Newyana2 <Newyana2@invalid.nospam> wrote:
[...]

> People in this thread are actually getting angry at
> merely the suggestion of having options besides cellphones
> for taking care of business.

IMO that's misrepresenting what's being said.

Some - and probably even many - might *prefer* using a mobile phone,
but AFAICT nobody is insisting on it being the *only* option (for other
people). And IME it never *is* the only option.

But don't let facts get in the way of your rants.

[Yet another Newyana2 rant on other people's lifestyles being inferior
to his, deleted.]'

Dave Royal <dave@dave123royal.com> writes:

> I notice on WikiP that andOTP is no longer supported. But it works
> and should continue to work unless Android breaks it. I must back
> up the APK.

Another FOSS HOTP and TOTP client for Android is Aegis and it can import
from andOTP.

> I don't do banking on my phone, only on my
> desktop PC. So, Authy yanked their desktop client, can't use it anymore
> with my bank, so I'm stuck with them sending the 2FA code to my Google
> Voice phone number which forwards to me via e-mail.

WinAuth v3.5 works just as well as Authy and uses the same credentials
for TOTP account registrations. It also has an easy to use recovery feature.
https://winauth.github.io/winauth/download.html

> There are other TOTP desktop clients, but I don't know which will work
> with my bank.

TOTP desktop client credentials are interchangeable as long as you start
with each account's secret key or QR code, which I'm sure you have saved.

Am 11.03.24 um 15:47 schrieb Chris:
> Newyana2 <Newyana2@invalid.nospam> wrote:
>> "The Real Bev" <bashley101@gmail.com> wrote
>>
>> | WTF? Why is the google voice number not a REAL phone number?
>> |
>> As V said, the simple answer is that they want to spy.
>
> Just because you're paranoid doesn't mean they're NOT after you.

+1

> However, in this case it's by design not nefarious. The 'F' in. 2FA is
> "factor" meaning that you need two different sources of truth. Your
> password is one and a known device is the second. VOIP is neither known nor
> a device so cannot be trusted as the endpoint could be almost anything.

--
"Gutta cavat lapidem." (Ovid)

On 3/12/2024 5:53 AM, Newyana2 wrote:
> "AJL" <noemail@none.org> wrote
>
> | That would be me. I visit my branch maybe twice a year to get cash for
> | emergencies (like if the checkout system is down) and tips. Everything
> else
> | is done with the credit card. Love that Cashback card. Also love that
> folks
> | who pay with cash help support it...

> Yes, I remember that about you.

I'm flattered. I remember you too. That's why I threw out the cashback
fishhook. It worked... :)

> The man who would
> buy an expired lottery ticket if he could get cash back.

I don't gamble but you're right, everything goes on the cashback card. I
usually get over $1000US back per year. Better than gambling because I
always win...

> The
> man who wants to purchase a gravestone that says, "Here
> lies a man who never failed to get cash back."
> The trend seems to be much bigger than cash-back-mania,
> though. People in this thread are actually getting angry at
> merely the suggestion of having options besides cellphones
> for taking care of business.

> Cellphones have become a lifestyle.
> Many of those people are not even using charge cards.

I still use a card. I find it easier to dig my card out at the store
than my cell phone.

> They're
> using debit, Square, Venmo...

Not me. I'm still using (gasp) checks. For example, one fits nicely
under the front doormat for the yard guy...

> They've actually become
> accustomed to paying someone else to handle their cash, so
> that all transactions -- even lending $20 to a friend -- go
> through a payment service.

You'd be proud of me. I give the grand and greatgrandkids CASH gifts.

> Some people are just afraid of cash, fearing that they'll
> be mugged if they have money.

And if they are mugged and don't have any cash, no loss...

> Others feel Jetson-esque,
> waving their iPhone at Starbucks.

Hardly, since almost EVERYBODY is waving their phone these days. But
they probably would all stop and point at someone using cash... ;)

> Many young people
> probably know payment services as where money comes from.
> But I suspect the main motivator is just habit: Once people
> are constantly using their cellphone, it becomes convenient
> to do everything through it.

Sure beats a phone being tied to the wall IMO.

> As Carlos put it, people addicted to cellphones
> would like to believe that everyone else "does not matter".
> They not only want cellphone options, they want cellphone
> interaction to be enforced as the only option. They
> want to live in Cellphone World.

> I'm not so sure about automated checkouts, though. Some
> stores in the US are deciding to remove or reduce them due
> to theft.

It's a balancing act. If the increased $$ theft is less than the fired
cashiers salary $$ then they are still $$ ahead.

> https://www.cnn.com/2023/12/08/business/self-checkout-dollar-general-retail/index.html
>
> At the same time, you run the risk of being accused of
> theft when using self-checkout:
>
> https://www.coreycohen.com/blog/2022/12/have-you-been-accused-of-self-checkout-theft/

Life's a bitch, huh.

Having my receipt checked on the way out is no big deal for me. And it
is a theft deterrent which helps to keep the prices down for us honest
folks...

> There's also a controversy around restaurants with QR
> code menus. Most people are happy to use their cellphone
> to read the menu, but then they're questioning why they
> should tip for barebones service...

Since I don't give to any charities I use tipping as my charity and tip
well. Those folks who wait tables need it IMO. And since I generally eat
out most every day that does come to a few (credit card cashback)
bucks... ;)

> So we run into an entirely
> different issue: How does human society work without
> personal interactions? Maybe you'll be able to use your
> famous cash-back charge card to buy conversations...
> Perhaps Monty Python's argument service wasn't so
> farfetched. :)
>
> I used a self checkout for the first time recently. There
> were 8 women with full carts at the only Target register,
> and the self checkout took cash. I don't really mind it
> there. They have the best prices, by far, on household
> items. And Target seems to be the only place left to buy
> such a simple thing as a pack or sponges -- just a plain old
> 4-pack of kitchen sponges, without a "patented
> scrubber surface" or any other overpriced gimmick. So
> I accept that they need to cut corners. Though I have to
> find another source for underwear and socks now. Target
> has locked them in display cases! Apparently people were
> stealing them and sneaking through the self-checkout.

I have 2 Targets within 5 miles of me. My favorite purchases have been
new cell phones on the discount rack. I got one for $13US and another
for $15. I never used them for phones but they made great Android toys
(see, I'm back on topic)...

Frank Slootweg <this@ddress.is.invalid> Wrote in message:

> Dave Royal <dave@dave123royal.com> wrote:
>> Frank Slootweg <this@ddress.is.invalid> Wrote in message:
>>
>> > Chris <ithinkiam@gmail.com> wrote:
>> >> Frank Slootweg <this@ddress.is.invalid> wrote:
>> >> > VanguardLH <V@nguard.lh> wrote:
>> > [...]
>> >> > As Dave Royal also mentioned, your bank probably mentions/'supports'
>> >> > one or more TOTP 'apps'/programs, but - assuming they have not
>> >> > re-invented the wheel - their systems should be standards-compliant and
>> >> > hence worke with any standards-compliant 'app'/program.
>> >>
>> >> Sadly in the UK that's not the case. They either use SMS, an automated call
>> >> or their own TOTP available in their app.
>> >
>> > It's similar in The Netherlands, at least for my banks and other banks
>> > I know of. But SMS and automated call are (AFAIK) not used. Just a
>> > bank-specific hardware TOTP device (uses your bank card as one of the
>> > factors) or TOTP in their apps. I use the TOTP devices, because it's not
>> > much of a bother and more secure.
>>
>> Does this bank-specific TOTP device use your normal bank
>> credit/debit card (i.e. the one you you make payments or withdraw
>> cash with) or a specific TOTP card. I have one of the latter -
>> though the bank doesn't use it for payments requiring
>> 2FA.
>
> It uses my normal bank card. Mostly a debit card, because most 'local'
> (in NL (and EU?)) on-line transactions can be done by a debit card,
> which - in our country - is a safer card than a credit card. But also
> some credit card transactions work with the bank's TOTP device (our
> credit cards are issued by our banks).
>
>> Amex has recently taken to asking for 2 digits of my credit card
>> PIN to authorise some transactions - after years of saying we
>> should never reveal it.
>
> When I use my credit card in the bank's TOTP device, I need to give
> the 4-digit PIN of that card, i.e. the PIN is one factor of 2FA, the
> physical card is the other.
>
That's obviously OK on an offline gadget. It's providing (part of)
the PIN to a website I find dubious - even if that website
purports to be AMEX itself.

I don't know why NatWest in the UK doesn't use it's own credit
card in its own TOTP gadget for 2FA. Perhaps because it uses
Mastercard, whereas AMEX cards are their own.
--
Remove numerics from my email address.

VanguardLH <V@nguard.LH> wrote:
> Chris <ithinkiam@gmail.com> wrote:
>
>> However, in this case it's by design not nefarious. The 'F' in. 2FA is
>> "factor" meaning that you need two different sources of truth. Your
>> password is one and a known device is the second. VOIP is neither
>> known nor a device so cannot be trusted as the endpoint could be
>> almost anything.
>
> Yet 2FA codes are also sent by e-mail. Someone is on your phone using a
> web browser, gets the login 2FA interruption, and the 2FA code gets sent
> to e-mail which is accessed on the same phone. Yeah, that really
> thwarted the 2FA-enabled login ... not! 2FA only makes sense when 2
> *different* devices are used for login and to where the 2FA code is
> sent.

Incorrect. It needs to be two different factors. Like I said a password is
something you *know* and a phone is a device you *have*. Two, three or more
devices are still one factor.

This is why MFA is a thing as other factors are included now like time
since last log in, location, time of day, etc.

"Carlos E.R." <robin_listas@es.invalid> wrote:

> On 2024-03-12 13:53, Newyana2 wrote:
>> "AJL" <noemail@none.org> wrote
>
> ...
>
>>
>> As Carlos put it, people addicted to cellphones
>> would like to believe that everyone else "does not matter".
>> They not only want cellphone options, they want cellphone
>> interaction to be enforced as the only option. They
>> want to live in Cellphone World.
>
> Addicted? No, simply banks are using a device that everybody has,
> instead of making their clients buy an extra hardware device, not cheap,
> for needed extra security. You do have other options if you insist.

Personally I would prefer if the trend were toward using USB security
sticks instead of SMS and e-mail. One problem there might be: having to
use a computer that has no USB ports, or they've been disabled. Another
problem is no one is going to attach the USB stick to a cord attached to
their body: when they leave the computer, the USB stick must go with
them. Instead the sticks are left plugged into a USB port, so anyone
with physical access to the computer can login using the stick just like
the owner can. The problem of physical access also applies to phones.

As for cost, if every computer could use a Yubi security key, the $25
would be worth the freedom of relying on a phone. Weren't some
Europeans charged and fined for pretending to be someone else's phone
through SIM card swap they foisted on the carrier?

What Is a SIM Swap Attack and How Can You Prevent It?
https://www.avast.com/c-sim-swap-scam

When getting an SMS text, there is no verification that the receiving
phone's IMEI is the one to where the text was intended to drop. If the
IMEI were involved, you'd have to re-register with whomever is sending
2FA codes via texts to give them yet another piece of valuable info: the
IMEI of your phone. When you change or add phones, you have to update
all your accounts to give them another IMEI. But SMS doesn't link to
IMEI, so there SMS is not secured either during transmission nor
guarantee which phone the SMS targets.

Maybe if all computers had biometric input (camera for eyes and sensor
for fingers and mic for voice) then the verification really would be to
a person, not the expectation of a device or service to which that
person -- or someone else -- has access. Phones and laptops have those
bio devices (well, maybe not all have finger sensors), but only a
fraction of desktops have even 2 of them. I don't have a camera on my
desktop. I don't do video chats. I have a mic only when I plug in my
headset. I'd have to buy a fingerprint sensor. Bio verification isn't
going to happen on desktops until those devices are built in by default
whether pre-builts or own builts, not appended on.

When sent a 2FA code, how long before you have to use it. Typically the
expiration is 5 to 15 minutes. Pretty long time, but they have to
account for delay in SMS transport, and time for users to enter the 2FA
code. Some phone users are handicapped, so they don't quickly enter
anything. Do the 2FA codes automatically and immediately expire upon
use, or are they still valid for the original time allowed for
expiration? I hope that the site enforces automatic expiration on use,
but I haven't verified this is the case. Anyway, the long expiration
time to wait for use of the 2FA code means a larger window of
opportunity for interception. SMS and e-mail are not secure
communication venues. That's why I'm thinking TOTP would be a better
choice; however, doesn't seem that every site wanting to use 2FA
supports TOTP, and it seems you must have the particular TOTP
authenticator that they expect you to use which, to me, hints the
communication protocol is not yet standardized to allow use of *any*
TOTP authenticator. One site uses Authy, another uses Symantec VIP, and
another requires something else.

Does everyone that gets a new phone, or just a new SIM card, always get
a new phone number, and keep that one? I use Google Voice which calls
all my phones, so it doesn't matter which phones I have at the time or
what are their phone numbers. All of them (that I've added to my GV
account) get called using simultaneous ring. I even have an Obitalk
added to my GV account, so I get calls on my home phones (VOIP converted
to POTS in my home wiring). However, if I had only 1 phone, I'd try to
port my old phone number to the new phone, if allowed (which costs money
to do the port). I wouldn't have to change my old phone number in every
account where it is recorded, and to where SMS texts would get sent.
With e-mail alerts (GV sends a copy of a text to my e-mail), it doesn't
matter which smartphone I use. If a site is going to use 2FA when you
try to update your account to reflect your new phone number, you're
screwed if you don't have the old phone to get the text. If you have to
talk to tech support, figure on wasting an hour and half on a call, and
the info you give them is the same info the hackers use in a SIM swap.

With the average ownership of smartphones only around 2 years, seems it
would be a repetitive nuisance to update phone numbers in all accounts
for all those consumers that just must update. With a security key,
wouldn't matter where you got the text, but who wants to keep plugging a
stick into the phone's USB port, or leave the stick dangling out the
port? Even if IMEI were linked to SMS (to the sender, not to the
carrier who doesn't give a fart about the content and is not involved in
securing a login), a change of phone means a different IMEI. You can go
to TOTP *if* the other party supports using it, but then you have to get
your tokens to the new phone. Authy does that with its cloud sync, but
not other authenticators. Transferring tokens with other authenticators
is a bitch, but then often the intent to make users think that more
effort means more security.

Dave Royal <dave@dave123royal.com> wrote:

> It's easier than you think. All the TOTP sites I use - admittedly
> not many and none of them banks - use standards protocols. I
> think all of them suggested Authy - not sure. GitHub and Mozilla
> suggested FreeOTP IIRC.
>
> The reason I chose andOTP on my Android tablet was (a) it's
> opensource (b) it's offline (c) it can produce an encrypted
> backup of its tokens (d) it requires a password to access.
> FreeOTP on iOS could not do (c) and (d). All the tokens I have
> originated on my Linux desktop. I point the Android tablet's
> camera at the barcode on the screen to install it, then back it
> up onto both. If I want to transfer the token to my iPhone - I
> usually don't in case it's lost ot stolen, see (d) - I display
> the barcode on the tablet and read that with the iPhone.

Bitwarden is open source, too; however, to get TOTP means paying for
their Premium version ($10/yr). From the wiki article mentioned by
Frank (https://en.wikipedia.org/wiki/Comparison_of_OTP_applications),
Bitwarden supports the platforms I want and the features I want (if I
pay to get TOTP), but it's not a feature-rich comparison. FreeOTP and
andOTP are unusable on Windows. I don't want a TOTP solution only for
mobile platforms. I need an authenticator on desktops (Windows now,
perhaps Linux later) where I do the vast majority of web surfing (I hate
it on phones), and also available on Android, and would like to use as
few as possible, like just one authenticator on all platforms.

Bitwarden is also available as a Firefox add-on, the primary web browser
I use on a Windows desktop and on my Android phone. Firefox Mobile
allows installation of add-ons, but only some that are vetted for
Android. The Firefox Desktop add-on mentions support for 2FA (which
looks to be TOTP). The add-on is free, and if 2FA/TOTP is supported in
the add-on, then I don't need to buy their Premium version that includes
TOTP. I can't think of anywhere I've connected where 2FA is initiated
that wasn't when I was web surfing to a site. Web-centric apps handle
their own connections and authentication. So, Bitwarden as a Firefox
add-on should work for me: free, includes 2FA/TOTP.
But there remains the problem that TOTP doesn't yet seem a standardized
protocol, so Bitwarden might not work everywhere, like at sites that
tell you to use Symantec VIP. Too much is still proprietary. I see a
Symantec Authentication Client Extension add-on for Firefox Desktop, but
it's description leads me to believe you must have their authenticator
app installed, plus it's not a vetted add-on available for Firefox
Mobile, so I can't use that add-on on my Android phone within Firefox.

I'll first try Bitwarden as a Firefox Desktop add-on on my Windows host,
and test if it works with my bank that says to use Symantec VIP. If
not, I'm stuck having to also install Symantec VIP on my Windows host.
On my Android phone, doesn't look like there is a Bitwarden add-on for
Firefox Mobile. Based on the prior successful test on Windows, maybe I
can get by with just the Bitwarden app on my Android phone. If not,
I'll have to install both the Bitwarden and Symantec VIP apps on my
Android phone, and hope having multiple authenticator apps don't
interfere with each other.

On 2024-03-12 21:21, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> On 2024-03-12 13:53, Newyana2 wrote:
>>> "AJL" <noemail@none.org> wrote
>>
>> ...
>>
>>>
>>> As Carlos put it, people addicted to cellphones
>>> would like to believe that everyone else "does not matter".
>>> They not only want cellphone options, they want cellphone
>>> interaction to be enforced as the only option. They
>>> want to live in Cellphone World.
>>
>> Addicted? No, simply banks are using a device that everybody has,
>> instead of making their clients buy an extra hardware device, not cheap,
>> for needed extra security. You do have other options if you insist.
>
> Personally I would prefer if the trend were toward using USB security
> sticks instead of SMS and e-mail. One problem there might be: having to
> use a computer that has no USB ports, or they've been disabled. Another
> problem is no one is going to attach the USB stick to a cord attached to
> their body: when they leave the computer, the USB stick must go with
> them. Instead the sticks are left plugged into a USB port, so anyone
> with physical access to the computer can login using the stick just like
> the owner can. The problem of physical access also applies to phones.

There are safer methods than the mobile phone, but their rationale is
"you already have a phone, so implementing this is very cheap".

Of course, a percent doesn't have a phone, but those are not their
objective client, and probably they will provide some other means.

>
> As for cost, if every computer could use a Yubi security key, the $25
> would be worth the freedom of relying on a phone. Weren't some
> Europeans charged and fined for pretending to be someone else's phone
> through SIM card swap they foisted on the carrier?

SIM swap attack is a thing, yes. They can thus receive verification
SMSs, but probably not banking app messages.

>
> What Is a SIM Swap Attack and How Can You Prevent It?
> https://www.avast.com/c-sim-swap-scam
>
> When getting an SMS text, there is no verification that the receiving
> phone's IMEI is the one to where the text was intended to drop. If the
> IMEI were involved, you'd have to re-register with whomever is sending
> 2FA codes via texts to give them yet another piece of valuable info: the
> IMEI of your phone. When you change or add phones, you have to update
> all your accounts to give them another IMEI. But SMS doesn't link to
> IMEI, so there SMS is not secured either during transmission nor
> guarantee which phone the SMS targets.
>
> Maybe if all computers had biometric input (camera for eyes and sensor
> for fingers and mic for voice) then the verification really would be to
> a person, not the expectation of a device or service to which that
> person -- or someone else -- has access. Phones and laptops have those
> bio devices (well, maybe not all have finger sensors), but only a
> fraction of desktops have even 2 of them. I don't have a camera on my
> desktop. I don't do video chats. I have a mic only when I plug in my
> headset. I'd have to buy a fingerprint sensor. Bio verification isn't
> going to happen on desktops until those devices are built in by default
> whether pre-builts or own builts, not appended on.

Most recent laptops have finger print sensors and cameras. But I don't
have software that uses the former (nor the later, for purposes of ID).

>
> When sent a 2FA code, how long before you have to use it. Typically the
> expiration is 5 to 15 minutes. Pretty long time, but they have to
> account for delay in SMS transport, and time for users to enter the 2FA
> code. Some phone users are handicapped, so they don't quickly enter
> anything. Do the 2FA codes automatically and immediately expire upon
> use, or are they still valid for the original time allowed for
> expiration?

They expire on use. Ie, they are single use.

> I hope that the site enforces automatic expiration on use,
> but I haven't verified this is the case. Anyway, the long expiration
> time to wait for use of the 2FA code means a larger window of
> opportunity for interception. SMS and e-mail are not secure
> communication venues. That's why I'm thinking TOTP would be a better
> choice; however, doesn't seem that every site wanting to use 2FA
> supports TOTP, and it seems you must have the particular TOTP
> authenticator that they expect you to use which, to me, hints the
> communication protocol is not yet standardized to allow use of *any*
> TOTP authenticator. One site uses Authy, another uses Symantec VIP, and
> another requires something else.

Yeah, but for many purposes SMS is good enough. It doesn't have to be
failsafe, but only to block a high enough percent of the "attacks".

>
> Does everyone that gets a new phone, or just a new SIM card, always get
> a new phone number, and keep that one?

Depends.

I have the same mobile phone number since around 1999. Other people
change(d) it frequently, because they use offerings by various providers.

Mine was first a pay as you go prepaid card, at some point upgraded to
contract, and at some point migrated to another company (for free).

Then, when I travel to Canada I get a local number that is valid only
for a month.

> I use Google Voice which calls
> all my phones, so it doesn't matter which phones I have at the time or
> what are their phone numbers. All of them (that I've added to my GV
> account) get called using simultaneous ring. I even have an Obitalk
> added to my GV account, so I get calls on my home phones (VOIP converted
> to POTS in my home wiring). However, if I had only 1 phone, I'd try to
> port my old phone number to the new phone, if allowed (which costs money
> to do the port). I wouldn't have to change my old phone number in every
> account where it is recorded, and to where SMS texts would get sent.
> With e-mail alerts (GV sends a copy of a text to my e-mail), it doesn't
> matter which smartphone I use. If a site is going to use 2FA when you
> try to update your account to reflect your new phone number, you're
> screwed if you don't have the old phone to get the text. If you have to
> talk to tech support, figure on wasting an hour and half on a call, and
> the info you give them is the same info the hackers use in a SIM swap.
>
> With the average ownership of smartphones only around 2 years, seems it
> would be a repetitive nuisance to update phone numbers in all accounts
> for all those consumers that just must update. With a security key,
> wouldn't matter where you got the text, but who wants to keep plugging a
> stick into the phone's USB port, or leave the stick dangling out the
> port? Even if IMEI were linked to SMS (to the sender, not to the
> carrier who doesn't give a fart about the content and is not involved in
> securing a login), a change of phone means a different IMEI. You can go
> to TOTP *if* the other party supports using it, but then you have to get
> your tokens to the new phone. Authy does that with its cloud sync, but
> not other authenticators. Transferring tokens with other authenticators
> is a bitch, but then often the intent to make users think that more
> effort means more security.

--
Cheers, Carlos.

"Carlos E.R." <robin_listas@es.invalid> wrote:

> VanguardLH wrote:
>
>> Weren't some Europeans charged and fined for pretending to be someone
>> else's phone through SIM card swap they foisted on the carrier?
>
> SIM swap attack is a thing, yes. They can thus receive verification
> SMSs, but probably not banking app messages.

My bank has apps for Android and iOS, but not for Windows where they
expect me to login via web browser. They have apps for Android and iOS,
but I'll have to ask them if those use TOTP. I doubt they will know nor
know who to pass my inquiry.

I resist putting a bank app on my smartphone. Anyone that has physical
access could get into my account using the . My banks app says "Secure
your account with a 4-digit passcode or biometric on supported devices."
Sure wish the PIN were longer, like at least 8 digits, and more like a
password where I can use alphanumeric characters, capitalization, and
non-alphanumeric characters. Or to use both a PIN *and* biometrics
(fingerprint sensor).

>> Maybe if all computers had biometric input (camera for eyes and
>> sensor for fingers and mic for voice) then the verification really
>> would be to a person, not the expectation of a device or service to
>> which that person -- or someone else -- has access. Phones and
>> laptops have those bio devices (well, maybe not all have finger
>> sensors), but only a fraction of desktops have even 2 of them.
>
> Most recent laptops have finger print sensors and cameras. But I don't
> have software that uses the former (nor the later, for purposes of
> ID).

My desktop is not a laptop. No camera, no mic (until I plug in the USB
headset), and no fingerprint sensor. I'd have to buy those, but then my
bank could care less as they want me using their phone app (not usable
on my desktop) or the Symantec VIP authenticator (since Authy is soon
dropping their desktop app).

On 2024-03-12 23:32, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> VanguardLH wrote:
>>
>>> Weren't some Europeans charged and fined for pretending to be someone
>>> else's phone through SIM card swap they foisted on the carrier?
>>
>> SIM swap attack is a thing, yes. They can thus receive verification
>> SMSs, but probably not banking app messages.
>
> My bank has apps for Android and iOS, but not for Windows where they
> expect me to login via web browser. They have apps for Android and iOS,
> but I'll have to ask them if those use TOTP. I doubt they will know nor
> know who to pass my inquiry.
>
> I resist putting a bank app on my smartphone. Anyone that has physical
> access could get into my account using the . My banks app says "Secure
> your account with a 4-digit passcode or biometric on supported devices."
> Sure wish the PIN were longer, like at least 8 digits, and more like a
> password where I can use alphanumeric characters, capitalization, and
> non-alphanumeric characters. Or to use both a PIN *and* biometrics
> (fingerprint sensor).

Normally the pin only allows "read" access, for operations there is some
other authorization.

>
>>> Maybe if all computers had biometric input (camera for eyes and
>>> sensor for fingers and mic for voice) then the verification really
>>> would be to a person, not the expectation of a device or service to
>>> which that person -- or someone else -- has access. Phones and
>>> laptops have those bio devices (well, maybe not all have finger
>>> sensors), but only a fraction of desktops have even 2 of them.
>>
>> Most recent laptops have finger print sensors and cameras. But I don't
>> have software that uses the former (nor the later, for purposes of
>> ID).
>
> My desktop is not a laptop. No camera, no mic (until I plug in the USB
> headset), and no fingerprint sensor. I'd have to buy those, but then my
> bank could care less as they want me using their phone app (not usable
> on my desktop) or the Symantec VIP authenticator (since Authy is soon
> dropping their desktop app).

Certainly, for 2FA they want a mobile phone, not a computer. And a non
rooted phone as that.

--
Cheers, Carlos.

Anssi Saari <anssi.saari@usenet.mail.kapsi.fi> Wrote in message:

> Dave Royal <dave@dave123royal.com> writes:
>
>> I notice on WikiP that andOTP is no longer supported. But it works
>> and should continue to work unless Android breaks it. I must back
>> up the APK.
>
> Another FOSS HOTP and TOTP client for Android is Aegis and it can import
> from andOTP.

An important feature of andOTP, for me, is that it will backup all
the tokens to a standard AES256 symmetrically encryted file
(.json.aes). So text-format tokens can be imported into another
authenticator, or even made into QR codes, in case andOTP becomes
unavailable or inoperable.

I see that Aegis can produce an encryted copy of it's 'vault'. Do
you know if the tokens therein be recovered without using Aegis
itself ?
--
Remove numerics from my email address.

Jörg Lorenz <hugybear@gmx.net> wrote:
> On 10.03.24 10:44, Bob Henson wrote:
>> Newyana2 wrote:
>>> At one point I played with crypto a bit. I had to upload a picture
>>> ID (drivers license), as well as giving them my email address and
>>> access to my bank account. As I recall I think they sent a voice
>>> message code to my landline, which is a lot more security in terms of
>>> proof of ID than a cellphone. The lamdline is registered to -- and
>>> wired to -- a physical address.
>>
>> They will struggle in the UK soon, then. All landlines disappear by the end
>> of 2025 - there will only be VoIP.
>
> Hardly ever read so much nonsense. We know Newyana does not have a cell
> phone but he or she wants to have a big mouth in technical groups
> discussing mobile technology.
>
> For you: IP-telephone lines are landlines. Landlines are not what you
> think they are. The backend is even in the UK ip-based for years.

Do you have evidence for that? It's true that UK telephony has been digital
for a long time within the BT network, but that doesn't mean it's
internet/ip-based.

Carlos E.R. <robin_listas@es.invalid> wrote:
> On 2024-03-12 13:53, Newyana2 wrote:
>> "AJL" <noemail@none.org> wrote
>
> ...
>
>>
>> As Carlos put it, people addicted to cellphones
>> would like to believe that everyone else "does not matter".
>> They not only want cellphone options, they want cellphone
>> interaction to be enforced as the only option. They
>> want to live in Cellphone World.
>
> Addicted? No, simply banks are using a device that everybody has,
> instead of making their clients buy an extra hardware device, not cheap,
> for needed extra security.

Banks here used to provide a hardware device for free which you used with
your bank card at home.

The annoying thing was that you ended up with one for each bank - despite
using the same technology - and you were stuck if you didn't have it with
you.

Carlos E.R. <robin_listas@es.invalid> wrote:
> On 2024-03-12 21:21, VanguardLH wrote:
>>
>> Does everyone that gets a new phone, or just a new SIM card, always get
>> a new phone number, and keep that one?
>
> Depends.
>
> I have the same mobile phone number since around 1999. Other people
> change(d) it frequently, because they use offerings by various providers.

That's the default across Europe. I don't know anyone who regularly changes
their number. Porting is free and automated.

I've only had a single mobile number and I've had it about 20 years.

Chris <ithinkiam@gmail.com> Wrote in message:

> Jörg Lorenz <hugybear@gmx.net> wrote:
>> On 10.03.24 10:44, Bob Henson wrote:
>>> Newyana2 wrote:
>>>> At one point I played with crypto a bit. I had to upload a picture
>>>> ID (drivers license), as well as giving them my email address and
>>>> access to my bank account. As I recall I think they sent a voice
>>>> message code to my landline, which is a lot more security in terms of
>>>> proof of ID than a cellphone. The lamdline is registered to -- and
>>>> wired to -- a physical address.
>>>
>>> They will struggle in the UK soon, then. All landlines disappear by the end
>>> of 2025 - there will only be VoIP.
>>
>> Hardly ever read so much nonsense. We know Newyana does not have a cell
>> phone but he or she wants to have a big mouth in technical groups
>> discussing mobile technology.
>>
>> For you: IP-telephone lines are landlines. Landlines are not what you
>> think they are. The backend is even in the UK ip-based for years.
>
> Do you have evidence for that? It's true that UK telephony has been digital
> for a long time within the BT network, but that doesn't mean it's
> internet/ip-based.
>
BT's System X, installed from the '80s, didn't use packet-switching.
--
Remove numerics from my email address.

Chris <ithinkiam@gmail.com> writes:

> Carlos E.R. <robin_listas@es.invalid> wrote:
>> On 2024-03-12 13:53, Newyana2 wrote:
>>> "AJL" <noemail@none.org> wrote
>>
>> ...
>>
>>>
>>> As Carlos put it, people addicted to cellphones would like to
>>> believe that everyone else "does not matter". They not only want
>>> cellphone options, they want cellphone interaction to be enforced as
>>> the only option. They want to live in Cellphone World.
>>
>> Addicted? No, simply banks are using a device that everybody has,
>> instead of making their clients buy an extra hardware device, not
>> cheap, for needed extra security.
>
> Banks here used to provide a hardware device for free which you used
> with your bank card at home.
>
> The annoying thing was that you ended up with one for each bank -
> despite using the same technology - and you were stuck if you didn't
> have it with you.

I still use a little plastic device which the bank gave to me free of
charge. (And replaced free of charge when the battery went flat).

I would rather use it than use an android phone. I don't trust the
security of android phones, and I have a suspicion that banks don't
either, but they are not taking responsibility. Who will pay if your
phone gets malware on it and steals your credentials?

Dave Royal <dave@dave123royal.com> writes:

> I see that Aegis can produce an encryted copy of it's 'vault'. Do
> you know if the tokens therein be recovered without using Aegis
> itself ?

Looks like an OTPClient dev asked about importing an Aegis encrypted
backup in https://github.com/beemdevelopment/Aegis/issues/902 and from
their project page at https://github.com/paolostivanin/OTPClient/ they
support that now. So at least OTPClient has the required support.

More reading, there's a script decrypt.py in the docs directory of
Aegis' Github which apparently can be used to decrypt the vault as
well. I don't know what format that produces or if it can be imported by
other tools. I should try that, obviously.

"Richmond" <dnomhcir@gmx.com> wrote

| I would rather use it than use an android phone. I don't trust the
| security of android phones, and I have a suspicion that banks don't
| either, but they are not taking responsibility. Who will pay if your
| phone gets malware on it and steals your credentials?

That's a good question. To read the media it seems that
identity theft is rampant, though I don't actually know
anyone it's happened to.

Credit card companies will usually reimburse losses, but
they don't have to. They're doing it so far because they
profit by encouraging people to use cards without worry.

Debit cards are less protected. Commercial debit cards
have no protection in the US. With personal debit cards
there are limitations. If I remember correctly, one is that
any theft must be reported within something like 2 1/2 days.
How many people even read their bank statements or
balance their checkbook to know if something goes wrong?

The level of abstraction makes me nervous. WW3 might
be started and won by one country simply hacking into
multiple networks simultaneously and tainting the records
beyond salvaging. Then everyone wakes up the next day
a random pauper or billionaire. Everything could collapse.

On the other hand, money under a mattress also has
severe limitations.

I avoid any online banking. I can still walk and drive. Social
security is auto-deposited. I just don't need online banking,
so there's no sense risking it. I've also locked my credit. In
the US one can contact 3 credit reporting agencies, establish
a lock, and from then on no credit cards can be issued. If
you need a new credit card, you unlock it temporarily. That
method also provides a great excuse for pushy store clerks
who want me to sign up for their store card. "Oh, I'd love to,
but I have my credit locked. Haven't you done that yourself?"

On 2024-03-13 09:16, Chris wrote:
> Carlos E.R. <robin_listas@es.invalid> wrote:
>> On 2024-03-12 13:53, Newyana2 wrote:
>>> "AJL" <noemail@none.org> wrote
>>
>> ...
>>
>>>
>>> As Carlos put it, people addicted to cellphones
>>> would like to believe that everyone else "does not matter".
>>> They not only want cellphone options, they want cellphone
>>> interaction to be enforced as the only option. They
>>> want to live in Cellphone World.
>>
>> Addicted? No, simply banks are using a device that everybody has,
>> instead of making their clients buy an extra hardware device, not cheap,
>> for needed extra security.
>
> Banks here used to provide a hardware device for free which you used with
> your bank card at home.
>
> The annoying thing was that you ended up with one for each bank - despite
> using the same technology - and you were stuck if you didn't have it with
> you.

Yep.

Another method was a card with a list of random numbers, and each time
we had to type one of those. It is cheaper than the gadget, but
otherwise, you have to carry it around and it has no password hiding it.

--
Cheers, Carlos.

On 2024-03-13 09:11, Chris wrote:
> Jörg Lorenz <hugybear@gmx.net> wrote:
>> On 10.03.24 10:44, Bob Henson wrote:
>>> Newyana2 wrote:
>>>> At one point I played with crypto a bit. I had to upload a picture
>>>> ID (drivers license), as well as giving them my email address and
>>>> access to my bank account. As I recall I think they sent a voice
>>>> message code to my landline, which is a lot more security in terms of
>>>> proof of ID than a cellphone. The lamdline is registered to -- and
>>>> wired to -- a physical address.
>>>
>>> They will struggle in the UK soon, then. All landlines disappear by the end
>>> of 2025 - there will only be VoIP.
>>
>> Hardly ever read so much nonsense. We know Newyana does not have a cell
>> phone but he or she wants to have a big mouth in technical groups
>> discussing mobile technology.
>>
>> For you: IP-telephone lines are landlines. Landlines are not what you
>> think they are. The backend is even in the UK ip-based for years.
>
> Do you have evidence for that? It's true that UK telephony has been digital
> for a long time within the BT network, but that doesn't mean it's
> internet/ip-based.

I don't know about UK, but here in Spain all clients on fibre have a
VoIP system, hidden. At the home, there is a device called ONT (Optical
network terminal), which can be integrated on the router, that converts
the phone over IP signals to an RJ-11 where we connect our traditional
phone terminals.

In fact, companies hide the VoIP credentials so that connecting a VoIP
phone instead is not trivial.

The stated goal is to remove all copper exchanges, migrating everybody
to fibre (or some form of radio). The buildings can then be sold, they
are in the city centres and are worth a packet.

My understanding is that the UK is doing more or less the same, and many
countries are on the same road. Which means that a lot of the current
phone network is no longer circuit switched.

--
Cheers, Carlos.

"Newyana2" <Newyana2@invalid.nospam> writes:

> "Richmond" <dnomhcir@gmx.com> wrote
>
> | I would rather use it than use an android phone. I don't trust the
> | security of android phones, and I have a suspicion that banks don't
> | either, but they are not taking responsibility. Who will pay if your
> | phone gets malware on it and steals your credentials?
>
> That's a good question. To read the media it seems that identity
> theft is rampant, though I don't actually know anyone it's happened
> to.
>
> Credit card companies will usually reimburse losses, but they don't
> have to. They're doing it so far because they profit by encouraging
> people to use cards without worry.
>
> Debit cards are less protected. Commercial debit cards have no
> protection in the US. With personal debit cards there are
> limitations. If I remember correctly, one is that any theft must be
> reported within something like 2 1/2 days. How many people even read
> their bank statements or balance their checkbook to know if something
> goes wrong?
>
> The level of abstraction makes me nervous. WW3 might be started and
> won by one country simply hacking into multiple networks
> simultaneously and tainting the records beyond salvaging. Then
> everyone wakes up the next day a random pauper or
> billionaire. Everything could collapse.
>
> On the other hand, money under a mattress also has severe
> limitations.
>
> I avoid any online banking. I can still walk and drive. Social
> security is auto-deposited. I just don't need online banking, so
> there's no sense risking it. I've also locked my credit. In the US one
> can contact 3 credit reporting agencies, establish a lock, and from
> then on no credit cards can be issued. If you need a new credit card,
> you unlock it temporarily. That method also provides a great excuse
> for pushy store clerks who want me to sign up for their store
> card. "Oh, I'd love to, but I have my credit locked. Haven't you done
> that yourself?"

It isn't just the card unfortunately. If you install an app rather than
just receive an SMS, that app can do other things like make payments,
and tell you the PIN number of your card. What happens if someone else
finds the PIN number from your phone? well, the Bank would like to say
it is your fault.

https://www.ftadviser.com/your-industry/2022/09/06/santander-agrees-to-reimburse-customer-after-gym-theft/

HSBC offers both physical and digital secure keys, but the digital one
involves installing an app.

https://www.hsbc.co.uk/help/security-centre/secure-key/

On 2024-03-13 15:25, Richmond wrote:
> "Newyana2" <Newyana2@invalid.nospam> writes:
>
>> "Richmond" <dnomhcir@gmx.com> wrote

>>
>> I avoid any online banking. I can still walk and drive. Social
>> security is auto-deposited. I just don't need online banking, so
>> there's no sense risking it. I've also locked my credit. In the US one
>> can contact 3 credit reporting agencies, establish a lock, and from
>> then on no credit cards can be issued. If you need a new credit card,
>> you unlock it temporarily. That method also provides a great excuse
>> for pushy store clerks who want me to sign up for their store
>> card. "Oh, I'd love to, but I have my credit locked. Haven't you done
>> that yourself?"
>
> It isn't just the card unfortunately. If you install an app rather than
> just receive an SMS, that app can do other things like make payments,
> and tell you the PIN number of your card. What happens if someone else
> finds the PIN number from your phone? well, the Bank would like to say
> it is your fault.

He has to know the password to open the phone, and the password to open
the bank application. And possibly, a third password before the app
allows you to do an operation such as retrieve the pin of a credit card.

>
> https://www.ftadviser.com/your-industry/2022/09/06/santander-agrees-to-reimburse-customer-after-gym-theft/
>

I don't know what that pin in app feature is, and I am a santander
client, just not in the UK.

> HSBC offers both physical and digital secure keys, but the digital one
> involves installing an app.
>
> https://www.hsbc.co.uk/help/security-centre/secure-key/

--
Cheers, Carlos.

"Carlos E.R." <robin_listas@es.invalid> writes:

> On 2024-03-13 15:25, Richmond wrote:
>> "Newyana2" <Newyana2@invalid.nospam> writes:
>>
>>> "Richmond" <dnomhcir@gmx.com> wrote
>
>
>>>
>>> I avoid any online banking. I can still walk and drive. Social
>>> security is auto-deposited. I just don't need online banking, so
>>> there's no sense risking it. I've also locked my credit. In the US
>>> one can contact 3 credit reporting agencies, establish a lock, and
>>> from then on no credit cards can be issued. If you need a new credit
>>> card, you unlock it temporarily. That method also provides a great
>>> excuse for pushy store clerks who want me to sign up for their store
>>> card. "Oh, I'd love to, but I have my credit locked. Haven't you
>>> done that yourself?" >> It isn't just the card unfortunately. If
>>> you install an app rather >> than >> just receive an SMS, that app
>>> can do other things like make payments, >> and tell you the PIN
>>> number of your card. What happens if someone else >> finds the PIN
>>> number from your phone? well, the Bank would like to say >> it is
>>> your fault.
>
> He has to know the password to open the phone, and the password to
> open the bank application. And possibly, a third password before the
> app allows you to do an operation such as retrieve the pin of a credit
> card.

Malware doesn't need to do all these things. It just waits for you to do
them.

In the case of the article it doesn't explain how the phone was unlocked
but I think it likely the phone was not locked, or it had a trivial
PIN. Maybe the banking app was open too.

>
>> https://www.ftadviser.com/your-industry/2022/09/06/santander-agrees-to-reimburse-customer-after-gym-theft/
>>
>
> I don't know what that pin in app feature is, and I am a santander
> client, just not in the UK.

It may have been removed now, the article is from 2022 and it says
"Morgan has called on Virgin Active UK to review its security as a
result of the incident and on Santander to remove its PIN-in-app feature
from its mobile banking app, or to at least make it an optional feature
for customers "