan of apple, but I was very happy they stood their ground on that one. They were absolutely right to do so.

[–] [email protected] 18 points 2 days ago (1 children)

I.e. this article from October: https://www.techradar.com/pro/chinese-hackers-allegedly-hit-us-wiretap-systems-to-hit-broadband-networks

In an all too predictable turn of events, Salt Typhoon, an infamous Chinese state actor, has reportedly hijacked government systems to breach several American broadband providers and gain access to the interception portals required by US law.

[–] [email protected] 9 points 2 days ago (1 children)

Thanks for bringing receipts. In stark contrast to my experience on Reddit, Lemmings usually seem allergic to showing their work for some reason.

[–] [email protected] 10 points 2 days ago

Yeah, I don't get it. I go out of my way to provide sources even before being asked.

What's really frustrating is when other users criticize me for providing evidence that could be used to counter my claim. I'm not trying to win arguments, I'm trying to show my work so others can correct me if I missed something. I'm here to learn and educate, in that order, yet so many only seem interested in engaging in discussion that jives w/ their existing opinions. That was a problem on Reddit too, but at least someone would chime in w/ sources much of the time.

[–] [email protected] 4 points 2 days ago (1 children)

I've been slowly hearing about this over the last week or so, and I couldn't tell if it was real news or just over exaggerated.

And everyone has been on and on about iPhone to Android RCS, but no word on if anything is being done to fix the vulnerability.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago) (2 children)

What vulnerability? I thought RCS is encrypted in transit

[–] [email protected] 0 points 2 days ago (1 children)

Article is about phone company being hacked, so there’s a good chance that even if we had non-proprietary encryption, they’d be able to read it

[–] [email protected] 3 points 2 days ago (1 children)

That's precisely what E2EE is supposed to prevent. If the phone company gets hacked, attackers can see all the traffic going through all of their towers, so if everything is encrypted before getting to the towers, they can't see the contents. IIRC, metadata like phone numbers can be read though, so they can see who you're talking to, but they can't see what you're saying.

The phone manufacturer, however, can see everything before it's encrypted and after it's decrypted.

[–] [email protected] 9 points 2 days ago (3 children)

RCS doesn't really do a whole lot of anything. It's a step up from SMS/MMS, but not by much.

All the features people think they mean when they're talking about RCS are proprietary Google extensions that only work if you go through Google's servers. They're basically exactly the same as Apple putting iMessage on top; Apple just brags about it while Google tries to trick you into thinking incompatibility is someone else's fault for not giving them control.

[–] [email protected] 3 points 2 days ago (2 children)

Usually I’ll defend Apple on this, but yes it’s a step up from SMS, and Apple is a big reason RCS hadn't been widely adopted as a replacement, and incremented to include more features.

I’m definitely on Google's side here: years of no one doing anything until “fine, I’ll take care of it myself”

[–] [email protected] 1 points 2 days ago* (last edited 2 days ago)

Why would you defend Apple? It's just a stupid form of lock-in, it was at the start, and it always will be.

If you want security, use an app that provides security. RCS does a little to protect against MITM attacks, unless that MITM is your OS vendor.

[–] [email protected] 2 points 2 days ago (1 children)

Apple didn't bother because it sucks. It's not an actual solution (or path to one) for messaging not to be a dumpster fire.

Google "did it itself" exclusively for control. It's exactly the same as their browser behavior.

[–] [email protected] 28 points 3 days ago* (last edited 3 days ago)

Thank god, give me my HMAC hash please.

Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.

[–] [email protected] 22 points 3 days ago (2 children)

I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn't think to, or look through the settings (not that you need to be "techy" to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can't just be stolen by anyone with their SIM card.

[–] [email protected] 5 points 2 days ago

Another thing is that even if you set a PIN, you'd still have to log into your account relatively regularly so that if you lose access to your number, you wouldn't lose an account. It's logical, given that numbers are reused... But that means that if you want to register without effectively tying your account to your ID (KYC when buying numbers is mandatory in a lot of the world, remember!), you'd have to pay for another phone bill (expensive given that the number's practically doing nothing!) or use a one-time rental... Which guess what, puts your account at constant risk!

[–] [email protected] 14 points 3 days ago (1 children)

I thought they abandoned SMS a couple years ago??

[–] [email protected] 22 points 3 days ago (1 children)

They abandoned letting you use the Signal app to send and receive SMS. You still need to get a code via SMS to activate your Signal account. I believe this is what they are referring to.

[–] [email protected] 7 points 2 days ago

Yep, I was referring to that. You can stick someone else's SIM in your phone and log into their Signal account if they've not set a Signal PIN. You don't see message history but new messages to that person will go to you.
