Hi,

I just made a payment using Paypal, and it asked to confirm my identity
using WhatsApp, sending a sis digit confirmation code to it. :-)

SMS was also possible.

I chose WA this time :-)

--
Cheers,
Carlos E.R.

On 08.11.23 22:57, Carlos E. R. wrote:
> Hi,
>
> I just made a payment using Paypal, and it asked to confirm my identity
> using WhatsApp, sending a sis digit confirmation code to it. :-)
>
> SMS was also possible.
>
> I chose WA this time :-)

WTF cares?

--
De gustibus non est disputandum

On 09.11.23 01:50, Jörg Lorenz wrote:
> On 08.11.23 22:57, Carlos E. R. wrote:
>> Hi,
>>
>> I just made a payment using Paypal, and it asked to confirm my identity
>> using WhatsApp, sending a sis digit confirmation code to it. :-)
>>
>> SMS was also possible.
>>
>> I chose WA this time :-)
>
> WTF cares?

And totally *OT*.

--
De gustibus non est disputandum

On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
>Hi,
>
>I just made a payment using Paypal, and it asked to confirm my identity
>using WhatsApp, sending a six digit confirmation code to it. :-)
>
>SMS was also possible.
>

I can see why Meta would encourage that. And in soon...
"WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
<https://m.slashdot.org/story/419088>

But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
SMS and email which is about as insecure as you get. And it doesn't ask
which I prefer. (I'd prefer an OTP authenticator app but no financial
company I know offers it.)
--
(Remove numerics from email address)

On 2023-11-09 10:21, Dave Royal wrote:
> On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
>> Hi,
>>
>> I just made a payment using Paypal, and it asked to confirm my identity
>> using WhatsApp, sending a six digit confirmation code to it. :-)
>>
>> SMS was also possible.
>>
>
> I can see why Meta would encourage that. And in soon...
> "WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
> <https://m.slashdot.org/story/419088>
>
> But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
> SMS and email which is about as insecure as you get. And it doesn't ask
> which I prefer. (I'd prefer an OTP authenticator app but no financial
> company I know offers it.)

I use one bank which uses confirmation via sms, and another via its own
bank app. Push messages I think they said. Is that OTP?

--
Cheers,
Carlos E.R.

On 09.11.23 11:39, Carlos E. R. wrote:
> On 2023-11-09 10:21, Dave Royal wrote:
>> On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
>>> Hi,
>>>
>>> I just made a payment using Paypal, and it asked to confirm my identity
>>> using WhatsApp, sending a six digit confirmation code to it. :-)
>>>
>>> SMS was also possible.
>>>
>>
>> I can see why Meta would encourage that. And in soon...
>> "WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
>> <https://m.slashdot.org/story/419088>
>>
>> But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
>> SMS and email which is about as insecure as you get. And it doesn't ask
>> which I prefer. (I'd prefer an OTP authenticator app but no financial
>> company I know offers it.)
>
> I use one bank which uses confirmation via sms, and another via its own
> bank app. Push messages I think they said. Is that OTP?

Both highly insecure. Good banks use their own app that recognises
patterns that generate numeric codes.

--
De gustibus non est disputandum

On 2023-11-09 12:41, Jörg Lorenz wrote:
> On 09.11.23 11:39, Carlos E. R. wrote:
>> On 2023-11-09 10:21, Dave Royal wrote:
>>> On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
>>>> Hi,
>>>>
>>>> I just made a payment using Paypal, and it asked to confirm my identity
>>>> using WhatsApp, sending a six digit confirmation code to it. :-)
>>>>
>>>> SMS was also possible.
>>>>
>>>
>>> I can see why Meta would encourage that. And in soon...
>>> "WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
>>> <https://m.slashdot.org/story/419088>
>>>
>>> But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
>>> SMS and email which is about as insecure as you get. And it doesn't ask
>>> which I prefer. (I'd prefer an OTP authenticator app but no financial
>>> company I know offers it.)
>>
>> I use one bank which uses confirmation via sms, and another via its own
>> bank app. Push messages I think they said. Is that OTP?
>
> Both highly insecure. Good banks use their own app that recognises
> patterns that generate numeric codes.
>

That's what I said, using their own app displaying a numeric code send
over their encrypted and secure channel.

--
Cheers,
Carlos E.R.

On 9 Nov 2023 11:39:49 +0100 Carlos E. R. wrote:
>On 2023-11-09 10:21, Dave Royal wrote:
>> On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
>>> Hi,
>>>
>>> I just made a payment using Paypal, and it asked to confirm my identity
>>> using WhatsApp, sending a six digit confirmation code to it. :-)
>>>
>>> SMS was also possible.
>>>
>>
>> I can see why Meta would encourage that. And in soon...
>> "WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
>> <https://m.slashdot.org/story/419088>
>>
>> But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
>> SMS and email which is about as insecure as you get. And it doesn't ask
>> which I prefer. (I'd prefer an OTP authenticator app but no financial
>> company I know offers it.)
>
>I use one bank which uses confirmation via sms, and another via its own
>bank app. Push messages I think they said. Is that OTP?
>
OTP: One Time Passcode
Some bank apps generate OTPs
My bank gives me a tiny device that generates an OTP, but it's being
replaced by an app.

But it doesn't have to be the bank's own app or device. There are
standards, such as TOTP - where the code constantly changes.
<https://en.m.wikipedia.org/wiki/One-time_password#Standardization>

I use Open Source TOTP apps AndOTP on Android (and FreeOTP on iOS) for 2FA
with some sites - eg github. I think Authy and Google Authenticator are
also TOTP generators - not sure.

--
(Remove numerics from email address)

On 2023-11-09 13:36, Dave Royal wrote:
> On 9 Nov 2023 11:39:49 +0100 Carlos E. R. wrote:
>> On 2023-11-09 10:21, Dave Royal wrote:
>>> On 8 Nov 2023 22:57:10 +0100 Carlos E. R. wrote:
>>>> Hi,
>>>>
>>>> I just made a payment using Paypal, and it asked to confirm my identity
>>>> using WhatsApp, sending a six digit confirmation code to it. :-)
>>>>
>>>> SMS was also possible.
>>>>
>>>
>>> I can see why Meta would encourage that. And in soon...
>>> "WhatsApp Explores Ads in Chat App as Meta Seeks Revenue Boost"
>>> <https://m.slashdot.org/story/419088>
>>>
>>> But maybe the e2e encryption is worthwhile. Amex sends 2FA codes by _both_
>>> SMS and email which is about as insecure as you get. And it doesn't ask
>>> which I prefer. (I'd prefer an OTP authenticator app but no financial
>>> company I know offers it.)
>>
>> I use one bank which uses confirmation via sms, and another via its own
>> bank app. Push messages I think they said. Is that OTP?
>>
> OTP: One Time Passcode

Ah, of course. I forgot.

> Some bank apps generate OTPs
> My bank gives me a tiny device that generates an OTP, but it's being
> replaced by an app.

No, I don't have that. Just that they send a code to the app, and you
have to enter that code on the computer.

>
> But it doesn't have to be the bank's own app or device. There are
> standards, such as TOTP - where the code constantly changes.
> <https://en.m.wikipedia.org/wiki/One-time_password#Standardization>
>
> I use Open Source TOTP apps AndOTP on Android (and FreeOTP on iOS) for 2FA
> with some sites - eg github. I think Authy and Google Authenticator are
> also TOTP generators - not sure.

I had one such hardware device at the job once. Year 2000.

--
Cheers,
Carlos E.R.

Dave Royal<dave@dave123royal.com> wrote:
> Amex sends 2FA codes by _both_
> SMS and email which is about as insecure as you get. And it doesn't
ask
> which I prefer.

My Android AMEX app gives me a 2FA CHOICE between text, email, or a
voice phone call. You might recheck yours, perhaps it's changed...

Just stuck my old Android Groundhog newsreader on an old Amazon
tablet. First post. Newer tablets break it into read only. So lets
see his this one does...

On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>Dave Royal<dave@dave123royal.com> wrote:
>> Amex sends 2FA codes by _both_
>> SMS and email which is about as insecure as you get. And it doesn't
>ask
>> which I prefer.
>
>My Android AMEX app gives me a 2FA CHOICE between text, email, or a
>voice phone call. You might recheck yours, perhaps it's changed...

I don't use an Amex app - this is with their website.
--
(Remove numerics from email address)

AJL <noemail@none.com> wrote:
> Dave Royal wrote:

> > Amex sends 2FA codes by _both_
> > SMS and email which is about as
>> insecure as you get. And it doesn't
> ask which I prefer.

> My Android AMEX app gives me a
> 2FA CHOICE between text, email, or a
> voice phone call. You might recheck
> yours, perhaps it's changed...

> Just stuck my old Android Groundhog
> newsreader on an old Amazon
> tablet. First post. Newer tablets break
> it into read only. So lets see his this
> one does...

Ah. I see the quote strings were broken.
I think I can fix that in this and future
posts but it's a PITA. None of my old
stuff works anymore, even when used
on my old stuff. Test over...

On 11/9/2023 7:27 AM, Dave Royal wrote:
> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>> Dave Royal<dave@dave123royal.com> wrote:

>>> Amex sends 2FA codes by _both_ SMS and email which is about as
>>> insecure as you get. And it doesn't ask which I prefer.

>> My Android AMEX app gives me a 2FA CHOICE between text, email, or a
>> voice phone call. You might recheck yours, perhaps it's changed...

> I don't use an Amex app - this is with their website.

I just checked it on my AMEX website. They still gave me the same three
CHOICES (text, email, or voice). I'm in the US. Perhaps that's the
difference?

BTW I use text. A one time code good for only minutes. Where's the big
security risk?

On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>On 11/9/2023 7:27 AM, Dave Royal wrote:
>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>> Dave Royal<dave@dave123royal.com> wrote:
>
>>>> Amex sends 2FA codes by _both_ SMS and email which is about as
>>>> insecure as you get. And it doesn't ask which I prefer.
>
>>> My Android AMEX app gives me a 2FA CHOICE between text, email, or a
>>> voice phone call. You might recheck yours, perhaps it's changed...
>
>> I don't use an Amex app - this is with their website.
>
>I just checked it on my AMEX website. They still gave me the same three
>CHOICES (text, email, or voice). I'm in the US. Perhaps that's the
>difference?

Maybe.

>BTW I use text. A one time code good for only minutes. Where's the big
>security risk?

SIM swap fraud.

--
(Remove numerics from email address)

On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
>On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>>On 11/9/2023 7:27 AM, Dave Royal wrote:
>>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>>> Dave Royal<dave@dave123royal.com> wrote:
>>
>>>>> Amex sends 2FA codes by _both_ SMS and email which is about as
>>>>> insecure as you get. And it doesn't ask which I prefer.
>>
>>>> My Android AMEX app gives me a 2FA CHOICE between text, email, or a
>>>> voice phone call. You might recheck yours, perhaps it's changed...
>>
>>> I don't use an Amex app - this is with their website.
>>
>>I just checked it on my AMEX website. They still gave me the same three
>>CHOICES (text, email, or voice). I'm in the US. Perhaps that's the
>>difference?
>
>Maybe.
>
>>BTW I use text. A one time code good for only minutes. Where's the big
>>security risk?
>
>SIM swap fraud.

.... but I meant email was particularly insecure - unencrypted,
interceptable...

--
(Remove numerics from email address)

On 11/9/2023 8:50 AM, Dave Royal wrote:
> On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>> On 11/9/2023 7:27 AM, Dave Royal wrote:
>>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>>> Dave Royal<dave@dave123royal.com> wrote:
>>
>>>>> Amex sends 2FA codes by _both_ SMS and email which is about
>>>>> as insecure as you get. And it doesn't ask which I prefer.
>>
>>>> My Android AMEX app gives me a 2FA CHOICE between text, email,
>>>> or a voice phone call. You might recheck yours, perhaps it's
>>>> changed...
>>
>>> I don't use an Amex app - this is with their website.
>>
>> I just checked it on my AMEX website. They still gave me the same
>> three CHOICES (text, email, or voice). I'm in the US. Perhaps
>> that's the difference?
>
> Maybe.
>
>> BTW I use text. A one time code good for only minutes. Where's the
>> big security risk?
>
> SIM swap fraud.

How would a SIM swap get a perp into my AMEX account? He would need my
AMEX user name and password to even get the text code. And where does he
get that?

So I ask again, where's the big security risk in texting a 2FA code?

On 11/9/2023 8:57 AM, Dave Royal wrote:
> On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
>> On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>>> On 11/9/2023 7:27 AM, Dave Royal wrote:
>>>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>>>> Dave Royal<dave@dave123royal.com> wrote:
>>>
>>>>>> Amex sends 2FA codes by _both_ SMS and email which is about
>>>>>> as insecure as you get. And it doesn't ask which I prefer.
>>>
>>>>> My Android AMEX app gives me a 2FA CHOICE between text,
>>>>> email, or a voice phone call. You might recheck yours,
>>>>> perhaps it's changed...
>>>
>>>> I don't use an Amex app - this is with their website.
>>>
>>> I just checked it on my AMEX website. They still gave me the same
>>> three CHOICES (text, email, or voice). I'm in the US. Perhaps
>>> that's the difference?
>>
>> Maybe.
>>
>>> BTW I use text. A one time code good for only minutes. Where's
>>> the big security risk?
>>
>> SIM swap fraud.
>
> ... but I meant email was particularly insecure - unencrypted,
> interceptable...

Not for me, though I don't use email for 2FA. With a SIM swap Google
would sense a new device and use Google Authenticator to one of MY
authentic devices to verify. No verification, no email...

If you mean just no encryption, again even if intercepted what can
anyone do with a code only good for a few minutes without a user name
and password...

On 9 Nov 2023 09:07:41 -0700 AJL wrote:
>On 11/9/2023 8:50 AM, Dave Royal wrote:
>> On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>>> On 11/9/2023 7:27 AM, Dave Royal wrote:
>>>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>>>> Dave Royal<dave@dave123royal.com> wrote:
>>>
>>>>>> Amex sends 2FA codes by _both_ SMS and email which is about
>>>>>> as insecure as you get. And it doesn't ask which I prefer.
>>>
>>>>> My Android AMEX app gives me a 2FA CHOICE between text, email,
>>>>> or a voice phone call. You might recheck yours, perhaps it's
>>>>> changed...
>>>
>>>> I don't use an Amex app - this is with their website.
>>>
>>> I just checked it on my AMEX website. They still gave me the same
>>> three CHOICES (text, email, or voice). I'm in the US. Perhaps
>>> that's the difference?
>>
>> Maybe.
>>
>>> BTW I use text. A one time code good for only minutes. Where's the
>>> big security risk?
>>
>> SIM swap fraud.
>
>How would a SIM swap get a perp into my AMEX account? He would need my
>AMEX user name and password to even get the text code. And where does he
>get that?
>
>So I ask again, where's the big security risk in texting a 2FA code?

The point of two factor authentication is to add a _second_ layer of
security so that if your account/password is stolen - which happens a lot
in data breaches - there must be a second 'token' - something you _have_.
With SIM swap fraud the malefactors effectively have your phone and can
get the code.

I wouldn't say it's a /big/ risk but it's a risk if a large financial
tranfer depends on it. Banks implemented it 'cos it was cheap to do.

SIM swap fraud was becoming serious a year or so back in the UK but I
think operators are supposed to carry out more checks now before providing
replacement SIMs.

As for WhatsApp, an account can have up to 6(?) linked devices, so
presumably the code will appear on all of them. I can imagine a new attack
- 'clandestine WA device linking' whereby someone with brief physical
access to your mobile links another device to it.
--
(Remove numerics from email address)

On 11/9/2023 9:35 AM, Dave Royal wrote:
> On 9 Nov 2023 09:07:41 -0700 AJL wrote:

>> So I ask again, where's the big security risk in texting a 2FA
>> code?
>
> The point of two factor authentication is to add a _second_ layer of
> security so that if your account/password is stolen - which happens a
> lot in data breaches - there must be a second 'token' - something you
> _have_. With SIM swap fraud the malefactors effectively have your
> phone and can get the code.
>
> I wouldn't say it's a /big/ risk but it's a risk

Everythings a risk. Your risk scenario is infinitesimal IMO...

> if a large financial tranfer depends on it.

Not a problem. I'm covered for any fraudulent bank transactions that ARE
NOT MY FAULT...

> Banks implemented it 'cos it was cheap to do.

And also it was one more layer of security.

> SIM swap fraud was becoming serious a year or so back in the UK but
> I think operators are supposed to carry out more checks now before
> providing replacement SIMs.

I have a security code registered with my phone provider. No business
transacted without that code. Course I suppose there's always the inside
job thing to worry about for the risk paranoid...

> As for WhatsApp, an account can have up to 6(?) linked devices, so
> presumably the code will appear on all of them. I can imagine a new
> attack - 'clandestine WA device linking' whereby someone with brief
> physical access to your mobile links another device to it.

Have never used WhatsApp. My whole extended family here uses text... ;)

On 2023-11-09 17:21, AJL wrote:
> On 11/9/2023 8:57 AM, Dave Royal wrote:
>> On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
>>> On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>>>> On 11/9/2023 7:27 AM, Dave Royal wrote:
>>>>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>>>>> Dave Royal<dave@dave123royal.com> wrote:
>>>>
>>>>>>> Amex sends 2FA codes by _both_ SMS and email which is about
>>>>>>> as insecure as you get. And it doesn't ask which I prefer.
>>>>
>>>>>> My Android AMEX app gives me a 2FA CHOICE between text,
>>>>>> email, or a voice phone call. You might recheck yours,
>>>>>> perhaps it's changed...
>>>>
>>>>> I don't use an Amex app - this is with their website.
>>>>
>>>> I just checked it on my AMEX website. They still gave me the same
>>>> three CHOICES (text, email, or voice). I'm in the US. Perhaps
>>>> that's the difference?
>>>
>>> Maybe.
>>>
>>>> BTW I use text. A one time code good for only minutes. Where's
>>>> the big security risk?
>>>
>>> SIM swap fraud.
>>
>> ... but I meant email was particularly insecure - unencrypted,
>> interceptable...
>
> Not for me, though I don't use email for 2FA. With a SIM swap Google
> would sense a new device and use Google Authenticator to one of MY
> authentic devices to verify. No verification, no email...
>
> If you mean just no encryption, again even if intercepted what can
> anyone do with a code only good for a few minutes without a user name
> and password...

They could pose as you in their machines. Then the email would be sent
to you, which they could intercept and use to login in their machine.

--
Cheers,
Carlos E.R.

On 2023-11-09 17:35, Dave Royal wrote:
> On 9 Nov 2023 09:07:41 -0700 AJL wrote:
>> On 11/9/2023 8:50 AM, Dave Royal wrote:
>>> On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>>>> On 11/9/2023 7:27 AM, Dave Royal wrote:

....

>>>> BTW I use text. A one time code good for only minutes. Where's the
>>>> big security risk?
>>>
>>> SIM swap fraud.
>>
>> How would a SIM swap get a perp into my AMEX account? He would need my
>> AMEX user name and password to even get the text code. And where does he
>> get that?
>>
>> So I ask again, where's the big security risk in texting a 2FA code?
>
> The point of two factor authentication is to add a _second_ layer of
> security so that if your account/password is stolen - which happens a lot
> in data breaches - there must be a second 'token' - something you _have_.
> With SIM swap fraud the malefactors effectively have your phone and can
> get the code.
>

Right.

So imagine I use the app in the phone to connect to the bank. The bank
sends a code by SMS to the *same* phone, the app reads automatically the
message and logins.

Now suppose my phone is stolen...

> I wouldn't say it's a /big/ risk but it's a risk if a large financial
> tranfer depends on it. Banks implemented it 'cos it was cheap to do.
>
> SIM swap fraud was becoming serious a year or so back in the UK but I
> think operators are supposed to carry out more checks now before providing
> replacement SIMs.

They were fined here for not verifying the identity of the person
getting the sim. So I suppose now they are stricter.

>
> As for WhatsApp, an account can have up to 6(?) linked devices, so
> presumably the code will appear on all of them. I can imagine a new attack
> - 'clandestine WA device linking' whereby someone with brief physical
> access to your mobile links another device to it.

Ah. True.

The code would appear in my phone and in my computer.

Mind, SMS can also be read in the computer if you want. At least with
Google messages. I have not tried, but read about it.

--
Cheers,
Carlos E.R.

On 11/9/23 12:15 PM, Carlos E. R. wrote:
>On 2023-11-09 17:21, AJL wrote:
>> On 11/9/2023 8:57 AM, Dave Royal wrote:
>>> On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
>>>> On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>>>>> On 11/9/2023 7:27 AM, Dave Royal wrote:
>>>>>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>>>>>> Dave Royal<dave@dave123royal.com> wrote:
>>>>>
>>>>>>>> Amex sends 2FA codes by _both_ SMS and email which is about
>>>>>>>> as insecure as you get. And it doesn't ask which I prefer.
>>>>>
>>>>>>> My Android AMEX app gives me a 2FA CHOICE between text,
>>>>>>> email, or a voice phone call. You might recheck yours,
>>>>>>> perhaps it's changed...
>>>>>
>>>>>> I don't use an Amex app - this is with their website.
>>>>>
>>>>> I just checked it on my AMEX website. They still gave me the same
>>>>> three CHOICES (text, email, or voice). I'm in the US. Perhaps
>>>>> that's the difference?
>>>>
>>>> Maybe.
>>>>
>>>>> BTW I use text. A one time code good for only minutes. Where's
>>>>> the big security risk?
>>>>
>>>> SIM swap fraud.
>>>
>>> ... but I meant email was particularly insecure - unencrypted,
>>> interceptable...
>>
>> Not for me, though I don't use email for 2FA. With a SIM swap Google
>> would sense a new device and use Google Authenticator to one of MY
>> authentic devices to verify. No verification, no email...
>>
>> If you mean just no encryption, again even if intercepted what can
>> anyone do with a code only good for a few minutes without a user name
>> and password...

>They could pose as you in their machines.

How if no user/password info? And if they had it somehow and tried to log in
I'd get a uncalled for text code that'd tell me someone had my UN/PW and
was trying to break in my AMEX account and I'd change it.

>Then the email would be sent
>to you, which they could intercept and >use to login in their machine.

Since I use text 2FA notification guess they'd need my phone too? Unlikely
to the 1000000th degree...

On 2023-11-09 20:49, AJL wrote:
> On 11/9/23 12:15 PM, Carlos E. R. wrote:
>> On 2023-11-09 17:21, AJL wrote:
>>> On 11/9/2023 8:57 AM, Dave Royal wrote:
>>>> On 9 Nov 2023 15:50:13 -0000 (UTC) Dave Royal wrote:
>>>>> On 9 Nov 2023 08:10:33 -0700 AJL wrote:
>>>>>> On 11/9/2023 7:27 AM, Dave Royal wrote:
>>>>>>> On 09 Nov 2023 07:16:19 -0700 AJL wrote:
>>>>>>>> Dave Royal<dave@dave123royal.com> wrote:
>>>>>>
>>>>>>>>> Amex sends 2FA codes by _both_ SMS and email which is about
>>>>>>>>> as insecure as you get. And it doesn't ask which I prefer.
>>>>>>
>>>>>>>> My Android AMEX app gives me a 2FA CHOICE between text,
>>>>>>>> email, or a voice phone call. You might recheck yours,
>>>>>>>> perhaps it's changed...
>>>>>>
>>>>>>> I don't use an Amex app - this is with their website.
>>>>>>
>>>>>> I just checked it on my AMEX website. They still gave me the same
>>>>>> three CHOICES (text, email, or voice). I'm in the US. Perhaps
>>>>>> that's the difference?
>>>>>
>>>>> Maybe.
>>>>>
>>>>>> BTW I use text. A one time code good for only minutes. Where's
>>>>>> the big security risk?
>>>>>
>>>>> SIM swap fraud.
>>>>
>>>> ... but I meant email was particularly insecure - unencrypted,
>>>> interceptable...
>>>
>>> Not for me, though I don't use email for 2FA. With a SIM swap Google
>>> would sense a new device and use Google Authenticator to one of MY
>>> authentic devices to verify. No verification, no email...
>>>
>>> If you mean just no encryption, again even if intercepted what can
>>> anyone do with a code only good for a few minutes without a user name
>>> and password...
>
>> They could pose as you in their machines.
>
> How if no user/password info?

Obtained earlier "somehow".

> And if they had it somehow and tried to
> log in
> I'd get a uncalled for text code that'd tell me someone had my UN/PW and
> was trying to break in my AMEX account and I'd change it.

There is a window of opportunity. They do it fast and reconfigure so you
get no more warnings and your phone invalidated.

The fact is that SIM swap fraud is a thing, not a rumour. People have
lost money.

>
>> Then the email would be sent to you, which they could intercept and
>> >use to login in their machine.
>
> Since I use text 2FA notification guess they'd need my phone too? Unlikely
> to the 1000000th degree...

They ask the system to send the 2FA via email.

--
Cheers,
Carlos E.R.

On 11/9/2023 12:20 PM, Carlos E. R. wrote:

> imagine I use the app in the phone to connect to the bank. The bank
> sends a code by SMS to the *same* phone,

> the app reads automatically the message and logins.

Doesn't work that way on any of my apps. The 2FA code is sent by text as
a number that I then have to then reenter into the app.

> Now suppose my phone is stolen...

Hopefully your phone AND your phone bank app are BOTH LOCKED. That way
the thief has to go through TWO LOCKS to enter your bank app. Pretty
unlikely, don't you think...

On my phone the 2FA text code only had to authorize the AMEX app ONCE.
After that only the user name and PW is required to open the app.
(Though AMEX can be set to require a 2FA code on every app entry I find
that a bit too much of a hassle for what little added security it may
give (IMO-YMMV).

I'm still waiting to see why SMS is a poor way to send a 2FA codes.
Though I'll admit that pushing "Yes" on a Google Authenticator screen to
authorize an app is sure a lot easier...

On 11/9/2023 1:30 PM, Carlos E. R. wrote:
> On 2023-11-09 20:49, AJL wrote:
>> On 11/9/23 12:15 PM, Carlos E. R. wrote:

>>> They could pose as you in their machines.

>> How if no user/password info?

> Obtained earlier "somehow".

"Somehow" = magic?

>> And if they had it somehow and tried to log in I'd get a uncalled
>> for text code that'd tell me someone had my UN/PW and was trying to
>> break in my AMEX account and I'd change it.

> There is a window of opportunity. They do it fast and reconfigure so
> you get no more warnings and your phone invalidated.

How would they get my username/password. Please no more magic...

> The fact is that SIM swap fraud is a thing, not a rumour. People
> have lost money.

Yup. That's why I have a security code registered with my phone
provider. No code, no business transacted.

> They ask the system to send the 2FA via email.

No username/password no email/text 2FA. And if they break into the AMEX
servers to get them no biggie. As long as it's NOT MY FAULT I'm covered
there too...