Using a Cell Phone text message for OTP (One Time Password) – thoughts?

    #2719573

    I’ve been using cell text messaging for OTP for a while. The risk being my cell phone number being moved to another sim card or e-sim.

    I spoke with my cell provider about the risk of someone hijacking my sim. They told me a person would have to phone in, pass authentication (not that hard) and when they attempt to port the number to another sim, I would receive a message on my phone asking me to approve it. Without me responding with yes, the number would not be ported.

    If the customer reports they lost their phone, they must attend a store in person and produce government ID to allow porting of the number.

    It seems to me a person would only be trying this if they saw me as a good target.

    The risk seems remote. It would require an in-person visit to a store and being charming enough to convince the employee to ignore security requirements. They would be risking having their image captured on security cameras as well.

    Are there other risks I’m failing to see?

    Moderator’s Note: Rescued from the spam bucket.

    • #2719749

      It seems to me a person would only be trying this if they saw me as a good target.

      I’m not an expert in these things.

      Yet, in this age of the deified creators of soul-less, large-scale AI scrapers (which is never the same concept as artificial wisdom), and deep fakes, and criminal syndicates – which sell private phone numbers coupled to government IDs and ‘full’ identities for slightly more than the cost of dirt – how could one conclude that it will be only ‘one’ actor attempting to hack a personal account of any sort?

      Both AT&T and T-Mobile this year disclosed massive data thefts of private phone call data. Which companies are we willing to trust for their word? I wouldn’t trust any telecom company for its word.

      1) https://techcrunch.com/2024/10/14/2024-in-data-breaches-1-billion-stolen-records-and-rising
      2) https://www.reuters.com/technology/cybersecurity/t-mobile-hacked-massive-chinese-breach-telecom-networks-wsj-reports-2024-11-16/

      I’ve been using 2FA authenticator apps for years at this writing.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

    • #2719769

      The risk being my cell phone number being moved to another sim card or e-sim.

      You can also log onto your account on your phone provider’s website and go to the security options in your profile. One or some or all of the phone providers have an option to click to block porting and another option to block sim change or both.

      Also remember the rule “if it is convenient it is probably not secure”.

      Then do the “What if” test. What if I hand my phone to a complete (and dishonest) stranger: is it convenient, with stored passwords and auto sign-ins and chock full of valuable data,

      OR is it secure but still usable with some inconvenience (like having to sign in each time)?

      One other tip. If you ever reach for your phone and it says, “no service”, don’t delay one second. Get to the provider immediately as it could just be a service issue or a swapped sim.


    • #2719784

      PS – you could also use a virtual number linked to your private phone number for (many) OTPs. I’ve done that, too, for years.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

    • #2719788

      The risk seems remote. It would require an in-person visit to a store and being charming enough to convince the employee to ignore security requirements. They would be risking having their image captured on security cameras as well.

      Are there other risks I’m failing to see?

      You’re assuming all employees are fine and upstanding. Don’t overlook the occasional unscrupulous employee who may be willing to take an under the table payment to help some hacker who has befriended him. Or a nefarious employee planted right from the start by organized crime or a hacker group.

      Also, don’t overlook the risk of a Man-In-The-Middle attack, or fake calls or texts from fake “fraud detection” departments purporting to be safeguarding you. These don’t involve a SIM swap nor need to even involve an employee of your phone company. These types of attacks are common enough to have become fodder for the nightly news, with tales of pensioners unwittingly being scammed out of their life savings. The victims probably thought they weren’t likely targets, either.

      Like Mr. Austin, I prefer regular 2FA authentication apps over SMS authentication whenever possible. Not only are they more secure, they are also more convenient because they are always at hand and you don’t have to sit and wait for some web service to text you a code.

      Unfortunately, the banking and financial services industry — those most in need of something better than SMS authentication — are dragging their feet on implementing support for 2FA apps.


    • #2719949

      Not only are they more secure

      Yes, but there are also some disadvantages (like all security techniques).

      1. For the average non technical person there is a HUGE learning curve to understand authys. I know, because I spent hours on Woody learning how to set one up. Once you get through that they are easy to use.
      2. If you have a lot it becomes cumbersome. Most people probably have dozens of accounts and that would create a large scroll down list on your phone whereas a simple SMS text requires no list to look at. If you are looking for a particular code in a long list and enter a code one line off you could lock out the account. I did. I guess because it was an authy the account did not give me a second chance.

      And don’t forget: if someone steals your phone AND has your password, either SMS or authy is no protection, so don’t store your passwords in your phone.

      The huge advantage of the authy is that the 2FA code does not travel over the internet where it could be intercepted as with the SMS. It is generated on demand within the phone itself.

      • #2720203

        I use LastPass on my computer and phone. The information is encrypted on both. If someone stole my phone, assuming that they would be able to log in to the phone, they would then have to hack into LastPass to access information on the phone.

        If someone stole my phone, I would change the LastPass password. This would require a new log in before LastPass could be accessed. The current PW is long (27 characters) and uses nothing that could be guessed to abbreviate hacking it.


    • #2719967

      And don’t forget: if someone steals your phone AND has your password, either SMS or authy is no protection, so don’t store your passwords in your phone.

      You can safely store your passwords on an iPhone by adding a password to lock the file containing your list of passwords. Even if your phone is open and ready to use by anyone, they will have to enter the password to access that file.

      HTH, Dana:))

      • #2720398

        Also the iPhone can add double security for those sensitive documents such as one that contains your passwords.

        On my iPhone I keep my passwords or other sensitive data in password protected PDFs.
        I store these password protected PDFs in the Books app.
        I lock the Books app which requires my Face ID or passcode to even open the Books app once the Books app is selected.
        This basically requires two different passwords to access the file.

        For me it is easy, click Books app and use my Face ID to open it, then select my PDF and enter the password to open it.

        HTH, Dana:))

    • #2720068

      For 2FA, my preference is Yubikey. These are made by Yubico. It is a small hardware key which provides a code directly to my phone or computer. I can connect it via NFC or the built-in USB C. This code typically is uploaded to the service that I am accessing. There is also a Yubico authenticator app which interfaces with the Yubikey and sends the code to the service.

      The key would need to be physically in the hands of a hacker to log into the services protected by Yubikey. I wish that my banks and credit cards all used physical pass keys like this.

      My Yubikey went swimming in my pocket one day (unintentionally). It is waterproof.

      • #2720082

        What happens when you lose it / it fails? Can you recover it to a new one, do you have a spare?

        cheers, Paul

        • #2720200

          I have a spare in case I lose this one. You set both up when you get them.

          Brooks


    • #2720382

      You can safely store your passwords on an iPhone by adding a password to lock the file

      Excellent idea but I wonder how many people know about that feature or even how to use it.

      I never heard of it (until now) and have no idea how to set it up – there are so many apps and options on iPhone I think I would need a college course to be an expert on iPhone – LOL.

